Crack Me If You Can 2022 - Hashsets

CMIYC 2022 Hashsets and Bundles

All of the hash sets this year (except yescrypt) were cheap, fast, unsalted (or fixed-salt) hash types; the primary challenge wasn't cracking the password hashes, it was cracking the encrypted containers bundling them up in order to get to the hashes.

If you've ever been on a pentest and harvested dozens of PASSWORDS.XLS and AccountInfo.zip off of users desktops, you know the value of cracking a variety of encrypted artifacts in a hurry.

Various encrypted container file types were used, each containing hashes using a different weak cipher, of plaintexts that used one or more unique combination of source material (wordlist) and mutation rule(s).

Bundles Used

The bundles for Pro were:

Bundle	List	Hash Type	Points Each	Count	Total Points
7z	list0	yescrypt	100000	4	400000
web_url	list5	raw-sha384	46	6023	277058
ZIP-Big	list6	raw-sha512	43	5382	231426
PDF	list21	mysqlna	17	5043	85731
GPG	list23	raw-sha224	14	9999	139986
LoopAES	list4	raw-sha256	13	10231	133003
KeePass	list2	mssql05	9	10000	90000
soffice	list15	vBulletin	6	7805	46830
KeePass-Key	list3	nsldaps	5	10000	50000
KeePass-Key	list9	nsldaps	5	12006	60030
gocryptfs	list12	raw-sha1	5	17444	87220
zip-small	list1	half-md5	3	6029	18087
zip-small	list8	half-md5	3	14571	43713
rar	list7	raw-md5	1	5767	5767
rar	list10	raw-md5	1	7556	7556

And for Street:

Bundle	List	Hash Type	Points Each	Count	Total Points
7z	list20	raw-sha384	46	10004	460184
gocryptfs	list13	raw-sha512	43	2803	120529
rar	list14	mysqlna	17	4214	71638
zip	list19	raw-sha256	13	4997	64961
KeePass	list11	mssql05	9	10812	97308
soffice	list18	raw-sha1	5	5455	27275
PDF	list24	nsldaps	5	2000	10000
zip2	list16	half-md5	3	2766	8298
GPG	list17	raw-md5	1	2933	2933

Wordlists and Rules Used

Naaaah. Come back later. Sometime after the contest has ended, we will reveal more information about the ideas / wordlist sources / mutation methods used in the different lists.