Archives for: August 2011

Aug/09
2011

It was an exciting weekend; sadly, team Hashcat only achieved second place. Team Insidepro, however, managed to beat us. Congrats to them and a big thanks to minga: http://contest.korelogic.com/stats.html

I don't think that these numbers can say enough without any background story:

So, as you might notice, I write as if I were a member of a team; actually, I took part in the contest as a member of team hashcat. Sadly, I was very late and got in about 12 hours after the contest actually started, and was quite overwhelmed by the challenges, hashes, websites, IRC channels etc. It took me about an hour to actually get an overview and start working, since I didn't know what had happened in the past 12 hours. There were a few issues and rumors about strange things that happened. The first to mention is that somehow hashcat.net went offline a few hours before the contest started; as of now there is no evidence of any attack, but it's strange.

There are a few other things which I will mention later, but now to the contest. The contest itself was about, as you might guess, hash cracking, yes! To be exact, it was about a little more: 19 challenges and 20 lists of hashes with different encryption (mscash2, bf, phpass-md5, md5, md5_gen(28), bsdi, raw-sha512, mysql-sha1, md5_gen(23), md5_gen(22), des, md5_gen(12), ssha, mssql, oracle11, raw-sha1, md5_gen(16), phps, md5_gen(0), nt). The contest was not directly about cracking the most hashes, since there were different weights; for example, one mscash2 got you 16000 points and one DES just 10. In addition to these lists there were the mentioned 19 challenges, which included things like an encrypted zip, rars, pdfs, docs and even an encrypted dmg file. Some of the challenges again contained hash lists.

So yeah, that's about it. Back to the point where I got into the contest. The clock is running, already 12 hours have passed, hashcat is #1 on the leaderboard with about 5m points, followed by john-users and insidepro. I am preparing myself to get started with special contest-optimized versions of hashcat and an (I call it for now) special online management suite where the team could manage itself. I am looking at the cracked hashes and studying the remaining hash lists. Where to get started? Most of these hashes are not crackable with hashcat. As I take a look back in the IRC channel where the rest of the team hangs out, I notice rumors. "damn, why we have to use john?" followed by a "this is freaking slow!" and something like "john-users are catching up" gave me the hint that there is a problem. Of the 20 hashlists minga provided, a minority could be cracked by hashcat with GPU acceleration. I decided to ignore this for now and try my luck on the remaining phpass, MD5-Unix and NTLM. A few hours went by in which I struggled with these lists. Only a couple of hashes every now and then. I'm trying to figure out what the point is, where minga got the hashes, which patterns, masks, dictionaries etc. he used. Searching for patterns and masks in the already cracked hashes, wrapping my head around the challenges, I notice resentment in the channel. The john users are ahead! Ok, now to the fridge, some more Red Bulls and coffees are necessary! Back at my computer I see that atom is awake again, talking about the mscash2. It's 6-something AM Saturday, the contest has now been running for 21 hours and atom is deciding to implement mscash2 in oclhashcat-plus. Yes, you didn't read that wrong, there are about 27 hours left and he decides to pull out all his abilities and implement an algorithm he never used before! So ok, I'm thinking "the chance is not really huge that he can do this in time, but if so, it would be great" and sending atom "give it a shot".

The caffeine is kicking in and I go back to my work. Let's check my Mac to see what the dmg cracking tool did. Hm..nothing, great. What are the remaining rar and zip files doing? Nothing, no plain worked. Suxx...let's run a freaking bruteforce. Back to the hash lists. I have multiple machines running CPU and GPU jobs on several lists. 50 new NTLM, nice. Upload. 5 new phpass. Upload. 3 new MD5-Unix. Upload. 2 hours work. Progress!
"This can not be" I am saying to myself as I look at the results. "Where are the patterns we are missing?" I ask the rest of the team. No one has an answer. "We are missing some important clues!" I am saying to the team. "We know that there are correlations of patterns on every list; if we get one pattern on one list, the chance is huge that we get more cracks on another".

I am looking at my latest cracks on MD5-Unix and phpass as I seem to discover a pattern. The obsession kicks in and I work for the next two hours on a dictionary. The words are combined patterns, like "mel", "and", "ina" etc. Let's put these all in a list and run a permutation attack on it. Yes, success. Quite a few hits. Gather the results, use the expander on them and bam, some more hits. Take all the newly gathered plains and check all the other hashlists with rules. And again more hits. Feeling good, but tired.
"Where is atom?" someone asks on IRC. "Didn't see him for hours!" comes back. He has now been gone for 6-7 hours. What's he doing? "atom> YEEEAAAAAAA" out of nowhere. "atom> got it!!!!". "atom> mscash2! but only for ati". "Ok well pretty damn good" I think, "but since my one box with ATI died an hour ago I better keep working on the challenges and hashes I am able to crack". With one eye following the team on the IRC channel hyping the new beta and fetching mscash2, I am trying to point the other eye at other things. The challenges are still not done. And now suddenly team insidepro is ahead. Hopefully the mscash2 will do its work.

I have now been awake for about 30 hours and can't remember when I last ate. Hm...let's take a break. Hm..all stores are closed and I have nothing good at home...too late for my favorite bistro...suxx...let's drive to McD. The burger tastes like nothing. Well, at least as expected. Back to work.

Let's see what happened. A fair amount more mscash2, nice! Our last update with the contest system was a couple of hours ago, we are still behind insidepro. Let's run another round with the newly gained plains on mssql, MD5-Unix, phpass and NTLM. Bingo, a couple more. Upload. The admin starts the sync and I am looking at the contest table to check our progress. Yes! Back at the top! Back on the journey of finding the lost pattern. Discussing with the other members what we haven't tried, what we should do and what minga might have done. "Are the other teams listening?" Maybe not. But well, who knows.

"Let's put in another bruteforce, maybe I have luck, and just relax a few minutes." Getting the jobs started and putting on a Starcraft2 replay. Man, my back could take a few minutes off, better I lie down on the couch till the replay ends.

That was the last thing I remember after about 36 hours awake. I don't even know how the SC2 match ended or who played. I woke up 3 hours after the contest ended. It was somehow bitter to find team insidepro ahead because of the bonus points minga had given for the most cracked hashes in a list. It was really close, we missed 5 NTLM for the bonus.

Aug/05
2011

A few of you might have noticed that Defcon started today. And as every year, the cracking contest is taking place and is managed by minga.

The contest started today at 0:00 PST. At this time the teams are working on the hashlists minga handed out!

Good Luck team Hashcat!

Update:
Live-Stats: http://contest.korelogic.com/stats.html