Date: Mon, 6 Aug 2012 18:21:04 +0400 From: Aleksey Cherepanov <aleksey.4erepanov@...il.com> To: john-users@...ts.openwall.com Subject: Aleksey's writeup for Crack Me If You Can 2012 I participated in cmiyc 2011 and was a coordinator in phdays hash runner 2012. This time I was coordinator but it was very smooth: no problems with formats (except sunmd5 that was rather a nice challenge), no users to subscribe during contest, no big problems at all. Team worked well. I said what to do only once (though maybe I had to say it more times). I delegated Alexander Cherepanov to do all server scripting tasks. So during the contest I was able to do other things, some cracking, track talks and situation. I could mention some problems but they are minor. So do not feel too guilty. ;-) Preparations We had training contests a week before the contest. At the same time we setup ircd. I think these two points helped us. I subscribed all users before the contest. Though Jim aka Spank was subscribed right before the contest because his subscription request was lost but request from other email worked well. I changed motd and faq files. Though I think I had to promote them more for those who participate first time. Also I had to check that all members uploaded at least one .pot because Spank did not upload .pot files so it seems to be my fault. Problems and actions After contest start I faced different small problems. There were no scripts around 7z and gpg. So the first thing to do was to write wrapper around 7z. I spent two hours going in wrong direction but when I realized it I wrote script to crack 7z in half of hour. Though I did not cracked any 7z. I should admit that I have low basic cracking skills because I crack only during contests. I wrote gpg wrapper too but it did not handle false positives. I did not finished gpg wrapper but we solved enough challenges. While it searched for passwords I looked for dmg cracking but after all I did not find any free software tool to open/mount/crack it. Among others I tried 'mount' on it but it stuck eating 100% cpu, ignoring kill and preventing soft reboot. Also I did not understand how to crack .asc files (gnupg* challenges). Patterns were much smarter than before. Though there were "traditional" patterns, especially 'password' pattern. I wrote a script to mangle words just like I want but that script proved itself to be rather useless because it uses too much memory. Nevertheless I built 'password' pattern and finished it against fast hashes. Frank exhausted it for mscash2 on gpu. samu finished it for md5*. For slow hashes I prepared reduced version but it was not effective enough to be finished. I split my script into small that do not consume so much memory. So I got 'washington' pattern mentioned by Frank. It was huge but not so efficient so it was not done against slow hashes. I built 'grandson' pattern but it turned out to be a part Swiss cities pattern. There were some problems with: many lists, many rules that were not really right (though they were fruitful in any case). Solar Designer asked rofl0r to reduce list of cities to only found in cracks. So here I should describe workflow found during the contest. It works because patterns for fast and slow hashes were the same. So we found something and start wide range attack or just do some extensive search that gives some results on fast hashes. Then we reduce pattern to be exact. Here we could realize that there are more than one pattern (i.e. 'password' + 1 any char in any position, 'password' + leet, 'password' + leet + any char + number). So we get many patterns that are smaller and we run them against slower hashes (for instance mscash2 on gpu is slow but enough fast for quite big patterns). Then we try to reduce pattern more and run against most slow hashes. Though even reduced 'password' pattern was too big for one man to run. I asked Alexander Cherepanov to run it on 48 cores but it'd took 1.5 days so we postponed it. I started to think how to distribute attack but got nothing good. So my "hardcore pattern search" turned out to be not so hardcore. On the other hand Jim and Simon did distribution manually through files on server. I noticed problem with wikipedia list: there were different lists and nobody knew did we tried any against all hashtypes or not. After all I'd say we need a table format-attack so we could keep track of exhausted attacks and patterns. Both distribution and tracking were goals for my MJohn project so I regret that I did not make it in time. I used my old one-liner to ease pattern search. After contest I found a bug in it: it does not search groups of words with one different letter - it searches groups of words with the same beginning. It is not so cool. I played with it a bit: one letter difference is too strict, two letters are much better. Trying 'password' pattern I got a problem with file names: in first case filename did not contain format name (md5a), in other case I had to use number of file in names of session. I stopped on the second option. Elijah found 'pride and predjustice' pattern. While I looked on it Solar Designer asked me to script phrase ripper. I scripted it in 5 minutes and it worked. I was afraid that straightforward method produced too many candidates but it did not. Also I was not sure that [\w,] pcre range to catch words is good so then I tried to include more signs in words (\S range, all except white spaces) and to make pack of 1-5 words. 5 words did not yield anything, 1-3 words yielded something but then I refreshed my uncracked and about nothing were left - only one word with colon but I guess it would be found in any case with rules against cracked or basewords. In the end I run mangled cracked against fast hash types. Mangling words I considered to store wordlists on disk because I did mangling in many steps with branches and did not want to wait again redoing previous steps for new branches. So I spent all disk space in my home dir partition. It was nasty. I had to think about it before the contest. Mangling revealed that kikugalanet+6digits pattern has also variant with 8 digits. I found it after the contest and I guess it was not tried during the contest. Though it does not seem to be so effective. After the contest I tried to find Lord of the Rings on the Internet to download but failed because it is under copyright. It makes situation 'p&p vs LotR' not so comic. I think I was able to improve some things making better layout of files. Just noticed Solar Designer had problem with submission. I think KoreLogic could provide a way to do test submissions. After the contest Alexander Cherepanov pointed out to me that I had wrong time on my computer (about 45 seconds). Right time setup should be one of points during preparation. This contest had a lot of very different tasks that made it very interesting. Team work We had a good time. There were jokes. We supported and helped each other. Everyone did small things and together we got great result. I think our relationships were improved and it is important and will give us more results in the future. We got many good things during the contest (including fun, experience, bugs, code for sxc, sunmd5) hence so close victory is not important. We are on the way to become the best forever. Thanks! -- Regards, Aleksey Cherepanov
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.