Date: Sun, 05 Aug 2012 14:44:53 +0200
From: rofl0r <>
Subject: rofl0r's writeup for CMIYC 2012

this was my first pw cracking contest, so i was kinda planless in the 

1x AMD FX(tm)-8120 Eight-Core Processor @ 3.1 GHz

started reading the various docs related to the contest setup, john 
usage etc, then started to set up john contest edition, and peeked 
around on the server for wordlists.
i grabbed some of them and compiled a huge wordlist out of it. ran it on 
some randomly chosen hashes (mysql and oracle).
i got quite good results (ca 100 cracked hashes after a few seconds),
but then saw that about 80% of them were already in the cracked pots.

i should have tried to run the list on all other fast hashes as well.
(started doing this in the last 3 minutes of the contest and it did
indeed find a new md5 hash, but it was ~1 minute too late to submit it...)

heard about some patterns that were found on irc and compiled a dinosaur 
wordlist which i ran against bf, because of its high value.
(moderate success, only 1 pass found)
c/s was very slow, so i started to feel i need more cpu.

1x Intel(R) Core(TM)2 Duo CPU     E8500  @ 3.16GHz
to my setup.

(about 15% faster per core against bf than the AMD)

i was continuously rsyncing the contest server's /home dir to a local dir,
which i mounted via sshfs on the other box, so i had direct access to 
newest stuff.

started appending numbers to dinos and ran it again against bf. no 
success at all.

someone found that 2 swiss cities were used. i compiled a list of them 
and ran it against bf. no success again.

looked at pots and saw that those 2 swiss city names found had one 
random char appended.

since i don't know how to use john's more advanced features, i compiled a
list of swiss city names with A-Za-z0-9 appended with a perl script and 
ran it against bf.

went to sleep. when i came back, 2 hashes were cracked, both with 
lowercase char appended.
i canceled the run in the middle and shrunk the wordlist to use only 
lowercase chars. 1 more found.

at that time Jim had the sunmd5 patch working.
i felt i needed more beef so i set up an old dual-core laptop (which i
wasn't even considering to use in the beginning).
Intel(R) Core(TM)2 CPU         T5600  @ 1.83GHz

i looked at the pots and saw p4$$w0rd everywhere with inserted 
characters. compiled such a list and ran it against sunmd5.
the laptop was amazingly fast at this; only about 25% slower than the 

found 2 variations of it against sunmd5.
at this point, we had only 3 sunmd5, and 9 bf hashes, so i was quite 
happy with my results. total team score was ~288K

i picked up another dualcore atom box and a crappy amd laptop that were 
accessible in the network and added them to my setup.
since those were in a different network segment i couldn't use sshfs but
had to copy everything needed over there, which was quite time-consuming.

i started running easy english wordlists against sunmd5 since this hash 
was still mostly virgin.

the success with the password variation inspired me to insert chars into 
the swiss list at all possible offsets, one per pass.
this was my best attempt, i got hundreds of cracks all over the hash scale.
i couldn't finish all hashtypes in time so i asked solar to take over
some of the slow hashes.

tried the greek names wordlist with inserted chars on some other box, 
and it only yielded a single hash.

i continued running mscash2 on the swiss patterns on various boxes for 
the last 30 minutes, since i was unsure if solar had picked up my 
prepared wordlist.

at the end i had nearly 1000 hashes cracked, which is a very satisfying 
result for me.

lesson learned:
next time i'll start with huge easy wordlists on fast hashes so i can 
easily spot patterns (i had no idea *how fast* those hashes are), then 
starting to test these against fast hashes again and only if they are
really successful continue to use them against slower ones, while
keeping on trying new stuff against the fast hashes.

thanks for all the fun, wordlists, and jtr contest edition. =)
hope i can join you guys next year again.
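
The "base word plus one appended or inserted character" pattern from this writeup, seen from the password-policy side. This is an added example, not part of the original post: it flags a password when deleting any single character leaves a blocklisted base word. The word set and all function names are assumptions constructed for illustration.

```python
"""Policy check: reject passwords that are a blocklisted word with one
character appended or inserted (the pattern described in the writeup)."""

# Constructed sample blocklist; a real deployment would load its own lists
# (place names, common passwords, organisation-specific terms).
BASE_WORDS = {"zurich", "geneva", "p4$$w0rd", "stegosaurus"}


def near_blocklisted(password, base_words=BASE_WORDS):
    """Return (base_word, offset, extra_char) when removing exactly one
    character from `password` yields a blocklisted word. Return
    (base_word, None, None) when the password itself is blocklisted, and
    None when neither applies. Comparison is case-insensitive."""
    pw = password.casefold()
    words = {w.casefold() for w in base_words}
    if pw in words:
        return (pw, None, None)
    # A password of length n has only n single-deletion forms, so this check
    # is cheap even though enumerating all insertions of a word is not.
    for i in range(len(pw)):
        candidate = pw[:i] + pw[i + 1:]
        if candidate in words:
            return (candidate, i, pw[i])
    return None


def audit(passwords, base_words=BASE_WORDS):
    """Map each rejected password to the reason it was rejected."""
    findings = {}
    for p in passwords:
        hit = near_blocklisted(p, base_words)
        if hit is not None:
            findings[p] = hit
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    sample = ["zurichq", "p4$$Xw0rd", "Geneva", "correct horse battery"]
    for pw, (word, off, ch) in audit(sample).items():
        print(f"reject {pw!r}: {word!r} + {ch!r} at offset {off}")
```
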

