Date: Tue, 3 Aug 2010 02:23:35 +0400
From: Solar Designer <>
Subject: Re: contest results

On Mon, Aug 02, 2010 at 09:19:28PM +0000, Brandon Enright wrote:
> I'm also disappointed that a bit of fire-and-forget GPU cracking
> of the NTLM hashes beat out both our team's hard work, adaptation, and
> innovation.

Do we know that it's GPU cracking that did the trick?  I think the
winning teams did other things better as well - perhaps there were
simply more active people involved and the teams were better organized
(well, definitely better than ours - I was just building the team and
setting up the file-exchange server _during_ the contest).  Computing
resources were secondary for this contest, I think.  I didn't even make
use of all I was going to (peaked at as few as 12 CPU cores in use under
my own control) - had no time to _reasonably_ put more CPUs to use, my
time was better spent looking for and implementing patterns.  Our score
was primarily limited by not having enough people who would look for
patterns, implement those into rules or code, and test them.  I was
doing that myself, and it was the primary thing that helped, but few
others on our team did this to much extent.  (I am not complaining about
the team, no.  I actually enjoyed working with everyone, regardless of
whether this helped in the contest or not!  And a lot of contributions
from team members did help greatly!)

I am wondering if the hashcat folks maybe tried auto-generating rulesets
based on cracked passwords (which would save people's time).

> I am writing up my contest experience, strategy, thoughts, and
> suggestions right now.  I should have the email done in a few hours.

Sounds great!

> Yes, this is quite sad.  I was sure that with all of the other hashes
> besides NTLM in the competition that the GPU crackers would be very
> limited.  With the volume of NTLM hashes though it seems all of our
> effort to crack the other hashes went to little use.

Yes, and frankly I mostly focused on NTLM myself due to their number,
speed, and the way the points were being awarded (irrespective of hash
type).  I let others on the team run certain attacks against the slower
hashes, as a way to reduce overlap with my own cracking.  I did spend
approx. half the CPU time under my control on non-NTLM hashes, though.
If that half were directed to NTLM, it would not help all that much, and
as I mentioned I had idle machines anyway.  If I came up with more
patterns to test against NTLMs in time (which ran pretty fast anyway,
even without any GPUs), I'd just proceed to start more john's on those
extra machines.

Well, maybe with 100x faster machines, I'd test all possible overstrikes
for three rather than just for two character positions at once (which is
what I did), in combination with all possible case toggling for all
character positions (which is also what I did).  However, going from two
to three without case toggling or with limited case toggling did not
provide much of an advantage, so I doubt that it'd affect the final
score substantially.

> I used Amazon EC2 and spent $185.

How much CPU power did you get for that?

> We also used 1700 (of 2000) donated
> CPU-hours on a large cluster with John + Magnum's MPI patch.

So that's 35 CPU cores in use on average (in the cluster alone), right?

> > software (free or previously acquired, I suppose?),
> John (of course!), Matt Weir's "probabilistic cracker",

Did the "probabilistic cracker" help?  Matt ran it for us as well, but
the effect was very small (compared to what we had already cracked by
other means by the time).  I don't have an exact number, but I think it
was no more than 500 passwords extra.  In part this might be because
Matt was only using his laptop (I think).

> some of my own
> code (hacked up but releasable), and I'm ashamed to admit, some
> oclHashcat.  We didn't use oclHashcat very effectively though.

How much help was oclHashcat?

We, I admit, used a little bit of IGHASHGPU (not me personally), and it
helped a little bit, but by far the majority of hashes were cracked with
John, and most of those cracked with IGHASHGPU overlapped with John's.
We would definitely be 4th without IGHASHGPU as well.

> Yeah you read my mind on this.  I would like to know too.  We can't
> just sort -u our results because of the admin hashes but here are mine
> anyways:

Thanks.  With a quick check, I am getting +5700 to your score with our
results combined, so we'd be 2nd.  But that's just an estimate.  You're
right - KoreLogic are the ones to make this check for real.

When we got cracked passwords contributed by a team member or by someone
external, we'd use those as a wordlist with our identified approaches
(e.g., extract all substrings, then apply figured out Kore-rules) -
which always provided even more cracks.  So if you shared your stuff,
our cumulative score would be even higher.

I guess I need to share our stuff too, although I'm not sure I have
_exactly_ the last contest submission's results saved (I may have only
slightly earlier and slightly later post-contest results).
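[Added illustration, not part of Solar Designer's message and not code from John the Ripper: a small Python sketch of the two approaches described above, the "extract all substrings" wordlist built from already-cracked passwords, and the "overstrikes for two positions at once, combined with all case toggling" candidate generation. The overstrike charset, the minimum substring length and the three sample "cracked" passwords are assumptions made for the example, and upper_bound() is only an estimate of candidate counts, not anything john reports.]

```python
import itertools
from math import comb

# Constructed sample of already-cracked passwords (not contest data).
CRACKED = ["Password1", "summer2010", "qwerty!"]


def substrings(word, min_len=3):
    """All distinct substrings of `word` with length >= min_len, sorted.

    Feeding the substrings of cracked passwords back in as a wordlist is
    the "extract all substrings" step; rules are then applied on top.
    """
    seen = set()
    for i in range(len(word)):
        for j in range(i + min_len, len(word) + 1):
            seen.add(word[i:j])
    return sorted(seen)


def derived_wordlist(cracked, min_len=3):
    """Union of the substrings of every cracked password (assumed min_len)."""
    words = set()
    for w in cracked:
        words.update(substrings(w, min_len))
    return sorted(words)


def case_toggles(word):
    """Every case variant of `word`: 2**k candidates for k cased letters."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*options)}


def overstrikes(word, k, charset):
    """Candidates with exactly k positions of `word` overwritten by charset chars.

    Every k-subset of positions is combined with every k-tuple from charset;
    the unchanged word is excluded and duplicates collapse in the set.
    """
    out = set()
    for pos in itertools.combinations(range(len(word)), k):
        for repl in itertools.product(charset, repeat=k):
            chars = list(word)
            for p, r in zip(pos, repl):
                chars[p] = r
            cand = "".join(chars)
            if cand != word:
                out.add(cand)
    return out


def candidates(word, max_overstrike, charset):
    """Up to `max_overstrike` overstrikes, then full case toggling on each result."""
    base = {word}
    for k in range(1, max_overstrike + 1):
        base |= overstrikes(word, k, charset)
    out = set()
    for b in base:
        out |= case_toggles(b)
    return out


def upper_bound(length, letters, max_overstrike, charset_size):
    """Loose upper bound on the candidate count for one base word:
    sum over k of C(length, k) * charset_size**k, times 2**letters for
    case toggling. Overstruck positions may add or remove cased letters,
    so this is an estimate of the work, not an exact count.
    """
    base = sum(comb(length, k) * charset_size ** k
               for k in range(max_overstrike + 1))
    return base * 2 ** letters


if __name__ == "__main__":
    digits = "0123456789"
    print(len(derived_wordlist(CRACKED)), "substring candidates")
    print(len(candidates("pass1", 2, digits)), "variants of 'pass1'")
    # Same 10-character, 6-letter word, 36-character charset, 2 vs 3 positions.
    print(upper_bound(10, 6, 2, 36), upper_bound(10, 6, 3, 36))
```

For a 10-character word with six letters and a 36-character overstrike charset, the bound grows from about 3.8 million to about 362 million candidates when going from two to three positions, roughly a hundredfold, which is the scale of the "100x faster machines" remark above; the bound is per base word, so the real cost multiplies by the wordlist size.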


