Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 Jun 2010 15:10:15 -0500
From: Minga Minga <>
Subject: Re: Upcoming Password cracking contest at Defcon (shhh 
	its a secret).

> Will the contest be open to DEFCON attendees only or will john-users
> members (or anyone else) be invited to participate as well?

The teams will be required to have at least 1 or 2 people present at Defcon.
I want the winners to share their techniques will attendees while onsite.
If you can't make it to defcon - and I am familiar with you (via IRC or on
this list) I can send you the hashes once the contest has started. You cant
win the prize though  ;)

> What hash type(s)?  I think it'd be curious to have two or three
> different types: fast & saltless, fast & salted, slow & salted.  These
> are the common categories seen in practice (slow & saltless is not
> seen), and they may need to be approached differently.

You read my mind on this. It will simulate a penetration test of a
large corporate environment. Essentially if you were able to run
'pwdump' on a domain controller, and compromise a variety of
UNIX systems.  I don't want to goto into any more detail right now

(Join #john on FreeNode IRC channel if you want to talk to me
about it).

> Although you may choose to award just one prize (e.g., based on total
> hashes cracked), the hash type split I suggested above may allow for
> three teams to get due recognition.

Thought about that. I don't even know how many teams there will be.
Or if ANYONE will join ;) Ill save the "multiple prizes" for next year.

> It would also be curious to see how many more different hashes the teams
> will crack combined vs. those cracked by the winning team alone.

I imagine the GPU brute forcers will get lots of the short passwords,
but I split up the ~50,000 based into various lengths. Some lengths
can "not" be brute forced in 48 hours. But if logic/rules are used, hopefully
some of the long passwords will be cracked.  I really hope that some of
the teams break out some cool techniques that I didn't think of. Or
maybe use really large clusters ? Im hoping to be surprised.


For the john-users list:

KoreLogic will be publishing the following information AFTER the
contest is over:

1) the entire list of passwords
2) a large collection of wordlists that we deemed useful in cracking password
3) a LARGE collection of rules used by us to crack passwords.
4) Our slides about password cracking from recent speaking engagements.

The rules will be very useful to the group, but will need some "reworking"
or re-tweaking by Solar (or someone else) before they are 100% efficient.
Ill ask for some patience in that matter.  More on this after they are

I'm speaking on password cracking this week at the Techno Security Conference
in Mrytle Beach, SC (USA).


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.