The Home of the Security Bloggers Network
Home » Security Bloggers Network »
— Hashes cracked from the KoreLogic CMIYC 2023 competition
In the previous two posts on the CMIYC competition [Part 1, Part 2], I had focused on how to integrate data science tools into your password cracking workflow and showed how to crack passwords on limited hardware (E.g. my laptop without using a GPU). Of course it’s better to have some firepower to crack hashes! One of the hurdles to overcome is I don’t have a lot of firepower at my disposal. Despite being super interested (OK, obsessed) about password cracking, I’ve never invested in a dedicated cracking rig. Still, when I do get serious about cracking passwords I turn to Hashcat and GPU based attacks to do the heavy lifting even if I only have a single NVIDIA GeForce GTX 1070 GPU. That’s still significantly faster than trying to run CPU only attacks.
To that end, let’s talk about how to leverage Hashcat when competing in these competitions. Full disclaimer: I’m going to go full spoiler in how I’m approaching my cracking. At this point, I’ve been running cracking sessions way longer than the competition would have lasted if I had competed. Also, I’ve been on the various Discord and Twitter conversations about the contest this year and know how the hashes were generated. Heck, KoreLogic even posted themselves how they created the challenges [Full Spoiler Link]. So I’m not going to even pretend that this post represents how I would have done. Instead I want to focus on “given what we know, how can someone use Hashcat to crack those hashes”.
What this really means is that to support both John the Ripper and Hashcat, I now have two sets of hash lists and two sets of pot files. It would be nice to incorporate some scripts in my Juypter Notebook to sync up both of the pot files between them so I’m not cracking the same hashed password twice. Given that’s a rabbit hole which would totally side-track any hash cracking, I’m going to push that project off for another day. For now I’m just going to use Hashcat, and I modified my Notebook to support the Hashcat file formats, (mostly by copying and pasting the JtR code into another cell and then making small modifications). Once again, this is one of the super-powers of using Jupyter notebooks. I can load up my JtR cracked hashes, then write and load up my Hashcat plaintexts, and perform analysis on both in a very short period of time. It’s not pretty but it works.
You probably don’t have the GPU power to brute force 8-9 character passwords during the contest, and you certainly don’t have that for the high value hashes that are worth a lot of points Therefore to be successful in a contest with Hashcat Masks you need to tailor them to find gaps in base-words or mangling-rules that you have already identified. I talked about this earlier with the attacks I ran using John the Ripper in Part 2 of these write-ups. For example, if you were looking to find more base-words for Sales passwords where many of them started with ‘2023’ and ended with a special character, then you could try something like:
Breaking this file format down:
Generate wordlist command:
The problem for me is that workflow is manually intensive, time consuming, and quite frankly boring as hell. During a competition it can be fun to get that dopamine hit as you crack new bcrypt hashes. After the contest, I’m simply wasting time while running up my power bill. So the question is, can I automate this at all? My power bill will still be high, but at least then I can watch new episodes of Asohka vs. staring at my computer screen! How about I train my PCFG guess generator on cracked passphrases and let it crunch away at generating guesses? I mean, it worked for the Hashcat team! [Link].
*** This is a Security Bloggers Network syndicated blog from Reusable Security authored by Matt Weir. Read the original post at: https://reusablesec.blogspot.com/2023/08/hashcat-tips-and-tricks-for-hacking.html