• 07 Aug
    Crack me if you can

    It was an absolute blast to participate in the Crack me if you can at Defcon. The KoreLogic team did an amazing job both preparing and running the contest. The organizers managed to keep the contest competitive while at the same time promoting information sharing and community feel with regular participant meetings. Using hardware, software and strategy below I was able to place 4th in the contest.


    At the time the "Crack Me if You Can" contest was announced, I was working on a survey of available password cracking techniques, hardware, and software. My initial (and really naive) approach to password cracking was to find the fastest software/hardware bruteforcer combination and call it a day. This quickly changed once the contest was announced and a practice sample of 17000 ntlm hashes released before the competition. After days of bruteforcing, only 50 passwords were cracked! It was clear that smarter password cracking techniques had to be developed in order to compete.

    One of the first things I did was to analyze a list of leaked passwords from the RockYou hack. Next I spent days analyzing JtR password generation rules, that's when I ran across Minga's research into using RockYou password list as a basis for the new JtR incremental mode charset, which turned out to be very effective during the contest. While searching for more advanced JtR rules, I found a very informative blog by Matt Weir: Just in time for the competition, Matt posted his PhD. dissertation on using probabilistic techniques in password cracking. The above work was truly revolutionary for me and served as an essential foundation for all future research.


    A custom machine was built a week before the contest based on ATI's powerfull 5970 video card. Setting up ATI 5970 was truly a pain due to buggy drivers that broke more things than they fixed with each release. However, 5970 is a pure 6TFLOP beast, so I played along. It was truly a miracle that days before the competition, ATI released updated Catalyst drivers permitting the use of the second core!


    The most amazing piece of software used for the cracking was undoubtedly oclHashcat developed by atom. The tool's mask based attack rules combined with GPU accelerated cracking have truly revolutionized the password cracking field. I have also included Ivan Golubev's ighashgpu GPU cracker for pure brute-forcing. Ivan was kind enough to release the much needed NTLM multi-hash support for ighashgpu days before the contest. At last, the classic John the Ripper was used for password hashes not supported by the other crackers (e.g. DES).

    Armed with the previous research on password cracking techniques, I started the development of password analysis and mask generation toolkit that was used to generate rulesets for oclHashcat and JtR capable of cracking 50% of RockYou based passwords with a time limitation of two days. The ruleset was used during the competion with a high level of success - the majority of NTLM hashes were cracked within the first 12 hours. The password analysis toolkit, custom rulesets, as well as guides on tool usage and installation will be released soon.

    Several dictionaries were compiled before the contest. Three particularly powerful dictionaries were wikipedia-wordlist-sraveau-20090325.txt, InsidePro Big Dictionary, Alter-Hacker wordlists (currently available on Korelogic's site here: In order to compress all collected dictionaries, I ran them through several iterations of unmangling and normalization rules.


    During the competition we have received a large file with various types of password hashes. After splitting up the hashlist into individual hash types, it became quickly apparent that the majority of effort should be dedicated toward NTLM, followed by SSHA, Unix DES, and Unix MD5. Other hash types were left to be cracked toward the end of the contest due to either hash complexity or the total number of hashes.

    While mask and dictionary based password cracking attacks yielded the most passwords, I decided to keep a separate GPU core running several pure bruteforcing iterations which produced several thousand purely random passwords which could not have been cracked by other attack types.

    Password cracking was evenly distributed across three GPU cores and 8 CPU cores as follows:

    • 5970 Core #1 - oclHashcat Mask and Combinator attacks against NTLM (Cracked about 11000 NTLM Hashes)
    • 5970 Core #2 - ighashgpu running a series of bruteforcing attacks against NTLM (Cracked about 4000 NTLM Hashes) Tesla - oclHashcat Dictionary attacks against NTLM (Cracked about 13000 passwords)
    • 4 CPU Cores - hashcat running various rulesets against NTLM, SSHA, SHA (NTLM: 5000 passwords, SSHA: 1600 passwords, SHA: 300 passwords)
    • 4 CPU Cores - JtR session against *nix password hashes. (Cracked about 2000 UNIX-DES and UNIX-MD5 passwords)

    There was a lot of overlap for NTLM hashes as each card executed different attacks, but you can tell that a relatively slower Tesla was able to crack the most passwords due to high success rate of dictionary attacks.

    As the contest progressed and the number of cracked hashes slowed down, I had to adapt by recycling already cracked passwords and coming up with new rules. I have used the same demangling scripts used in dictionary generation.

    Overall, the contest really pushed the envelope on password cracking. The key advances that helped make the contest more competitive was the popularization of GPU cracking as well as advanced study in to the way people generate passwords which can be expressed as simple masks.


    password analysis and cracking kit

    Download PACK-0.0.4.tar.gz
    Size 68.8 KB
    DateAugust 8th, 2013

    PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists and enhancing cracking of passwords using password pattern detection. It can be used to reverse word mangling rules, generate source words, optimize password masks, craft policy attacks, etc. for the Hashcat family of tools. The toolkit itself is not able to crack passwords, but instead designed to make operation of password crackers more efficient. Read more.

    08 aug
    smarter password cracking with pack

    Last week I gave a talk during the Password '13 security conference on various password analysis and pattern detection attacks using the Password Analysis and Cracking Kit. You can download slides for the presentation here.

    The conference itself was an absolute blast with great organization by Per Thorsheim and Jeremi Gosney. The conference gathered a fascinating crowd which spawned hours of great discussions on password security, cryptography, politics and everything in between. However, I especially enjoyed meeting in real life with many members of Team Hashcat.

    Team Hashcat had another great run at the CMIYC during Defcon where we placed 2nd. As always I ended up spending most of the conference in the hotel room or the chill room at Defcon, but that's part of the fun doing contests. Russia-based team Inside-Pro placed first by scoring more points on harder hashes, молодцы ребята!

    Today, I have finally finished writing documentation for the many changes and adding the final polish to the next release of PACK 0.0.4. There should be noticeable performance bumps for all of the tools in the toolkit especially Rulegen which is now finally using multiple CPU cores. You should also try out the completely rewritten 'maskgen' which is now capable of generating highly optimized mask collections for use with Hashcat suite of tools (see presentation slides above for more details). Enjoy and most importantly have fun with password cracking! Read more.

    automatic password rule analysis and generation

    The field of password cracking has evolved by leaps an bounds over the last decade with the introduction of new cracking techniques, more advanced software and significantly faster hardware. One area which I find most fascinating is rule-based cracking. An attacker can develop a set of word mangling rules (e.g. substitute all 'a's to '@'s, upper-case every third letter, etc.) in order to attack non-random passwords which use slightly modified dictionary words. The purpose of this research is to develop an automated method of analyzing a large body of leaked passwords in order to come up with a list of frequently used words and rules to make up passwords. Read more.

    hackers 95

    Hackers 95 is an independent documentary by Phone-E and RF Burns shot during the summer of 1995. The documentary covers hacker happenings during that summer including Summercon and Defcon III. There are plenty of interviews and random clips from these two conferences. The documentary also includes a separate segment on Area 51 as well as a Secret Service press release on Operation Cybersnare. Read more.


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.