Date: Tue, 24 Aug 2010 00:30:56 -0400
From: Charles Weir <cweir@...edu>
To: john-users@...ts.openwall.com
Subject: Defcon18 "Crack Me If You Can" Complete Pot File

Hey all,

I've been playing around with the plaintext answers KoreLogic released after the "Crack Me If You Can" competition at this year's Defcon, and I got it into my head to use the list of words to try and create a complete JtR .pot file from all of the hashes.

There were a couple of reasons for this. First of all, I wanted to start doing comparisons of the different teams' cracking techniques; more specifically, the techniques they used to train on the cracked NTLM passwords to attack the other hash types. For that I needed training and test sets. Also, I REALLY wanted to see if JtR correctly handled those #$@!# Oracle10 hashes, and if so, what the plaintexts were for them.

Since I figure other people might be interested in this as well, I'm making the .pot file available at:

https://sites.google.com/site/reusablesec/Home/random/KoreLogic_Defcon2010.pot

As for the highlights, yes, JtR does handle the Oracle passwords, though it's no wonder no one managed to crack them in the 48 hours we had. For example, here is a typical Oracle password from the set:

!'O2?CHDOWN

Yes, it's based off of 'TOUCHDOWN', but nobody had those rules in their mangling set...

What was much more interesting, though, was the time it took to run the plaintext passwords through each hash type. To give you some background, the plaintext list of all the passwords contained 54,932 unique words. I ran these cracking sessions on my Mac 2.2GHz Intel Core Duo laptop (only using one instance of JtR), with no mangling rules (since I had the perfect dictionary). Also note, some of the salted hashes were already cracked from the competition, so I did not attempt to re-crack them (though they are all in the downloadable .pot file).

I didn't time it, but if I am generous it took approximately 1 second to run the attack against all of the NTLM password hashes.

Against 10157 Netscape Salted SHA (ssha) hashes, it took me 1 minute and 30 seconds, with me making 3095K c/s.

Against 1000 Oracle10 password hashes, it took 1 minute and 28 seconds, with me making 260645 c/s.

Against 80 Blowfish hashes, it took me 3 hours and 36 minutes to crack them all, with me making 200 c/s.

Against 4077 Crypt-MD5 hashes, it took 10 hours and 10 minutes to crack them all, with me making 3228 c/s.

What this really brings home is how important hash type is to the cracking session. There's been a lot of talk in the news lately about how GPU password crackers will soon force everyone to choose 12 character passwords:

http://www.bbc.co.uk/news/technology-10963967

While team HashCat showed GPU password crackers are extremely effective (and I'm still in awe of their work), even a 10x speedup against Crypt-MD5 hashes would only allow me to make ~30k guesses a second. That's compared to the 328296K, yes that's 328 MILLION, guesses a second I'm able to make against NTLM password hashes on my laptop. And that completely ignores the effect that the password salt has when auditing large lists.

So once again, thanks to KoreLogic for running this competition, and I can't wait for the next one at Defcon 19!

Matt Weir
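To put the c/s figures in the message side by side, here is an added Python example (written for this page, not code from the post or from John the Ripper) that implements the FreeBSD md5crypt scheme ($1$, the "Crypt-MD5" format in the timings, which chains 1000 MD5 rounds per guess) and measures how many times more expensive each guess is than a single raw MD5; the password and salt are constructed sample values, and the crypt(3) cross-check only runs where the platform still offers $1$.

```python
import hashlib, time, warnings
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    # crypt(3) base-64 variant: least-significant 6 bits first
    return "".join(ITOA64[(v >> (6 * k)) & 0x3f] for k in range(n))

def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt ($1$): 1000 chained MD5 rounds per guess (the 'Crypt-MD5' format)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):       # mix in len(password) bytes of alt
        ctx.update(alt[:min(pl, 16)])
    i = len(password)
    while i:                                       # one byte per bit of len(password)
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                          # the deliberate slow-down
        c = hashlib.md5(password if r & 1 else final)
        if r % 3: c.update(salt)
        if r % 7: c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    f = final
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$%s$%s" % (salt.decode(), enc + _to64(f[11], 2))

def cost_ratio(password=b"TOUCHDOWN", salt=b"12345678", n=100) -> float:
    """Seconds per md5crypt guess divided by seconds per raw-MD5 guess (constructed inputs)."""
    t0 = time.perf_counter()
    for _ in range(n): hashlib.md5(password).digest()
    raw = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    for _ in range(n): md5crypt(password, salt)
    return (time.perf_counter() - t0) / n / raw

def matches_system_crypt(password=b"TOUCHDOWN", salt=b"12345678") -> bool:
    """Cross-check against crypt(3) where the platform still offers $1$ (otherwise True)."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")   # the crypt module is deprecated/removed in newer Pythons
            import crypt
    except ImportError:
        return True
    got = crypt.crypt(password.decode(), "$1$" + salt.decode() + "$")
    if not (got and got.startswith("$1$")):
        return True
    return got == md5crypt(password, salt)
```

The ratio cost_ratio() returns is the per-guess penalty a raw-MD5 or NTLM-style hash gives up for free, which is the gap between 3228 c/s and 328 million c/s in the message.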