Monday, October 7, 2019

Defcon CMIYC 2019 Write-up

Rough hardware estimate

HardwareCountHardwareCount
2080 TI2107025
1080 TI2210606
1080159702
1070 TI:7CPU Physical Core:892

Software used

  • John the ripper + MPI
  • Passcovery Suite
  • Hashcat
  • Bcval
  • Hashtopolis
This year we had 15 members compete, we welcome 0xln, golem445, and John_Smith to the team. Tremendous thank you to Korelogic for hosting the 8th Defcon Crack Me If You Can, it was a blast this year as it contained interactive elements involving a dynamic workflow. This is quite different from what we expected and was welcomed with open arms.
After seeing that the test hashes contained usernames which involved matching, we suspected that pairing up different hashes and passwords with similar usernames was going to be needed this year. Prior to the contest, we developed a matching utility that would handle this operation for us. The pair tool was used throughout the contest to generate scrypt Hash:potential-pass pairs for us to run using single-mode style attacks.
We here able to get quite high completion rates on the “easy” hashes.
What is Bcval
Our Bcrypt Validator (Bcval for short) was originally created for the Ashley Madison project Cynosure Prime worked on back in 2015. It is an optimized single-mode cracker designed to work with hash:[potential]password pair and supports rules and case twiddling. This was quickly adapted to support scrypt during the contest.
While our team initially used john to attack the scrypt hashes, once Bcval was available we switched across as we noticed it was quicker in the workloads we benchmarked. The performance increase highlighted with the vertical red line can be seen in the contest performance graphs.
We are unable to directly produce a Bcval vs John comparison as we are running into a strange issue when using --single=none. It appears john is still using some sort of rules or is testing extra candidates (note this could be due to a PEBCAK error). On a Ryzen 2700x Bcval was running at about 240 h/s. However when running two identical hashlists john appears to run for quite some time even though it was reporting 220+ h/s.
It is unclear why we see such a discrepancy between the performance of the two tools as they are using the same hashing code. We believe this is due to the way we handle the hashes, this includes the ability to terminate jobs when a cracked hash is found as well as using a different threading model. Bcval does not use OpenMP nor is it using the ROM optimizations for the scrypt algorithm. As an afterthought to the contest, a rule candidate cache would have added nice gains for certain rules. The rule cache would effectively temporarily store all generated rule candidates for that single plain and check whether it has been tested, skipping the hash routine where applicable. Considering the slow speed of the hashing algorithm, the processing cost to store candidates and performing lookups would be negligible but would provide huge benefits.
As we had a pairing tool, this was used to crack the password changes. Pair-ception was carried out with the cracked passes along with the accounts affected. The cracked user:scrypt:plains were paired with user:[new]scrypt to provide user:[new]scrypt:[potential]plain which was then cracked by using simple rulesets such as best64 in single mode with Bcval.
While we did notice the avatar, WOLF, core and other hashsets we were not able to properly figure out the patterns for them. It appeared we were trying more complicated things than needed.
Early on, we ran into an issue where the system did not like empty hashes (we found several hashes that had blank plains), this was quickly rectified by korelogic. Due to focussing on cracking the hashes we decided not to recode our system to re-validate hashes on our end prior to submitting them and did run into a couple of submission mistakes where we accidentally submitted bad hashes.
Our team generally prefers the whatever approach, as any member can work on whatever hashlist or task they want. However, for this particular competition due to the added layer of hash pairing and password changes, some team co-ordination would have helped, especially when we had members who were only able to join in mid-way.
It was interesting to see the use of single mode password attacks and we were lucky to be familiar with this approach. It was very refreshing to see a dynamic element added to a traditional hashing cracking contest with the pairing and password changes.
Congratulations to Team Hashcat for bringing their A-Game and a massive thanks to Korelogic for organising Crack me if you can 2019.

11 comments:

  1. Thanks for sharing this information with us. we are Best Wedding Planners in agra city we providing Event Management services.

    ReplyDelete
  2. Giving It All You Got: Playing A Great Game Of Football

    Do you like the sport of football? On a scale of 1 to 10, how much do you know about the sport? No matter your answer to that question, this article is going to help you with some things. You can always benefit from new advice, and becoming the best player you can be is what it's all about. play bazaar satta king

    ReplyDelete
  3. Kami adalah Situs Judi Poker Online Terpopuler di indonesia, pasti nya kami sudah menjadi kepercayaan banyak orang bisa di buktikan agar kalian dapat mempercayai kami, bagi kalian pecinta kartu silahkan kunjungi kami, kami telah di akui dengan pelayanan kami yang sangat ramah dan pasti nya akan memuaskan kalian.

    link alternatif domino qq


    game domino qq

    capsa susun

    capsa susun online

    mango capsa susun

    dominoqq

    remi poker game deposit

    domino qq

    game online domino qq

    domino qq versi terbaru

    domino qq apk

    link login domino qq

    deposit pulsa domino qq

    daftar domino qq

    deposit remi poker

    remi poker uang asli

    deposit pulsa murah remi poker

    capsa susun apk

    download mango capsa susun

    capsa susun versi terbaru

    ReplyDelete
  4. Bagi Kalian yang sangat menyukai bola tentunya kalian ingin memasang pasangan yang kalian inginkan, Kalian bisa memasang di situs kami, karena pelayanan kami sudah sangat terpercaya bagi para orang orang yang bermain di situs kami silahkan kunjungi tempat kami untuk membuktikan bahwa kenyamanan dan untuk membuktikan kualitas kami adalah yang terbaik.

    Bola Deposit Pulsa

    deposit bola via pulsa

    deposit bola dengan pulsa

    deposit bola sbobet pakai pulsa

    deposit bola sbobet88 pakai pulsa

    deposit sbobet pakai pulsa

    deposit sbobet88 pakai pulsa

    sbobet deposit pulsa

    sbobet88 deposit pulsa

    agen bola deposit pulsa

    ReplyDelete