Date: Sun, 5 Aug 2012 09:36:25 +0200 From: Frank Dittrich <frank_dittrich@...mail.com> To: john-users@...ts.openwall.com Subject: Frank's writeup for CMIYC 2012 In 2010, I couldn't spend significant time on the contest, so 2011 was the first real CMIYC contest, and this is my second. My write-up for the 2012 CMIYC contest: Preparation =========== Similar to last year, I did almost nothing to prepare for the contest. I guess you have to begin preparing right now for the next contest, otherwise next year you'll also not find the time. The only thing I did prior to the contest was just building trying out a GPU version of john on bull, since I never did before. I even collected performance information for various hash types, which I intended to use for the decision which hash format to attack using one of the GPUs or the CPU cores. But I never found the time to actually look at the collected information. (I also decided to wear an openwall T-shirt for the contest, but I am not sure how much that helped ;) Hardware ======== * Laptop with i7-2820QM quad core with hyperthreading * after a few hours into the contest, Solar let me use his bull computer with an AMD FX-8120 8-core CPU, a GeForce GTX 570 and an AMD Radeon HD 7970 I won't count my Atom Netbook, because I didn't use the CPU for cracking. Instead, I had an additional monitor attached to it, and used IRC on the 10" netbook screen, and used the other screen for mail client and browser. I also had another PC with a slow CPU which would get very noisy without being of much help had I tried to use it for actual cracking. It was hot enough in my room already (KoreLogic really should consider a contest in winter, as someone suggested). So I used that PC to connect to bull, to google, and to transfer certain files between contest server and bull. Software ======== * John the Ripper (contest edition) * a few ad-hoc scripts Summary ======= When the contest started, I focused on the ssh challenges, but without much success. When I decided to switch to cracking hashes, Solar asked whether I would like to use bull, starting to attack MD5, so I did. First, I ran some attacks on my laptop. I just ran the default attack against all those hash files which john recognized without specifying --format. I started with those formats which should be fast, and used slow formats at the end. When I felt a task would need to run too long, I just interrupted it. Because at this point I just wanted to get a basic idea about possible patterns I could use when attacking MD5 hashes on bull. By the time I started using bull, there were also enough passwords cracked by others, to get an idea which patterns could be tried. The first useful ideas were just using rockyou.txt on CUDA, which gave 13 cracked passwords until I interrupted the session because the frequency of cracked passwords dropped. Trying facebook-firstnames.txt, and a rule to upper case first letter (because that was what I found among the rockyou passwords which worked, gave another 33 in about an hour. Trying lowercase first names only gave 5 in half an hour, among them words that were not names; traverse, cherished, abandoned. So, I googled for a list of english verbs and used those (plus mangling rules.) When Simon provided the dinos list, I used this one successfully. Later I successfully used the plain basewords list provided by Solar. Then Solar suggested attacking mscash2 and sha512crypt on bull. I got one mscash dinosaur, and a few first names for both hash types. Using a list of Greek names gave me several more mscash2 and sha512crypt passwords. Other attacks were far less successful, so I was happy when Aleksey compiled the mangled "password" list I could use, which gave 6 more mscash2 hashes. On my laptop, which I used between starting attacks on bull and trying to follow the IRC (and sometimes checking mails), I generally wanted to try the same pattern on different hash types, and interrupted tasks when they were not successful or too slow. I wanted to try rules and patterns others had not tried so far, so that new patterns could be detected. For the same reason, I also used the list of passwords cracked by our team to apply mangling rules to these cracked passwords. I mainly ran these tests on faster hash types. Inserting/overwriting a single character (range [ -~]) at the end or the begin of a word, or at arbitrary offset. That way, frequently used base words and the patterns should become more obvious, because more samples appear in the central pot file. Unfortunately, I couldn't use sunmd5. The patch applied without problems, but after building john, the self test for this new format failed. Probably this was caused by a bug which only occurred for OMP builds. After getting some hours of sleep, I used the last 30 minutes before deadline to try mangling rules on previously cracked passwords for fast hash types. Conclusion ========== Even if I had just 2 machines to manage, I felt that I neither managed both of these machines well (keeping both of them busy doing useful stuff) nor managed to have time to really look for patterns. I also noticed that it is harder to define good attacks for GPUs. For performance reasons, the MAX_KEYS_PER_CRYPT is very high. More than 100000 candidates easily fit into one block. Running an attack which just fills a few thousand slots here is rather pointless. While most CPU attacks can be interrupted and restored any time, a GPU attack interrupted at the wrong time easily means you lost up to an hour when you later restore that session, because the whole MAX_KEYS_PER_CRYPT block will be retried. I also found a few bugs, which I've meanwhile reported on john-dev (or will do, for the less important problems). I think KoreLogic prepared an excellent contest, providing enough possibilities to use your brain instead of pure raw computing power, throwing in a few tasks which no team was prepared for, so that you had to react during the contest. And I think the points given per hash type were fair. Last year we were third, with no real chance to win, but we cracked the highest total number of hashes (due to also cracking many challenges which provided additional easy to crack hashes). This year we were *so* *close* to winning. And we cracked the highest number of passwords for each of the 4 most valuable hash types (most expensive to compute hashes and/or hash type which had not been supported until the contest began). These expensive to calculate passwords are IMHO those who matter most. After all, who can blame a user that his password got cracked when the admin failed to provide a decent protection. Nowadays, nobody should need a pen test to learn that raw-md5 isn't a suitable password hash algorithm. If we manage to improve from this contest to the next at the same rate we improved from last year to this year, other teams will have a hard time trying to beat us. Frank
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.