Korelogic Logo
"Crack Me If You Can" - DEFCON 2010
Back to [Teams] [Top]

Team hashcat

Graph of hashcat's score over time


Members 11
Nicks atom, D3ad0ne, dakykilla, K9, kalle3, legion, MKv4, purehate, Rolf, superjames, Xanadrel
Countries Estonia(1), France(1), Germany (3), Qatar(1), UK(2), US(3)
Software hashcat, oclHashcat, EGB, JtR, PasswordsPro, rcracki_mt, SAMInside
Hardware Linux Servers
CentOS 5.X 64-Bit Server: 4 295 GTX's, CPU: i7 965
Ubuntu 10.X 64-Bit Server: 3 295 GTX's, CPU: i7 960

Windows Desktops
Windows 7: CPU: Intel Core 2 Duo E8400 @ 3.00GHz
Windows XP: CPU Q6600, GPU: none
Windows XP: CPU Q6600, GPU: GTX 285 @ 648/1548/2650
Windows XP: CPU: 2.5GHz, GPU: none
Windows 7: CPU 3.2GHz, GPU: none

Linux Desktops
Ubuntu Linux: CPU ????, GPU: 2xhd5770
Ubuntu Linux: CPU ????, GPU :GTX 285, 8800gt
Ubuntu Linux: CPU ????, GPU: hd4850
Ubuntu Linux: CPU: 2x3.1GHz, GPU: 9800gt

Windows Laptop
Windows XP: Atom N270 Netbook, No GPU
Windows 7: CPU: 3.0GHz, GPU: none

What We Thought

First we would like to thank KoreLogic for putting this competition together as every single one of our members had a great time participating. The InsidePro Team really gave us a run near the end of the competition and it was exciting to see the battle for the registered users' second place between CrackHeads and john-users. Rounding out the top five iPhelix, who I believe was a one man team, did a great job at accumulating over 22,500 points. I know all of the other teams as well really enjoyed the competition and the fact that KoreLogic took the time to put this together. We would not have been able to generate the results we did without the hashcat and oclHashcat applications as over 90% of our results were generated using one of the two hashcat applications.

How We Organized

When the initial list of hashes was received from KoreLogic it was split into text files which each contained a specific hash type. These text files were broken down into three folders titled hashcat, oclHashcat, and other based on what software had the capability to crack those specific hash types as well as what we believed would do the most efficient job of cracking the hashes. The folder structure with each of the different hash text files was then securely made available to all team members and the cracking began. The first four hours was a free for all with all members working on whatever hash types they wanted to, as we wanted to do our best to knock out a lot of hashes quickly. Then things became a little more structured with the team attempting to evenly split up hash types combined with cracking methods based on the CPU/GPU power that team member had available. There are many things we could improve upon regarding structure and scheduling for the next hash cracking competition we enter, such as scheduling longer running attacks while specific members sleep and keeping track of rules, character combinations, and other items that would allow the team to be more efficient.

How We Used hashcat Efficiently

Many different hash cracking methods were used by themselves as well as being combined with other methods in an attempt to produce unique password results using hashcat. The methods used include standard brute forcing, dictionary attacks, the hashcat random rule generator, oclHashcat mask attacks, hashcat hybrid dictionary attacks, the maskprocessor with manually detected patterns, random rule loops, and the batchcracker. Some of the dictionaries were modified with the hashcat dictionary expander which is only available privately at the moment, however the hashcat team is willing release it if there is any interest from the public. After a specific password pattern is located, the maskprocessor is used to generate rules based on those patterns, which when done properly allows passwords to be cracked more efficiently. The maskprocessor, which was developed by atom of the hashcat team, is currently unavailable to the public but this is also something that can and will be released as an open source tool if the community shows any interest. One of the unique features of hashcat that was heavily used by team members was the random rule generator which assists in filling holes during the password cracking process. When all dictionaries had been exhausted the random rule generator was used until more password patterns were located which were then run through the maskprocessor. This was the foundation of a looping process which is displayed below.

hashcat looping process
 new pattern -> maskprocessor -> rules -> cracks
        ^                                   |
        |                                   V
    new plains  <-  random rules  <-  new dict
The loop was broken in step three, or rules, at times to expand the set of rules as they are generated. Once the new rules were added they were run against the existing dictionaries to generate more combinations of passwords. Regarding dictionaries we were able to notice a pattern in the dictionaries used to generate the hashes which allowed us to minimize the dictionary size thus saving time in the entire hash cracking process. At times patterns were noticed that did not fit into the mold for our rules file so a separate process called a toggle attack was issued which would find bLACKhat, BLAcKhAt, or BLACKhAT from blackhat. One of the unique hashcat features available is the ability to have rules processing while the toggle attack is processing as well. So while the toggle attack is running we were also, say, processing the leetspeak.rule file so all words in the current dictionary such as defcon would also be attempted in their leet speak equivalent such as d3fc0n.

How We Used oclHashcat Efficiently

The oclHashcat application uses GPUs to run brute forcing, predefined rules, the maskprocessor, and run hybrid attacks. We started off with oclHashcat using a hybrid attack which included the two popular wordlists named opencrack_plains.txt and wikipedia-wordlist-sraveau-20090325.txt combined with previously located patterns. These dictionary files were processed using the dictionary expander which splits apart every word in a dictionary file and reassembles them in different patterns. We also ran our current plains through the dictionary expander to grow the plains list. Once we expanded the dictionary files and the plains list we processed them against the hashes in combinator mode which combined words from each list of character combinations. An explanation of hashcat fingerprint technology will be released in the near future on www.question-defense.com.


We would like to thank the following groups that assisted us in the competition:
hashcat: http://hashcat.net
Offensive Security: http://www.offensive-security.com/
Backtrack: http://www.backtrack-linux.org/
Question Defense: http://www.question-defense.com, http://tools.question-defense.com


Please contact us if you would like more information about our services, tools, or careers with us.
Privacy Policy : Copyright 2012. KoreLogic Security. All rights reserved