Writeup CMIYC 2015

On 7-8 August 2015 I participated in the john-users team as trebla during the annual Crack Me If You Can contest at DefCon. John-users used only John the Ripper, not hashcat or other tools.

Only two team members were actually present at DefCon, the rest of us participated from home. Coordination between members was done through a dedicated contest server with an ssh account for each member, shared pot, wordlists and results directories and an IRC chat. Member ch3root wrote a script to go through pot files every other minute, calculate statistics and put cracked and uncracked hashes under results. A separate script uploaded the results to the contest server.

Hash types

  1. nt – very fast
  2. nsldap – very fast
  3. raw-sha512 – fast
  4. salted-sha1 – medium
  5. descrypt – medium
  6. md5crypt – medium
  7. sha512crypt – slow
  8. bcrypt – very slow
  9. scrypt – very slow

Dictionaries

In the first phase I ran the usual dictionaries, rockyou etc. Member csec uploaded some dictionaries from aspell. On day 2 Eternal found the following dicts on github:

git clone https://github.com/titoBouzout/Dictionaries.git

Some words in the .dic files had /xx appended. Command line to strip that and put the results in dicts:

mkdir dicts
cd Dictionaries
for d in *.dic; do
  # drop everything from the first slash to end of line, then dedupe
  sed 's/\/.*$//' "$d" | \
  ../unique "../dicts/$d"
done

(unique comes with JtR; it works better than the Unix uniq tool since it needs no sorting)

Rules

I ran the dictionaries with the JtR rules Single, Jumbo, o and i for the fast hashes: Single for large dictionaries; Jumbo, o and i for small dictionaries. See john.conf for rule definitions. You can add your own rules in john.local, see doc/RULES for syntax.

Then I ran some brute force masks, like ?a, ?a?a, ?a?a?a etc. I concentrated on hash types 1-6. The last ones were too slow, so you needed a very specific pattern to make progress there.

After a while members began uploading pot files to the server. I made a script to get all words from all pot files:

rm -f tmp.txt
cat share/*.pot | sed 's/^[^:]*://' | unique tmp.txt
iconv -c -t UTF-8 < tmp.txt > allwords.txt

Then I repeated the dictionary phase, but now using allwords.txt as dictionary.

Custom charset

When my pot file had grown large enough I created a custom charset from it:

./john --make-charset=custom.chr --pot=cmiyc2015.pot

and copied custom.chr to 4 different computers, running incremental on different hashtypes:

./john --incremental=custom <arguments>

UTF-8

After a while it became obvious there were random UTF-8 characters inserted into the passwords that were cracked, like ¹, ³, ã, á, ë, é, è, ê, Э, э, ٤, ó, Я, л, ¤ etc.

Since I am not very good at writing custom rules I wrote a C program to insert these characters at each possible position of every password in a dictionary.

./permute allwords.txt > all_utf.txt

For instance, if one of the words in the wordlist is Password and one of the characters in the UTF-8 list is Я, then that particular "insert combination" becomes:

ЯPassword
PЯassword
PaЯssword
PasЯsword
PassЯword
PasswЯord
PasswoЯrd
PassworЯd
PasswordЯ

Note. I plan to improve the permute program to take a list of UTF-8 characters from a separate file instead of hardcoding the list. (And permute is not a very good name for the program, since permuting means shuffling letters around, but I was in a hurry.)

After creating the all_utf.txt file I repeated the dictionary process (with rules) using all_utf.txt as dict. This last step, permute on allwords.txt, was particularly successful.
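As an added example (not the author's permute program, and not part of the original post), here is the same insertion step in Python, together with the pot-file word extraction from the earlier section. It takes the character list from a file or a list as the note above plans, works on code points so existing multi-byte characters such as ñ are never split, and drops invalid UTF-8 bytes in pot lines the way iconv -c does. The character list below is constructed from the ones named in the text; the file layout (one character per line) is an assumption.

```python
"""Wordlist expansion by character insertion (added example, not the
writeup's own C program)."""
import sys
from typing import Iterable, Iterator, List

# Constructed from the characters the writeup mentions; any list works.
EXTRA_CHARS: List[str] = [
    "¹", "³", "ã", "á", "ë", "é", "è", "ê",
    "Э", "э", "٤", "ó", "Я", "л", "¤",
]


def words_from_pot(pot_lines: Iterable[bytes]) -> Iterator[str]:
    """Yield the plaintext of each pot line (everything after the first
    colon). Bytes that are not valid UTF-8 are dropped, like `iconv -c`."""
    for raw in pot_lines:
        raw = raw.rstrip(b"\r\n")
        _hash, sep, plain = raw.partition(b":")
        if not sep:
            continue  # no separator: not a pot line, skip it
        yield plain.decode("utf-8", errors="ignore")


def insert_everywhere(word: str, chars: Iterable[str]) -> List[str]:
    """For each char, return word with that char inserted at every
    code-point position, from before the first to after the last."""
    out = []
    for ch in chars:
        for i in range(len(word) + 1):
            out.append(word[:i] + ch + word[i:])
    return out


def expand_wordlist(words: Iterable[str], chars: List[str]) -> Iterator[str]:
    """Stream every insert combination for every word. No dedupe here:
    pipe the output through JtR's `unique` as the writeup does."""
    for w in words:
        yield from insert_everywhere(w, chars)


def load_chars(path: str) -> List[str]:
    """Read one character per line; blank lines are ignored (assumed layout)."""
    with open(path, encoding="utf-8") as f:
        return [line.strip() for line in f if line.strip()]


if __name__ == "__main__":
    # usage: python insert_chars.py allwords.txt [chars.txt] | ./unique all_utf.txt
    chars = load_chars(sys.argv[2]) if len(sys.argv) > 2 else EXTRA_CHARS
    with open(sys.argv[1], encoding="utf-8", errors="ignore") as f:
        for candidate in expand_wordlist((l.rstrip("\n") for l in f), chars):
            print(candidate)
```

The output grows to (word length + 1) × (number of characters) lines per word, so for a large allwords.txt it is best streamed straight into unique rather than collected in memory.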

Other members

See separate writeups. I didn't keep track of what everybody was doing all the time, but noticed for instance that solardiz (initial author of JtR) was running the hard (slow) hashes the last day and aleksey did a good job keeping the team together. Other members were Kai, lei, royce, csec, nugget, jfoug, fdukasz, wucpi, ch3root, dhiru, bghote, math07, sergey, neriah7, frank and Eternal. I probably forgot someone too. Frank, neriah7 and csec contributed most cracks by number. But slower hashes, like those solardiz cracked, gave higher points.

Results

Congratulations to Team HashCat who won the contest. John-users, which spent the first day in 3rd place, finished in 4th place. See all results.

Other writeups


About albertveli

Digging programmer.
This post was filed under CTF, Programming.
