Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 5 Aug 2012 09:36:25 +0200
From: Frank Dittrich <>
Subject: Frank's writeup for CMIYC 2012

In 2010, I couldn't spend significant time on the contest, so 2011 was
the first real CMIYC contest, and this is my second.

My write-up for the 2012 CMIYC contest:


Similar to last year, I did almost nothing to prepare for the contest.
I guess you have to begin preparing right now for the next contest,
otherwise next year you'll also not find the time.

The only thing I did prior to the contest was just building trying out a
GPU version of john on bull, since I never did before.
I even collected performance information for various hash types, which I
intended to use for the decision which hash format to attack using one
of the GPUs or the CPU cores. But I never found the time to actually
look at the collected information.
(I also decided to wear an openwall T-shirt for the contest, but I am
not sure how much that helped ;)


* Laptop with i7-2820QM quad core with hyperthreading
* after a few hours into the contest, Solar let me use his bull computer
with an AMD FX-8120 8-core CPU, a GeForce GTX 570 and an AMD Radeon HD 7970

I won't count my Atom Netbook, because I didn't use the CPU for
cracking. Instead, I had an additional monitor attached to it, and used
IRC on the 10" netbook screen, and used the other screen for mail client
and browser.
I also had another PC with a slow CPU which would get very noisy without
being of much help had I tried to use it for actual cracking.
It was hot enough in my room already (KoreLogic really should consider a
contest in winter, as someone suggested).
So I used that PC to connect to bull, to google, and to transfer certain
files between contest server and bull.


* John the Ripper (contest edition)
* a few ad-hoc scripts


When the contest started, I focused on the ssh challenges, but without
much success. When I decided to switch to cracking hashes, Solar asked
whether I would like to use bull, starting to attack MD5, so I did.

First, I ran some attacks on my laptop.
I just ran the default attack against all those hash files which john
recognized without specifying --format.
I started with those formats which should be fast, and used slow formats
at the end. When I felt a task would need to run too long, I just
interrupted it.
Because at this point I just wanted to get a basic idea about possible
patterns I could use when attacking MD5 hashes on bull.
By the time I started using bull, there were also enough passwords
cracked by others, to get an idea which patterns could be tried.

The first useful ideas were just using rockyou.txt on CUDA, which gave
13 cracked passwords until I interrupted the session because the
frequency of cracked passwords dropped.

Trying facebook-firstnames.txt, and a rule to upper case first letter
(because that was what I found among the rockyou passwords which worked,
gave another 33 in about an hour.

Trying lowercase first names only gave 5 in half an hour, among them
words that were not names; traverse, cherished, abandoned.
So, I googled for a list of english verbs and used those (plus mangling

When Simon provided the dinos list, I used this one successfully.

Later I successfully used the plain basewords list provided by Solar.

Then Solar suggested attacking mscash2 and sha512crypt on bull.

I got one mscash dinosaur, and a few first names for both hash types.
Using a list of Greek names gave me several more mscash2 and sha512crypt

Other attacks were far less successful, so I was happy when Aleksey
compiled the mangled "password" list I could use, which gave 6 more
mscash2 hashes.

On my laptop, which I used between starting attacks on bull and trying
to follow the IRC (and sometimes checking mails), I generally wanted to
try the same pattern on different hash types, and interrupted tasks when
they were not successful or too slow.
I wanted to try rules and patterns others had not tried so far, so that
new patterns could be detected.
For the same reason, I also used the list of passwords cracked by our
team to apply mangling rules to these cracked passwords.
I mainly ran these tests on faster  hash types.
Inserting/overwriting a single character (range [ -~]) at the end or the
begin of a word, or at arbitrary offset.
That way, frequently used base words and the patterns should become more
obvious, because more samples appear in the central pot file.

Unfortunately, I couldn't use sunmd5. The patch applied without
problems, but after building john, the self test for this new format
failed. Probably this was caused by a bug which only occurred for OMP

After getting some hours of sleep, I used the last 30 minutes before
deadline to try mangling rules on previously cracked passwords for fast
hash types.


Even if I had just 2 machines to manage, I felt that I neither managed
both of these machines well (keeping both of them busy doing useful
stuff) nor managed to have time to really look for patterns.

I also noticed that it is harder to define good attacks for GPUs.
For performance reasons, the MAX_KEYS_PER_CRYPT is very high.
More than 100000 candidates easily fit into one block.
Running an attack which just fills a few thousand slots here is rather
While most CPU attacks can be interrupted and restored any time, a GPU
attack interrupted at the wrong time easily means you lost up to an hour
when you later restore that session, because the whole
MAX_KEYS_PER_CRYPT block will be retried.

I also found a few bugs, which I've meanwhile reported on john-dev (or
will do, for the less important problems).

I think KoreLogic prepared an excellent contest, providing enough
possibilities to use your brain instead of pure raw computing power,
throwing in a few tasks which no team was prepared for, so that you had
to react during the contest.
And I think the points given per hash type were fair.

Last year we were third, with no real chance to win, but we cracked the
highest total number of hashes (due to also cracking many challenges
which provided additional easy to crack hashes).

This year we were *so* *close* to winning.
And we cracked the highest number of passwords for each of the 4 most
valuable hash types (most expensive to compute hashes and/or hash type
which had not been supported until the contest began).
These expensive to calculate passwords are IMHO those who matter most.
After all, who can blame a user that his password got cracked when the
admin failed to provide a decent protection.
Nowadays, nobody should need a pen test to learn that raw-md5 isn't a
suitable password hash algorithm.

If we manage to improve from this contest to the next at the same rate
we improved from last year to this year, other teams will have a hard
time trying to beat us.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.