Team hashcat
Resources
| Active Members | 14 |
|---|---|
| Nicks | |m|, atom, blaz, d3ad0ne, Superjames, K9, legion, MKv4, pure_hate, Radix, Rolf, T0XlC, Xanadrel, Dakykilla |
| Software | oclHashcat suite, John the Ripper, egb, pwp, and others |
| Hardware | 84 CPU cores (+ some hyperthreads), 46 GPUs |
Preparation
We spent a lot of time getting ready for this years contest in order to improve some of the things we felt went wrong last year. The main thing was organization. We were madly sending text files around via email, ftp, ssh and whatever else we could use and it was extremely unorganized. This year Superjames spent a vast amount of time creating a web application which tracked algorithms, uploads, found, not found, dictionary analysis and a variety of other information which we have deemed important over the last few years of cracking. This application made the entire contest a breeze to get organized and was a invaluable asset to the team.During the Contest
Since we knew that this year's competition was not about total number of cracked passes but more like the weighting of the hash-type, we did not attack the usual suspects like MD5, NTLM oder SHA1. We immediately started to go for the hard ones, especially that ones that are supported by oclHashcat-plus such as md5crypt and phpass. Both of the hashes gave 1000 points each and are fully supported. Additionally we had an defcon edition of oclHashcat-plus that also support {SHA}, {SSHA}, raw SHA1, MySQL. This version was specificly coded for the contest since we knew the guys from KoreLogic would pick hash types which were not supported by current GPU proccessing. The rest of the team set out to find how the passes were generated. We quickly spotted the dates first, so we took the maskprocessor and ran it with-1 .-/ -2 0123 ?2?d?1?2?d?1?d?d. Soon we realized those masks are mostly used in all
the algorithms. So it looks like that if you find one mask, you just have to run it on all the
algorithms to get the most out of it.Adding mscash2 Support
We realized that mscash2 gave so many points, but it's freaking slow. The only tool that supported it was John and latest omp build gave me only 545/s on my 4200+. On a Intel 17 965 Extreme we were only getting about 75/s which was seriously slow. We started to attack the Mscach2 and were able to recover a few but not enough to put us in the lead. At this point the contest had been running for about 12 hours and the first stats came up we saw that the other teams we making a run at the mscash2 hashes. We had no choice. since our focus is utilizing the GPU rather than the CPU. so Atom stopped all cracking and focused on implementing the mscash2 algorithm for the -plus version. He started with the AMD version because most of the people on the team were using AMD gpus. About 6 hours later we had our first working version but it was painfuly slow. 18000/s on my hd6990. It was however, at least 30 times faster than jtr's CPU-only version.The rest of the team started using it to crack while Atom spent his time optimizing it a bit. Atom found out that it's possible to precompute 2/4 sha1 transforms of the PBKDF2. This and some other relevant optimizations lead to an end result of 112k/s on an stock clock hd6990.
At this point we started looking for patterns in the mscache2 since it was obvious the same patterns we present in all the hash types. Once a pattern was found it was used to attack all the other algoritms. About 8 hours before deadline Atom decided to port the mscash2 to nvidia. Once a beta version of this was done it was sent to radix who has a nice 7 gpu nvidia rig and the results kicked in massive. we got about 115 mscash2 in a single 10 minute run.
It was at this point we realized there must be a bug in the AMD version since the Nvidia version worked perfectly so Atom dropped back out of cracking to hunt down the bug. It took about 6 hours to find out that a sizeof() used the wrong datatype. Atom fixed it but at this point we only had about 30 minutes left. So we uploaded the new amd kernel to D3adone's GPU cracking box which is a an 8 x hd6970 rig, At this point we were now making 450k on mscash2. We started with 545/s and now we are at 450k/s.
Last Minutes of the Contest
In the last 20 minutes we found 30 more mscash2. We uploaded them but then Korelogic cut off the line while we were still finding more and more mscash2. 10 minutes after deadline we had 15 more mscash2 but it was to late. We are very happy to get a honorable second place and congratulate the Inside Pro team on a good battle.Final Thoughts
This contest showed that oclhashcat-plus has the potential to be one of the best and most versatile crackers. We just need to add more algorithms and keep them secret from Minga. We could crack only 50% of the algorithms with hashcat tools, so the plan is now to add more algorithms to oclHashcat-plus. Expect a new version soon which will support:- SHA1
- MySQL
- SHA-1(Base64)
- SSHA-1(Base64)
- MSSQL(2000)
- SHA256
- Oracle11g
- mscash2
- MSSQL(2005)
| Name | CPUs | GPUs | OS | Software in Addition to *hashcats |
|---|---|---|---|---|
| |m| | Q6600 x 1 | 5870 x 1 | XP 32 | |
| atom | AMD Athlon 64 X2 6000+ | HD6990 | Linux 64 | jtr |
| blaz | i7 930 + AMD X6 1035T | 9800gtx + 6570 | Win7 64 | jtr, egb, pwp |
| d3ad0ne | x5650 x2, 980x x1 | 6970's x8, GTX 480's x4 | Linux 64 | jtr |
| Superjames | i7 860 | 5870 x 2 | Linux 64 | jtr |
| K9 | E8400 | 4870 | Win7 32, Win7 64 | pwp, ighash |
| legion | Q6600 x 2 | 8800 gts x 1 | XP 64, Win7 64 | pwp, egb |
| MKv4 | 3.1ghz x2 | HD5770 | Win7 x64, Linux x64 | ophcrack, pwp |
| pure_hate | i7 965 Extreme | 6990 x 3 | Linux x64 | jtr |
| Radix | 2x E5645 1x 1055T | GTX 580 x 7 5870x2 | Linux x64 | |
| Rolf | T1090 | GTX 480 x 2 | Win7 x64 | pwp, egb, Accentsoft |
| T0XlC | 1x E5504 | GTX480 x 1 | Win7 x64 | pwp, egb |
| Xanadrel | i7 950 | 5770 x 1 | XP 32 | jtr |
| Dakykilla | i7 965 Extreme | 6990 x 3 | Linux x64 | jtr |