Date: Fri, 05 Jul 2013 14:58:50 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-users@...ts.openwall.com
Subject: Alexander's write-up for Hashrunner-2013

Hi!

This contest for me was very similar to the last CMIYC -- the same 
hardware, the same wordlists etc. See 
http://openwall.com/lists/john-users/2012/08/13/3 .
But both days of this contest were working days and I was not able to 
dedicate all the time to it.

= Scripts

I mainly managed our server scripts for combining .pot files and 
preparing them for upload:

- converted hashes to canonical form;
- adapted server scripts from CMIYC for this contest;
- added processing of md5-broken cracks to the scripts;
- checked cracked hashes rejected by the scripts;
- checked part of the submissions rejected by organizers' server.

= Cracking

Little time was dedicated to managing real cracking. Attacks were run with
JtR against all types of hashes. The attacks were the default cracking mode
and wordlists with jumbo rules. The wordlists were generated from several
Wikipedia dumps.

As a result I found several series like 2w5x, 2xc, 33dc, 3dc, Blu3, Cd3 
with suffixes from 10 to 99 and several non-latin passwords like "God" 
in Hindi and Bengali.

Additionally I ran a short attack from Frank and recracked everything
near the end of the contest.

= Notes for organizers

Some remarks for organizers and some ideas to lessen frustration and
to make the contest more pleasant.

- Publish more info and do it in a more timely fashion: if you cannot
regularly post news on the site and want to do it via Twitter just put a
note about it on the site beforehand; if you cannot start on time just
write about it; if some files are not available (like #5 and #7) don't
show them at all or write that they are not available (so that everybody
does not have to recheck their downloaders and then check whether xanadrel
has got an answer about it on Twitter or not); etc.

- Provide all the info necessary to calculate your exact score, from the 
beginning. It's good mainly because it helps to decide what to crack and
makes it possible for teams to check that their cracks were uploaded and 
counted without errors.

- Include a test password (say, "password") for every kind of hash.
Teams can use it 1) to check that they understand hashes (padding,
number of rounds etc.) in the same way as the organizers and 2) to check
the upload process.

- You could easily register for the contest simultaneously with registration
on the conference site but it was not clear at all how to register for
the contest when you already have an account on the site.

- Make hashes (hints etc.) available to everybody without registration.

- Run the contest during a weekend.

= Thanks

I'd like to thank the organizers for an interesting contest, our team for
making the experience fun and the Laboratory of Algebraic Geometry, HSE, for
letting me use the laboratory's servers in this contest.

-- 
Alexander Cherepanov
