Tuesday, May 26, 2015

Hashrunner - PHDays 2015

If you haven't already, you must read the team write-up:
https://hashcat.net/forum/thread-4370.html (PDF).


For this year I was available all 72 hours for the contest, and as last time I was managing our list management system (known as LC).
I spent a lot of time adding new algorithms and fixing issues. The tools used to verify the hashes submitted by the team members are based on rli2 (hashcat-utils); this allows us to hash only once per plaintext and requires close to no CPU or memory (all inputs have to be sorted and uniqued, though).

Most of the algorithms are supported by a perl script maintained by philsmd, but for gost256 and gost512 I had to add a "rli2" behaviour to the gost crackers made by atom, as well as $HEX[] plaintext parsing.
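To make the sorted-merge idea and the $HEX[] notation concrete, here is an added example (not the LC code, the Perl script or rli2 itself). It assumes unsalted MD5 as a stand-in algorithm, uses an in-memory set and sort where the real tools rely on pre-sorted, uniqued files, and all function names and sample data are made up for the illustration.

```python
import hashlib

def parse_plain(field):
    """Decode one submitted plaintext; $HEX[...] carries raw bytes as hex."""
    if field.startswith("$HEX[") and field.endswith("]"):
        return bytes.fromhex(field[5:-1])   # ValueError on malformed hex
    return field.encode("utf-8")

def md5_hex(plain):
    # Assumption: unsalted MD5 stands in for whatever algorithm the list uses.
    return hashlib.md5(plain).hexdigest()

def merge_verify(sorted_targets, sorted_candidates):
    """One forward pass over two sorted, unique streams (rli2-style merge).
    Yields the (hash, plain) candidates whose hash is in the target list."""
    targets = iter(sorted_targets)
    target = next(targets, None)
    for digest, plain in sorted_candidates:
        while target is not None and target < digest:
            target = next(targets, None)
        if target is None:
            return
        if target == digest:
            yield digest, plain

def verify_submission(target_hashes, submitted_fields):
    """Return (accepted pairs, number of hash computations, rejected lines)."""
    plains, rejected = set(), 0
    for field in submitted_fields:
        try:
            plains.add(parse_plain(field))  # the set plays the role of `sort -u`
        except ValueError:
            rejected += 1                   # rejecting bad hex is this example's choice
    candidates = sorted((md5_hex(p), p) for p in plains)  # one hash per plaintext
    accepted = list(merge_verify(sorted(set(target_hashes)), candidates))
    return accepted, len(candidates), rejected

# Constructed sample data, not taken from the contest.
TARGETS = [md5_hex(b"password"), md5_hex(b"pass:word"), md5_hex(b"still-uncracked")]
SUBMITTED = ["password", "$HEX[70617373776f7264]", "$HEX[706173733a776f7264]",
             "notinlist", "$HEX[zz]"]

if __name__ == "__main__":
    accepted, hashed, rejected = verify_submission(TARGETS, SUBMITTED)
    for digest, plain in accepted:
        print(digest, plain)
    print("hashed:", hashed, "rejected:", rejected)
```

The plain and $HEX[] forms of the same password collapse to one entry before hashing, so five submitted lines cost only three hash computations here.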

When adding the lists we also had to reformat them so that hashcat could load them (oracle, pbkdf hmac...), and of course format them back so that hashrunner's site would accept them; all of that required writing code specific to each hash type.


I almost only used the well-known Wikipedia wordlist from Sébastien Raveau, some Italian and Chinese wordlists other members of the team gathered, and rules to basically do uppercase, duplicate, leetspeak and appending/prepending special chars.

Invuln challenge

I looked at the invuln challenge around the second day of the contest.
It was obvious that we could target the salts (la_encrypt() function) because they were based on the plaintexts, so I started writing a cracker for the salts in C, but was unfortunately too busy fixing LC at that time.
Later, the night between Sunday and Monday, I got back to the code (and, like every coder I think, I lost quite some time on a stupid thing, which was not using unsigned int this time).
The cracker worked great except that due to its use as the salt in sha512crypt it was a bit truncated and gave "only" the first 12 bytes of the plaintext, but that was good enough.
After running it with 2 rules on the wikipedia wordlist it gave 847 "pre cracks" in less than 3 minutes, and then using hashcat to get real plains using these base words we got 250 hashes cracked in around 30 minutes.


After the sleepless night, at around 9:00 I decided to take a little nap for 1 hour, set 2 alarm clocks at 10:00 and hit the bed.
When I woke I looked at the alarm clock in the opposite corner of the room, but I couldn't read it without my glasses. I checked the alarm clock on my bedside table... 18:45
Rush on the PC, switch screen on, F5 god damn it ! And breathe a huge sigh of relief as I see the team managed to stay on top.
Fortunately there were no more bugs or issues with LC in the meantime, but it could have been worse.
For sure I'll invest some money in good alarm clocks.


Hashrunner team for running the contest. Special thanks to atom & philsmd for the quick coding in a quite stressful situation. And obviously thanks to all team hashcat members; as always, it's an honour doing contests with you all.

Hashrunner/PHDays :