CMIYC 2015

Global technique used for this contest explained in the following video :

 

 Then, 6 hours before the end we found another idea :

https://www.youtube.com/watch?v=X5hrUGFhsXo

DO IT

JUST DO IT
NOTHING IS IMPOSSIBLE
DON'T LET YOUR DREAMS BE DREAMS

Hashrunner - PHDays 2015

If you didn't already you must read the team write-up :
https://hashcat.net/forum/thread-4370.html (PDF).

LC

For this year I was available all 72 hours for the contest, and as last time I was managing our list management system (known as LC).
I spent a lot of time adding new algorithms and fixing issues, the tools used to verify the hashes submitted by the team members are based on rli2 (hashcat-utils), this allows us to only hash once per plaintext and requires close to no cpu or memory (all inputs have to be sorted and uniqued though).

Most of the algorithms are supported by a perl script maintained by philsmd, but for gost256 and gost512 I had to add a "rli2" behaviour to the gost crackers made by atom, as well as $HEX[] plaintext parsing.

When adding the lists we also had to reformat them in order to be loaded by hashcat (oracle, pbkdf hmac...), and of course format them back for being accepted by hashrunner's site, all of that needed to write code specific to each hash type.

Cracking

I almost only used the well known wikipedia wordlist from Sébastien Raveau, some italian and chinese wordlists other members of the team gathered and rules to basically do uppercase, duplicate, leetspeak and appending/prepending special chars.

Invuln challenge

I looked at the invuln challenge around the second day of the contest.
It was obvious that we could target the salts (la_encrypt() function) because they were based on the plaintexts, so I started writing a cracker for the salts in C, but was unfortunately too busy fixing LC at that time.
Later, the night between sunday and monday I got back to the code (and as every coder I think, I lost quite some time on a stupid thing, which was not using unsigned int this time).
The cracker worked great except that due to its use as the salt in sha512crypt it was a bit truncated and gave "only" the first 12 bytes of the plaintext, but that was good enough.
After running it with 2 rules on the wikipedia wordlist it gave 847 "pre cracks" in less than 3 minutes, and then using hashcat to get real plains using these base words we got 250 hashes cracked in around 30 minutes.

Fail

After the sleepless night, at around 9:00 I decided to take a little nap for 1 hour, set 2 alarm clocks at 10:00 and hit the bed.
When I woke I looked at the alarm clock in the opposite corner of the room, but I couldn't read without my glasses, I checked at the alarm clock on my bedside table... 18:45
Rush on the PC, switch screen on, F5 god damn it ! And breathe a huge sigh of relief as I see the team managed to stay on top.
Fortunately there was no more bug or issue with LC in the meantime, but it could have been worse.
For sure I'll invest some money in good alarm clocks.

Thanks

Hashrunner team for running the contest. Special thanks to atom & philsmd for the quick coding in a quite stressful situation. And obviously thanks to all team hashcat members as always it's an honour doing contests with you all.

Hashrunner/PHDays :

https://hashrunner.phdays.com/
https://twitter.com/phdays
https://twitter.com/GiftsUngiven
https://twitter.com/repdet

Arctic Accelero Xtreme 7970

So, I bought an Arctic Accelero Xtreme 7970 1 year ago, and finally decided to mount it on a 7970.

The reference design 7970 and the Accelero

Removed the top part

Removed the heat sink block

Quickly removed thermal paste stuff

A little bit cleaner

Done cleaning the gpu chip

Now that is clean, it's like a mirror

Trying methods to hold everything in place...

Screwed the mounting plate with the backplate

Mixing the G1 thermal glue

Applied thermal glue and put heat sinks on the components

And now we wait at least 5 hours...

Put the mounting plate back on the Accelero

Assemble everything

Done !

Let's see how it performs :

oclHashcat-lite

MSI Afterburner

Now the temperature stays under 60°C at full load (and under 50°c with the fans set to 100%)
It also appears that the rpm of the fans is wrongly reported/acquired.
It's really quiet compared to the reference design.

The installation guide used.

MySQL collision

7e327f193b2ac0dd:!lowC'@`"\Fhb\
7e327f193b2ac0dd:#`oWSALT$vT"dz
7e327f193b2ac0dd:(:YiFsf:&D4fl~
7e327f193b2ac0dd:"YHYxIv*&ZP<x~
7e327f193b2ac0dd:"Pi-hmn2&zljJn
7e327f193b2ac0dd:$tPvC<d<(.F|BT
7e327f193b2ac0dd:(@$|ta<d(R0vbb
7e327f193b2ac0dd:)DS}3m>b(d`x|V
7e327f193b2ac0dd:$X[?vQ*v(r*$Jh

derp

PHD : Hash Runner Contest

I recently participated to the Hash Runner challenge ran by http://ptsecurity.com/ during their "Positive Hack Days" or "PHD" forum (held on 30/31 May).

The idea is quite simple, you are given a list of hashes of different types and you have 24 hours to crack as many as possible.


I started the contest arround 5 hours late as a one man team, so only me "Xanadrel" from France. I was  also in team hashcat for past "Crack Me If You Can" challenges in 2010 and 2011 (which I joined in the end of the contest as I said them when starting Hash Runner that I was ok to give my plains to them), but this time I wanted to see how good I was alone, that was the point.

The hardware used was :
- my main PC : i7 950, 1x 5770 and 1x 7970
- one i5 2300k core for 4 lm hashes
- a pencil

Software used :
Hashcat, oclHashcat-plus, ophcrack, rcracki_mt, passwordspro, maskprocessor, notepad++ (for copy/pasting hashes), brain ?

Once I was ready for the contest I grabbed the list of hashes and split them by hand (copying hashes of a certain type, removing type note and  ":" chars) in files like this :

dcc2.txt
des.txt
lm.txt
md5.txt
md5_pass.salt.txt
and so on...

In the meantime I ran the LM hashes with ophcrack (took arround 5:30 hours to finish).

Then I started to crack the hashes with straight wordlist attacks and some basic/common rules in hashcat and in passwordspro for the GOST hashes.

I also noticed some things were wrong to me, such as DES (couldn't crack a single one during the contest), or phpbb3, ssha, wordpress hashes (their length was uncommon and couldn't crack them with hashcat).

Later, atom made a custom oclHashcat-plus version to support the phpass and DCC2 hashes, which I used.

With the few plains I found I started searching for patterns, noticed things like dates (dd.mm.yyyy) or appending years (yyyy) to words.

The wordlists used were :
- Custom/previously found plains by me
- facebook-firstnames (a lot of plains were based on names)
- common small dicts for slow algorithms + rules
- well known wordlists such as phpbb or rockyou

A few hours after the start I tried other things like rules to prepend/append or both 1/2 chars (well it was mostly special chars) to the words or rules to duplicate words as I saw a few plains like that.

Examples of rules tried

Noticed some leetspeak plains like : h3rrm@nn or r0ch3573r, so used rules for this and made a smaller rules file based on leetspeak for slow algos.

When ophcrack was done with the LM hashes there were 8 left hashes, found 4 of them running rcracki_mt with the lm_all_space tables.

Near the end I noticed that I didn't really run bruteforce attacks, so I found some passwords like : 6{x#_a or 9Mv)0. There were also passwords in the form : dd<month>yyyy (08march1924 for example), made rules to append/prepend the year/day and a wordlist with only months.

And if you were wondering why I used a pencil here is the answer, to press the "q" key only if I really want to stop a long oclHashcat run.

To submit the hashes I was copy/pasting the found plaintexts and replacing ":" with " : " in notepad++ and put them in a file to upload, later I did "cat *.out > found.out.txt" to have all found hashes in a single file and upload them all at once.

Plaintexts found per type (approx) : 

31 DCC2
108 md5
54 md5(pass.salt)
77 mssql2005
114 ntlm
79 phpbb3
106 sha1
96 sha256
91 MySQL5
383 LM
42 wordpress
74 GOST

During the contest I "fought" against InsidePro Team hoping to get the first place but they finally took a great advantage and before the end teardrop took the 2nd and then the 1st place, so congratulations to them, they did a great job.

Thoughts about the contest :
- the "hash : plain" format was annoying, but maybe it was made on purpose :p
- I still can't figure out why no DES was found
- the points system was good ( like 10-300 points, compared to last CMIYC where hashes weighed from 1 to 16000 points)
- it would have been more convenient for the forum/contest to take place during the week-end

As a conclusion I would say that 1st place was maybe too much but with a 3rd place (less than 5k points behind InsidePro) I'm quite proud of what I did and I enjoyed the contest (thanks to PHD staff for organizing such a contest), if there is another one next year I will participate too.

Tellspell wordlists

Some wordlists...

tellspell.word.txt (221,746 words - 2.13Mb)
http://www.multiupload.com/E2Z5DN4AM6

tellspell.typo.txt (10,113,773 words - 101Mb)
http://www.multiupload.com/ILUO9JWFG1

tellspell.mispell.txt (12,330,335 words - 135Mb)
http://www.multiupload.com/DXMEBWWV2J

tellspell.anagram.txt (34,887,239 words - 372Mb)
http://www.multiupload.com/LHBLTVOXSJ

Monday and SSH

Last Monday I wanted to ssh in my pc from my work, the problem was that the sshd port of my pc was 25565 and the proxy where I work only allows standard ports (80, 443...).
So the plan was simple, I just had to change the port in the sshd config file remotely, but I can't connect to my box as the port is blocked by the proxy.
Then kalgecin (oh hai) created an account for me on his own box, I successfully got root logged in it and was able to log in my box to change the port used by sshd, but changing it wasn't enough, I also had to open it in my freebox (Free, a french ISP), another problem was in order for the changes to take effect I need to reboot the freebox, manually.

...

But, I can log in the freebox administration panel to see which ports were already opened, and for which IP, then I'll only have to change the IP of my pc to match a certain port.
I went to lunch.
When I was back, everything was clear and I knew what I had to do.
So I installed elinks and logged in the admin panel and finally got this :

And decided to take the port 8080, so changing the IP to 192.168.0.33 :
So, I opened the interfaces file with nano :
nano /etc/networking/interfaces

auto eth0
iface eth0 inet static
address 192.168.0.33

And then : /etc/init.d/networking restart
After this I was disconnected, that's normal, the IP changed, I just had to open a new connection on the new port 8080, and then remember that I forgot to change the port of sshd.