Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <851s14q6ri.fsf@gmail.com>
Date: Sun, 12 May 2019 13:58:09 +0300
From: Aleksey Cherepanov <lyosha@...nwall.com>
To: john-users@...ts.openwall.com
Subject: team john-users write-up for CracktheCon contest at CypherCon 2019

Team john-users competed in the Pro category in CracktheCon 2019 hash
cracking competition held at CypherCon conference. We are grateful to
CynoSure Prime who organized this exciting contest. The contest
allowed us to test new code in John the Ripper under extreme
conditions and learn more about the art of cracking. We would like to
thank other teams for impressive performance. You inspire us! Thank
you!

Contest Website [1]:
[1] https://crackthecon.com/


    Team Members

Aleksey Cherepanov
ch3root
Luis Rocha
Matt Weir
rofl0r
soxrok2212
trebla

Also we got non-cracking help from other members:

- Solar Designer provided remote access to his ZTEX boards and gave
  invaluable advice,

- JimF implemented vectorized nsec3 format, that we were happy to use
  during the contest,

- Denis Burykin aka Apingis picked up task to implement support for
  (unusual) case when bcrypt has more than 512 hashes with the same
  salt; the coding was finished after the contest, but now it is
  merged into john[2].

Almost all members were distracted by day jobs. So it is hard to
estimate time spent on the cracking.

[2] https://github.com/magnumripper/JohnTheRipper/pull/3807


    Hardware Used

CPUs: ~166 cores / ~332 threads.

GPUs: ~11.

FPGAs: 20 chips / 5 ZTEX 1.15y boards.

FPGAs were used for descrypt mostly.

For bcrypt cost 10, we rented AWS instance with 8 V100 GPUs for the
last 7 hours of the contest. After tweaking, it was doing 17762 H/s
with hashcat.


    Software used

- John the Ripper bleeding-jumbo [3]
- hashcat [4]
- nsec3map - DNSSEC Zone Enumerator [5]
- auxiliary software, including custom scripts to handle cracks and
  submissions

[3] https://github.com/magnumripper/JohnTheRipper
[4] https://github.com/hashcat/hashcat
[5] https://github.com/anonion0/nsec3map


    The game

We had very slow start because our scripts to handle cracks were not
ready before the start. It affected points due to bonus for the first
submission of crack. And it affected progress because lists of
uncracked hashes were not updated frequently.

Also we spent more time than needed on DESleppard (descrypt) and
100%.salt.free.110%.hassle (raw-sha512). So we started BrainKiller
task very late. We were able to find one bcrypt crack with plain
attacks: it had empty password.

We were looking at the salts of hashes in BrainKiller and overthought
it. Much later, we noticed that there were 29k hashes with the same
salt, so we could attack them easily. The salt was
"2xH1dden1nPl41n51ght1u". We were able to crack a lot of them quickly,
but we missed the bonus because we started it late. Cracks on faster
hash types were not helpful, so there were no reasons to postpone
BrainKiller really. Then we got stuck at 9853 cracks because we did
not find any clear patterns on them.

soxrok2212 found the password for HiddenInPlainSight_hard.7z and we
got hashes for FantasticFour task.

FantasticFour task included HashAgain?.txt file with 5 32-hex hashes.
Aleksey wrote a custom hasher that hashed 1M of rockyou.txt with md5
again and again (i.e. md5($p), then md5(md5($p)), and so on) comparing
hashes with the given set at each iteration. But no cracks were found
within 635k iterations (most of the iterations were computed after the
contest).

At the end, there were so many questions without answers that we are
still full of curiosity. :-)


    After the contest

We continued to search patterns in BrainKiller hashes with the single
salt. And we succeeded. For instance, there is such huge pattern: take
word from rockyou.txt and insert '&', '-', '+', or '.' character at
position 3, 4, 5, 6 or 7.

The efficiency of pattern decreases through rockyou.txt, so you would
need to use --rules-stack option instead of --rules, and abort session
when it is inefficient:
$ john --wordlist=rockyou.txt --rules-stack=': i[3-7][&\-.+]' ...

Other patterns are smaller, so we'll list only some interesting:

- Append 2007, 2008 or 2009:
$ john --wordlist=rockyou.txt --rules-stack=': Az,200[7-9],' ...

Or using hybrid mask:
$ john --wordlist=rockyou.txt --mask='?w200[7-9]' ...

- Toggle case of first letter and at position 3-7:
$ john --wordlist=rockyou.txt --rules-stack=': T0 Q T[34567] Q' ...

- Permute 2 characters at positions 0 and 7, 4 and 7, 6 and 7:
$ john --wordlist=rockyou.txt --rules-stack=': >7 *[046]7' ...

- Duplicate every character ("abc" --> "aabbcc"):
$ john --wordlist=rockyou.txt --rules=': q' ...

With only one rule to run, --rules option is preferable due to higher
performance, while there are no differences in behaviour. (Brackets []
in a rule are expanded in the preprocessor, it produces several rules
usually.)

- Append "123":
$ john --wordlist=rockyou.txt --rules=': Az,123,' ...

- Duplicate the first character:
$ john --wordlist=rockyou.txt --rules=': z1' ...

- Duplicate the last character 3-5 times:
$ john --wordlist=rockyou.txt --rules=': Z[3-5]' ...

- Permute the last two characters:
$ john --wordlist=rockyou.txt --rules=': K' ...


    About --rules-stack option

--rules-stack option is handy for experiments with rules on big
wordlist with decreasing efficiency. With --rules-stack, john applies
all rules to the first word, then to the second word and so on.

john's work:

for each rule in --rules:
    for each word in --wordlist:
        for each rule in --rules-stack:
            try candidate

So with --rules, you get all words with rule 1, all words with rule 2,
and so on. That's not comfortable if you are going to abort session
when quality of candidates becomes too low, because only the first
rule would be tried.

----------------------------------------------------------------------
$ (echo word1; echo word2) > twl

$ cat twl
word1
word2

$ john --rules=': Az" rule1"; Az" RULE2"' \
       --wordlist=twl --stdout
word1 rule1
word2 rule1
word1 RULE2
word2 RULE2

$ john --rules-stack=': Az" .stacked1"; Az" ..stacked2"' \
       --wordlist=twl --stdout
word1 .stacked1
word1 ..stacked2
word2 .stacked1
word2 ..stacked2
----------------------------------------------------------------------

Other use of --rules-stack is double application of rules or
product of rules sets:
----------------------------------------------------------------------
$ john --rules=': Az" rule1"; Az" RULE2"' \
       --rules-stack=': Az" .stacked1"; Az" ..stacked2"' \
       --wordlist=twl --stdout
word1 rule1 .stacked1
word1 rule1 ..stacked2
word2 rule1 .stacked1
word2 rule1 ..stacked2
word1 RULE2 .stacked1
word1 RULE2 ..stacked2
word2 RULE2 .stacked1
word2 RULE2 ..stacked2
----------------------------------------------------------------------

Also --rules-stack works with other modes, including those that
--rules does not support.


Thanks for reading!

-- 
Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.