Thursday, June 7, 2012

PHD : Hash Runner Contest


I recently participated to the Hash Runner challenge ran by http://ptsecurity.com/ during their "Positive Hack Days" or "PHD" forum (held on 30/31 May).

The idea is quite simple, you are given a list of hashes of different types and you have 24 hours to crack as many as possible.


I started the contest arround 5 hours late as a one man team, so only me "Xanadrel" from France. I was  also in team hashcat for past "Crack Me If You Can" challenges in 2010 and 2011 (which I joined in the end of the contest as I said them when starting Hash Runner that I was ok to give my plains to them), but this time I wanted to see how good I was alone, that was the point.

The hardware used was :
- my main PC : i7 950, 1x 5770 and 1x 7970
- one i5 2300k core for 4 lm hashes
- a pencil

Software used :
Hashcat, oclHashcat-plus, ophcrack, rcracki_mt, passwordspro, maskprocessor, notepad++ (for copy/pasting hashes), brain ?

Once I was ready for the contest I grabbed the list of hashes and split them by hand (copying hashes of a certain type, removing type note and  ":" chars) in files like this :
dcc2.txt
des.txt
lm.txt
md5.txt
md5_pass.salt.txt
and so on...

In the meantime I ran the LM hashes with ophcrack (took arround 5:30 hours to finish).




Then I started to crack the hashes with straight wordlist attacks and some basic/common rules in hashcat and in passwordspro for the GOST hashes.

I also noticed some things were wrong to me, such as DES (couldn't crack a single one during the contest), or phpbb3, ssha, wordpress hashes (their length was uncommon and couldn't crack them with hashcat).

Later, atom made a custom oclHashcat-plus version to support the phpass and DCC2 hashes, which I used.

With the few plains I found I started searching for patterns, noticed things like dates (dd.mm.yyyy) or appending years (yyyy) to words.

The wordlists used were :
- Custom/previously found plains by me
- facebook-firstnames (a lot of plains were based on names)
- common small dicts for slow algorithms + rules
- well known wordlists such as phpbb or rockyou

A few hours after the start I tried other things like rules to prepend/append or both 1/2 chars (well it was mostly special chars) to the words or rules to duplicate words as I saw a few plains like that.
Examples of rules tried
Noticed some leetspeak plains like : h3rrm@nn or r0ch3573r, so used rules for this and made a smaller rules file based on leetspeak for slow algos.

When ophcrack was done with the LM hashes there were 8 left hashes, found 4 of them running rcracki_mt with the lm_all_space tables.

Near the end I noticed that I didn't really run bruteforce attacks, so I found some passwords like : 6{x#_a or 9Mv)0. There were also passwords in the form : dd<month>yyyy (08march1924 for example), made rules to append/prepend the year/day and a wordlist with only months.

And if you were wondering why I used a pencil here is the answer, to press the "q" key only if I really want to stop a long oclHashcat run.


To submit the hashes I was copy/pasting the found plaintexts and replacing ":" with " : " in notepad++ and put them in a file to upload, later I did "cat *.out > found.out.txt" to have all found hashes in a single file and upload them all at once.

Plaintexts found per type (approx) : 
31 DCC2
108 md5
54 md5(pass.salt)
77 mssql2005
114 ntlm
79 phpbb3
106 sha1
96 sha256
91 MySQL5
383 LM
42 wordpress
74 GOST

During the contest I "fought" against InsidePro Team hoping to get the first place but they finally took a great advantage and before the end teardrop took the 2nd and then the 1st place, so congratulations to them, they did a great job.

Thoughts about the contest :
- the "hash : plain" format was annoying, but maybe it was made on purpose :p
- I still can't figure out why no DES was found
- the points system was good ( like 10-300 points, compared to last CMIYC where hashes weighed from 1 to 16000 points)
- it would have been more convenient for the forum/contest to take place during the week-end

As a conclusion I would say that 1st place was maybe too much but with a 3rd place (less than 5k points behind InsidePro) I'm quite proud of what I did and I enjoyed the contest (thanks to PHD staff for organizing such a contest), if there is another one next year I will participate too.