Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 14 Aug 2012 19:28:21 +0400
From: Aleksey Cherepanov <>
Subject: team john-users writeup for Crack Me If You Can 2012 contest


As many of you are aware, we participated in KoreLogic's "Crack Me If
You Can" password cracking contest at DEFCON earlier this summer, as
team john-users.  We ended up taking 2nd place overall (out of 12),
and we're first for 7 out of 19 hash types.  Additionally, we achieved
the highest number of weighted points prior to the application of
bonuses, and we cracked more challenges than any other team did (we
cracked 11 total, and we were first to crack 6).  Here are the
statistics for all teams:

We hope to see pretty graphs of teams' progress over time there.  And
here are the per-hash crack numbers for our team in particular:

Now to the writeup, to be re-published on the contest website:


The contest was fun and challenging, it helped us test some
experimental John the Ripper code and identify areas for further

Since last year we got a lot of cool stuff related to challenges:
truecrypt (thanks, Alain Espinosa), rar (thanks, magnum), zip (thanks,
JimF), odt, pdf, ssh, encfs (thanks, Dhiru Kholia) and many more.
Also we got OpenCL versions of sha512crypt (thanks, Claudio Andre),
bcrypt, mscash2 (thanks, Sayantan Datta) and others.  We'd like to
list all john's contributors but this list would be too long for this
writeup.  Thanks to all!

We'd like to thank KoreLogic for organizing the event.  We would also
like to thank all other teams who participated and made it tough for
us to compete. ;-)


Active members: 21

Names / nicks:
Aleksey Cherepanov, Alexander Cherepanov, bartavelle, Dhiru Kholia,
elijah, Francois Pesce, Frank Dittrich, guth, JimF, Kevin Young, Matt
Weir, Me Agap1, myrice, Rich Rumble, rofl0r, Rory Michele, samu,
Sergey, smooge, Solar Designer, ukasz.

Additionally, we had a few members who merely listen.  We hope they
learned a lot and next time they'll show better results.

Also many members asked friends for hardware.  The same way some
organizations contributed their servers to us.  Thanks to all!

Software: John the Ripper (with various patches), custom scripts,
Cryptohaze Multiforcer (used by samu only), 7-zip to crack 7z, also
elijah used trial Passware Kit to crack dmg.

We're an Open Source only team.  This needs to be clarified:

We only use Open Source password cracking tools, meaning that we may
use e.g. John the Ripper and Cryptohaze Multiforcer, but not e.g.
hashcat (since it is closed-source).

However, we may use e.g. closed-source GPU device drivers for lack of
an alternative and because they're not directly a password cracking

This year, as an exception to our normal policy, a team member
happened to use a trial version of Passware Kit to crack a .dmg
challenge.  After some debate, we decided to go ahead and submit this
crack anyway, but confess in the writeup - which we do.  That one
crack did not affect our contest score at all since we were beyond the
cap of 6 challenges anyway.  With this one, we cracked a total of 11
challenges; without it, we would be at 10.

Hardware: it is hard to count accurately, our estimate is ~250 cpu
cores and 9 gpus.


We started by cracking the challenges.  The hashes were postponed.  As
soon as we cracked the first challenge, we tried to submit it (and
shortly another one as well), but we failed: we did not try to send any
e-mail from our contest server since the previous CMIYC, and as it
turned out we got a problem with the caching & recursive nameserver
configured on this server.  We detected the problem and fixed it half an
hour later, so cracked passwords for these two challenges were finally
submitted.  We would be happy if KoreLogic would provide a way to test
scripts for cracks submission before the contest next time.

In first 3 hours Dhiru Kholia added support for sxc in JtR.  Aleksey
Cherepanov wrote a wrapper around 7z in shell.  We cracked many
challenges waiting for approval for our cracks #3, #4, #5, #6.  It was
a big relief to know we could stop cracking challenges, but some of us
chose to proceed cracking some further challenges in the background

sunmd5 became a problem for us.  JtR supported it through generic
crypt() function of operating system so we needed (Open)Solaris
systems for cracking but we did not have such.  So bartavelle
implemented sunmd5 in JtR directly.  Then JimF polished it and we
attacked all hash types.

We searched for patterns.  But they were not just about word mangling
like before.  Together with challenges it filled contest with very
different tasks.  It was very interesting.

elijah found "pride and prejudice" pattern about 6 hours before the
end.  We got a perl one-liner to rip phrases and started cracking in
20 minutes.  This book was a game changer.

We tried some other books but without such results.  We got our books
from Project Gutenberg where they were in public domain.  So we did
not have problems with copyright.  Though we missed Lord of the Rings.

        Other details.

You could read more details in members' writeups:

Solar Designer
Frank Dittrich
Rich Rumble
Dhiru Kholia
Aleksey Cherepanov
Matt Weir
Me Agap1
Alexander Cherepanov

        Final words.

This year we worked as a real team.  Everyone supported and helped
each other.  Team spirit was very strong.  It was amazing experience.

The contest made us better in many ways: we improved relationships, we
got experience, we found bugs, we wrote new code.  This contest was
very smooth and interesting.  Great thanks for all that!


Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.