Date: Fri, 30 May 2014 00:33:02 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: team write-up for PHDays Hash Runner 2014

Hi,

Thanks for preparing this writeup, Aleksey!  Some minor
additions/corrections below:

On Thu, May 29, 2014 at 11:04:01PM +0400, Aleksey Cherepanov wrote:
> Active Members: 12
> 
> Names:
> Aleksey Cherepanov
> Alexander Cherepanov
> bartavelle
> bghote
> Dhiru Kholia
> Jose Luis Herrera
> jvoisin
> Micha Borrmann
> rofl0r
> sftp
> Solar
> ukasz

Some of us participated during part of the time of the contest only.

As we normally do it, the members list in the writeup is based on who
uploaded .pot files, no matter how many or few, how large or small.

Besides the immediate participants - those who cracked at least one
password - we also received contributions from Sayantan (lotus5-opencl,
which affected our contest score significantly), from magnum (who fixed
a nasty bug identified in bleeding-jumbo during the contest), and from
some people who ran "slave" to donate CPU time to our little cluster
(mostly used for dominosec, as a workaround for us not having dominosec
on GPU yet).

I think Sayantan's and magnum's indirect participation was at least as
valuable as that of "Active Members" above.

> Software: John the Ripper (with various patches); custom scripts on
> top of usual Linux tools like Perl and wget; Metasploit and PCredz to
> get hashes for some tasks.

I also ran ops_SIMD - http://conus.info/utils/ops_SIMD/ (my custom
build of it with some trivial changes) on some Oracle 10 hashes for
around 10 hours, but this didn't crack anything.  ops_SIMD is quite
buggy and limited, but I hope the specific build and settings that I
used would actually crack passwords if there were any within that
keyspace.

> In addition to active members listed above: magnum fixed a serious
> bug, Sayantan implemented lotus5 in OpenCL for GPU during the contest.

Exactly, and I think we should be listing such important contributors
right near the members list next time.

> Solar Designer improved lotus5 and dominosec formats before the
> contest (about 3x speed-up).

The up to 3x speedup is for dominosec only.  lotus5 was already mostly
optimized(*), so it got only a ~10% further speedup on x86-64.

(*) Short of potential major redesign, such as bitslicing (tough to
optimize the S-box expressions enough) or use of VPPERM on XOP (too
limited since we have few XOP-enabled CPUs), which we did not do.

> About 40 cpu cores were contributed by visitors of linux.org.ru.
> Thanks!

During the first evening/night of the contest only, as far as I can
tell, but yes - thanks to them!

> We found several patterns but we did not track them properly. We used
> only IRC this time unlike previous times when we used mailing list to
> share progress. We had only 1 IRC channel so it was messy. Bad
> experiment.

No problem with only 1 IRC channel, I think (as opposed to more than 1).
IRC traffic was low enough for that.  I think results would be worse
with more than 1 IRC channel, as some of us would not track all of them.

> Dhiru Kholia tried to implement "wonderful" quite long and we got an
> implementation in C but we did not get cracks. We did not try very
> precise wordlist at all. We missed the possibility to use original php
> script with minimal adoption to crack. Though Dhiru used it to produce
> test hashes.

Dhiru implemented "wonderful" as a trivial JtR format, and he was also
the one to actually try cracking hashes with it - without luck, as
Aleksey said.  My advice to Dhiru was to group hashes by their set of
underlying primitives, and attack the faster ones first (those with no
SHA-512, etc.) - but apparently that was not enough.  I guess there were
some specific patterns we should have identified from related hashes
and tried those on "wonderful", which apparently we did not.  That's
assuming that format was in fact working correctly, which we don't know
reliably (without a single crack yet).

> We used tomato wordlist from previous Hash Runner but we did not
> reduce it. (Will tomato spread as a meme outside of Hash Runner?!)

Per team Hashcat writeup, that wordlist was also relevant for the
bsdicrypt hashes, but apparently we did not run it on them.  Oops.

> Unfortunately we got results from only a few good ideas and looked
> into only a few problems. For instance we did not look into unknown
> salted md4 format. We did not have many men with time. Those problems
> we investigated were cool.

I don't even know what exactly you're referring to by those "unknown
salted md4" hashes.  Were they from the mt_rand() task (user.db)?  If
so, they are not exactly unknown, but none of us put enough time into
this task to solve it.  I did notice that PHP would be outputting
floating-point numbers in scientific notation after the three
multiplications, but somehow felt it'd be 2^53 (based on the size of
mantissa in "double"), plus a bit more from the slight uncertainty in
the exponent.  Per team Hashcat writeup, we now know it's actually 2^48
or so, and thus is even more practical to search.  I think we also
didn't locate Razor CMS, and didn't check its create_hash(), so I was
merely guessing whether/how it applies the salt (thought it'd simply
append or prepend to plaintext password, whereas apparently there's an
extra MD4 pass).  Pretty ridiculous on our part, but on the other hand I
only spent about 1 hour total on this task during the contest, and it
was hardly worth more of my time (vs. other ways I could contribute to
the team's overall effort) given its moderate points potential.  A very
nice task on its own, though!

> Problems and mistakes
> 
> - lack of people,
> - focus on all hash formats instead of just very fast at the beginning,
> - bad management of patterns and attacks,
> - I postponed phpass attacks,
> - we did not make very precise wordlists,
> - we found strange numbers in #2 but did not get cracks using them,
> - we did not look into mt_rand well,
> - we did not adapt original .php script to crack #12,
> - we did not reduce tomato wordlist to make it precise,
> - probably others. We have something to investigate. :-)

Some of this analysis is subjective, and there are definitely more
reasons why we didn't perform better.

> We are happy that the contest is not overlapped with the conference.

Yes, that was nice.  We enjoyed meeting at PHDays.

> We hope to be there again and to meet InsidePro team and hashcat there
> next time too.

Yes, it'd be nice to meet other teams.

Alexander
