Date: Tue, 3 Aug 2010 02:23:35 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: contest results

On Mon, Aug 02, 2010 at 09:19:28PM +0000, Brandon Enright wrote:
> I'm also disappointed that a bit of fire-and-forget GPU cracking
> of the NTLM hashes beat out both our team's hard work, adaptation, and
> innovation.

Do we know that it's GPU cracking that did the trick? I think the
winning teams did other things better as well - perhaps there were
simply more active people involved and the teams were better organized
(well, definitely better than ours - I was just building the team and
setting up the file-exchange server _during_ the contest).

Computing resources were secondary for this contest, I think. I didn't
even make use of all I was going to (peaked at as few as 12 CPU cores in
use under my own control) - had no time to _reasonably_ put more CPUs to
use, my time was better spent looking for and implementing patterns.

Our score was primarily limited by not having enough people who would
look for patterns, implement those into rules or code, and test them.
I was doing that myself, and it was the primary thing that helped, but
few others on our team did this to much extent. (I am not complaining
about the team, no. I actually enjoyed working with everyone,
regardless of whether this helped in the contest or not! And a lot of
contributions from team members did help greatly!)

I am wondering if the hashcat folks maybe tried auto-generating rulesets
based on cracked passwords (which would save people's time).

> I am writing up my contest experience, strategy, thoughts, and
> suggestions right now. I should have the email done in a few hours.

Sounds great!

> Yes, this is quite sad. I was sure that with all of the other hashes
> besides NTLM in the competition that the GPU crackers would be very
> limited. With the volume of NTLM hashes though it seems all of our
> effort to crack the other hashes went to little use.

Yes, and frankly I mostly focused on NTLM myself due to their number,
speed, and the way the points were being awarded (irrespective of hash
type). I let others on the team run certain attacks against the slower
hashes, as a way to reduce overlap with my own cracking.

I did spend approx. half the CPU time under my control on non-NTLM
hashes, though. If that half were directed to NTLM, it would not help
all that much, and as I mentioned I had idle machines anyway. If I came
up with more patterns to test against NTLMs in time (which ran pretty
fast anyway, even without any GPUs), I'd just proceed to start more
john's on those extra machines.

Well, maybe with 100x faster machines, I'd test all possible overstrikes
for three rather than just for two character positions at once (which is
what I did), in combination with all possible case toggling for all
character positions (which is also what I did). However, going from two
to three without case toggling or with limited case toggling did not
provide much of an advantage, so I doubt that it'd affect the final
score substantially.

> I used Amazon EC2 and spent $185.

How much CPU power did you get for that?

> We also used 1700 (of 2000) donated
> CPU-hours on a large cluster with John + Magnum's MPI patch.

So that's 35 CPU cores in use on average (in the cluster alone), right?

> > software (free or previously acquired, I suppose?),
>
> John (of course!), Matt Weir's "probabilistic cracker",

Did the "probabilistic cracker" help? Matt ran it for us as well, but
the effect was very small (compared to what we had already cracked by
other means by the time). I don't have an exact number, but I think it
was no more than 500 passwords extra. In part this might be because
Matt was only using his laptop (I think).

> some of my own
> code (hacked up but releasable), and I'm ashamed to admit, some
> oclHashcat. We didn't use oclHashcat very effectively though.

How much help was oclHashcat?

We, I admit, used a little bit of IGHASHGPU (not me personally), and it
helped a little bit, but by far the majority of hashes were cracked with
John, and most of those cracked with IGHASHGPU overlapped with John's.
We would definitely be 4th without IGHASHGPU as well.

> Yeah you read my mind on this. I would like to know too. We can't
> just sort -u our results because of the admin hashes but here are mine
> anyways:
>
> http://noh.ucsd.edu/~bmenrigh/crackheads.txt

Thanks. With a quick check, I am getting +5700 to your score with our
results combined, so we'd be 2nd. But that's just an estimate. You're
right - KoreLogic are the ones to make this check for real.

When we got cracked passwords contributed by a team member or by someone
external, we'd use those as a wordlist with our identified approaches
(e.g., extract all substrings, then apply figured out Kore-rules) -
which always provided even more cracks. So if you shared your stuff,
our cumulative score would be even higher.

I guess I need to share our stuff too, although I'm not sure I have
_exactly_ the last contest submission's results saved (I may have only
slightly earlier and slightly later post-contest results).

Thanks,

Alexander