"Crack Me If You Can" - DEFCON 2010

Team iPhelix

Graph of iPhelix's score over time

Resources

Members: 1
Nick: iphelix
Countries: US (1)
Software: oclHashcat, hashcat, ighashgpu, John the Ripper, probabilistic cracker
Hardware:
  Windows Server - Windows 2008 64Bit: CPU: Intel Core i7-930 (4 Cores), GPU: ATI 5970 (2 Cores), Nvidia Tesla (1 Core)
  Linux Server - Ubuntu 10.04 64Bit: CPU: Intel Xeon E5506 (4 Cores), GPU: none
What I thought

From the initial announcement to the last minutes, it was an absolute blast to participate in the contest. The KoreLogic team did an amazing job both preparing and running the contest. The organizers managed to keep the contest competitive while at the same time promoting information sharing and the feeling of community.

How I prepared

At the time the "Crack Me if You Can" contest was announced, I was working on a survey of available password cracking techniques, hardware, and software. My initial (really naive) approach to password cracking was to find the fastest software/hardware bruteforcer combination and call it a day. This quickly changed once the contest was announced and a practice sample of 17000 NTLM hashes was released. After days of bruteforcing, only 50 passwords were cracked! It was clear that smarter password cracking techniques had to be developed in order to compete.

One of the first things I did was to analyze a list of leaked passwords from rockyou.com. An excellent collection of leaked passwords is available on the Skull Security wiki (http://www.skullsecurity.org/wiki/index.php/Passwords). Next I spent days analyzing JtR password generation rules; that's when I ran across Minga's research into using RockYou as a basis for the new JtR incremental mode charset, which turned out to be very effective during the contest. While searching for more advanced JtR rules, I found Matt Weir's blog: http://reusablesec.blogspot.com. Just in time for the competition, Matt posted his PhD dissertation on using probabilistic techniques in password cracking. The above work was truly revolutionary for me and served as an essential foundation in all future research.

Several dictionaries were compiled before the contest. Three particularly powerful dictionaries were wikipedia-wordlist-sraveau-20090325.txt, the InsidePro Big Dictionary, and the Alter-Hacker Wordlist. In order to compress all collected dictionaries, I ran them through several iterations of unmangling and normalization rules.

Regarding hardware, a custom machine was built a week before the contest based on ATI's powerful 5970 video card. Setting up the ATI 5970 was truly a pain due to buggy drivers that broke more things than they fixed with each release. However, the 5970 is a pure 6TFLOP beast, so I played along. It was truly a miracle that, days before the competition, ATI released updated Catalyst drivers permitting the use of the second core in the 5970!

Armed with the previous research on password cracking techniques, I started development of a password analysis and mask generation toolkit that was used to generate a rule set capable of cracking 50% of RockYou based passwords with a time limitation of two days. The same ruleset was used during the competition with a high level of success - the majority of NTLM hashes were cracked within the first 12 hours. The password analysis toolkit, custom rulesets, as well as guides on tool usage and installation are available here: http://thesprawl.org
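The core idea behind a password analysis and mask generation step, as an added example that is not the author's toolkit and not code from this page: reduce every password to its character-class mask (hashcat's ?l/?u/?d/?s tokens), count how often each mask occurs, and read off which few masks cover the bulk of a set. A defender runs the same analysis over passwords recovered in an authorized audit to see which structures a policy still permits and how small the space behind them is. The sample passwords, the 33-character symbol set size, and the function names are assumptions made for the example.

```python
"""Mask statistics over a set of cleartext passwords (added example)."""
from collections import Counter
import string

# Constructed sample for the example; not data from the contest.
SAMPLE_PASSWORDS = [
    "password1", "Password1", "summer2010", "Welcome1", "letmein",
    "qwerty123", "Monkey!", "abc123", "Trustno1", "iloveyou",
    "P@ssw0rd", "123456", "football", "Jessica1", "baseball9",
]

# Size of each character class; 33 is the size of hashcat's ?s set (assumed here).
CLASS_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def char_class(c: str) -> str:
    """Map one character to its hashcat-style mask token."""
    if c in string.ascii_lowercase:
        return "?l"
    if c in string.ascii_uppercase:
        return "?u"
    if c in string.digits:
        return "?d"
    return "?s"  # anything else is treated as a symbol


def password_mask(pw: str) -> str:
    """Character-class mask of a whole password, e.g. 'Abc12' -> '?u?l?l?d?d'."""
    return "".join(char_class(c) for c in pw)


def mask_stats(passwords):
    """List of (mask, count, cumulative_share) sorted by descending count."""
    counts = Counter(password_mask(p) for p in passwords)
    total = len(passwords)
    covered = 0
    result = []
    for mask, n in counts.most_common():
        covered += n
        result.append((mask, n, covered / total))
    return result


def masks_for_coverage(passwords, target):
    """Smallest prefix of the most common masks whose combined share reaches target (0..1)."""
    chosen = []
    for mask, _n, cumulative in mask_stats(passwords):
        chosen.append(mask)
        if cumulative >= target:
            break
    return chosen


def keyspace(mask: str) -> int:
    """Number of candidates the mask describes; shows how little a predictable structure leaves."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CLASS_SIZES[mask[i:i + 2]]
    return total


if __name__ == "__main__":
    for mask, n, cumulative in mask_stats(SAMPLE_PASSWORDS):
        print(f"{mask:28} {n:3} {cumulative:6.1%} keyspace={keyspace(mask):,}")
    print("masks for 40% coverage:", masks_for_coverage(SAMPLE_PASSWORDS, 0.4))
```

On the sample, three masks already account for 40% of the passwords; in an audit report that kind of number is what justifies a policy change, since the mask list is exactly what a policy should be measured against.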

Strategy

After splitting up the hashlist into individual hash types, it quickly became apparent that the majority of effort should be dedicated toward NTLM, followed by SSHA, Unix DES, and Unix MD5. Other hash types were left to be cracked toward the end of the contest due to either hash complexity or their total number.
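Splitting a mixed hash list by format is the first step above; the following is an added example of doing it by shape alone, not the author's scripts and not code from this page. It recognises the formats the write-up names (NTLM, SSHA, Unix DES crypt, Unix MD5 crypt), buckets each input line, and orders the buckets by size, which is the write-up's first cut at where effort goes. The same inventory is what a defender wants when auditing a directory for legacy hash formats. Caveats handled in the code: raw MD5 has the same 32-hex shape as NTLM, so that bucket is labelled as ambiguous, and pwdump-style lines carry the hash in the last non-empty field. The sample lines are constructed and the hash values are not real credentials; the function names are assumptions made for the example.

```python
"""Split a mixed hash list into per-format buckets by shape (added example)."""
import re
from collections import defaultdict

# Constructed sample lines; none of these values is a real credential.
SAMPLE_LINES = [
    "# user:hash lines, pwdump-style lines and bare hashes mixed together",
    "alice:0123456789abcdef0123456789abcdef",
    "bob:{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "carol:$1$saltsalt$abcdefghijklmnopqrstuv",
    "dave:ab.CDeFgH1jKl",
    "",
    "erin:fedcba9876543210fedcba9876543210",
    "frank:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "grace:$6$saltsalt$abcdefghijklmnopqrstuv",
]

# Order matters: prefixed formats first, the bare 13-char DES shape last.
PATTERNS = [
    ("ssha", re.compile(r"^\{SSHA\}[A-Za-z0-9+/]+=*$")),
    ("md5crypt", re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    # 32 hex chars is NTLM *or* raw MD5; shape alone cannot tell them apart.
    ("ntlm_or_md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("descrypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]


def classify(hash_value: str) -> str:
    """Return the format name for one hash string, or 'unknown'."""
    for name, pattern in PATTERNS:
        if pattern.match(hash_value):
            return name
    return "unknown"


def extract_hash(line: str) -> str:
    """Hash part of a line: bare hash, 'user:hash', or pwdump 'user:rid:lm:nt:::'.
    The last non-empty colon-separated field is the hash in all three layouts."""
    fields = [f for f in line.split(":") if f]
    return fields[-1]


def split_hashlist(lines):
    """Bucket input lines by detected format; blank and '#' comment lines are skipped."""
    buckets = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buckets[classify(extract_hash(line))].append(line)
    return dict(buckets)


def priority(buckets):
    """Format names ordered by how many hashes each bucket holds, largest first."""
    return sorted(buckets, key=lambda name: len(buckets[name]), reverse=True)


if __name__ == "__main__":
    result = split_hashlist(SAMPLE_LINES)
    for name in priority(result):
        print(f"{name:12} {len(result[name])}")
        for entry in result[name]:
            print("   ", entry)
```

Each bucket would then be written to its own file and fed to the tool that handles that format; the "unknown" bucket is worth a manual look, since a format the regexes miss is exactly the kind that gets deferred to the end.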

While mask and dictionary based password cracking attacks yield the most passwords, I decided to keep a separate GPU core running several pure bruteforcing iterations, which yielded several thousand purely random passwords that could not be cracked by other attack types.

Password cracking was evenly distributed across three GPU cores and 8 CPU cores as follows:

  • 5970 Core #1 - oclHashcat Mask and Combinator attacks against NTLM (Cracked about 11000 NTLM Hashes)
  • 5970 Core #2 - ighashgpu running a series of bruteforcing attacks against NTLM (Cracked about 4000 NTLM Hashes)
  • Tesla - oclHashcat Dictionary attacks against NTLM (Cracked about 13000 passwords)
  • 4 CPU Cores - hashcat running various rulesets against NTLM, SSHA, SHA (NTLM: 5000 passwords, SSHA: 1600 passwords, SHA: 300 passwords)
  • 4 CPU Cores - JtR session against *nix password hashes (Cracked about 2000 UNIX-DES and UNIX-MD5 passwords)

There was a lot of overlap for NTLM hashes as each card executed different attacks, but you can tell that the relatively slower Tesla was able to crack the most passwords due to the high success rate of dictionary attacks.

As the contest progressed and the number of cracked hashes slowed down, I had to adapt by recycling already cracked passwords and coming up with new rules. I used the same demangling scripts as in dictionary generation.

Thanks

Thank you Minga and Matt for posting your research; it was instrumental for my research on password cracking.

Huge thanks to Ivan Golubev for releasing the much needed NTLM multi-hash support for ighashgpu days before the contest.

I would like to thank atom, pure_hate, and other hashcat developers for continued development of an extremely powerful GPU password cracking tool: oclHashcat. Its flexible rule generation engine truly makes it stand out from the rest. You guys rock!

Copyright 2012. KoreLogic Security. All rights reserved