Category Archives: Gamification

Hash Runner CTF – 2015

Image retrieved from Hack Days (PHD) is a well-known conference that is organized since 2011 by the company Positive Technologies. The PHD conference is held annually at Moscow and every year contains great talks and even greater CTF  – Capture the Flag – challenges. One of the CTF challenges is called Hash Runner. This year Hash Runner was held during the last weekend. Hash Runner is a hands-on exercise where the participants are given the chance to test their skills at cracking passwords. Basically, there is a list of hashes available at the beginning of the contest. These hashes have been generated using a variety of algorithms and different password complexity schemes. It’s the participants job to guess the password by only having the password representation that was produced using one of the algorithms.  As soon as there is a match it should be submitted to the contest. Points will be given according to the difficulty/cost of computing such the algorithm that produced the hash. For example computing LANMAN, MD5 or SHA1 hashes will give you the less points. On the other hand, algorithms such as HMAC-PBKDF2-SHA512, Bcrypt or GOST-512 will give you the most points but they are very resource intensive to compute.

Anyone could take part of the CTF and join a team or participate alone. Of course if you are in a team you will have more chances to succeed. Every year teams such as Hashcat, InsidePro and John-Users – that are well known for their computing power and very smart people – participate to dispute the first place.

This year I had the chance to participate. Thanks to Aleksey Cherepanov and Solar Designer  – Alexander Peslyak – for accepting me in John-Users team.

The attempt to recover a password just by knowing its encrypted representation can be made mainly using three techniques. Dictionary attacks, which is the fastest method and consists of comparing the dictionary word with the password hash. Another method is the brute force attack, which is the most powerful one but the time it takes to recover the password might render the attack unfeasible. This is of course dependable on the complexity of the password and the chosen algorithm. Finally there is the hybrid technique which consists of combining words in a dictionary with word mangling rules. This technique is one of the strengths of JtR. The only tool used by John-Users during the all contest.

The team with the biggest muscles have an advantage to win the competition due to the resources that they have at their disposal. Having a GPU monster like Brutalis will definitely help. However, brains are also important to find patterns and logic behind the password generation which will increase the likelihood to find passwords generated with demanding computing algorithms. Nonetheless, this year there were notable coding efforts that needed to be made to support different encoding formats, salts and algorithms. This adds excitement and an extra challenge to the competition. Here is where my skills lack however it was noteworthy to see throughout the all contest very smart people working extremely hard developing on-the-fly code to JtR.

In addition during the contest there were bonus hashes that will give you extra points. This bonus hashes will be available to the teams when they reach a certain threshold in their score – great to see the organizers adding this different levels to the contest format.

This type of events are very good to practice information security skills. In this particular case was great in order to understand and learn more about passwords, algorithms, John the Ripper and learn from experienced team members. Bottom line we got silver medal and Hashcat won gold – here the last scorecard.

Great fun, excellent learning exercise, great team!

Tagged , , ,


NetWars logo used with permission from SANSUser engagement, return on investment and learning. Those are key benefits of gamification. Gamification might be a new term but it has been used on specific industries since years. One example is the militaries that have been using games, challenges and simulations to resolve problems and engage audiences.  NATO is considering gamification using the Internet. The Office of Naval Research a department from the US Navy recently ran a Massive Multiplayer Online Wargame Leveraging the Internet. Deloitte call it the engagement economy.

Gabe Zichermann and Christopher Cunningham on the preface of their latest book wrote that “Simulation and gaming is a promising, and rapidly-expanding, field of study. This new methodology is being adopted in a wide variety of disciplines. Complicated computer models have helped inform everything from finance to engineering, a new wave of “serious games” have begun to change the way we think about gaming as a told for learning, and true-to-life simulations have changed the way professionals train for intensive, on the job-skills.”

Then, how can we use and apply gamification to information security? Well, learning information security skills through gamification is what this post is about. And is where NetWars comes in. NetWars is a product from SANS and it illustrates how gamification can be used to help you increasing your information security skills. The concept is not new and there are others. Similar is the Overthewire and Smasthestack challenges, which are also known as capture the flag or wargames. However, NetWars was made by Ed Skoudis. That alone is already a differentiator. Last year at London, SANS hosted the first EMEA Netwars tournament session. It consisted of 5 levels, where each one consists of several challenges that will give you points from 1 to 15 based on its difficulty. To be able to pass to the next level you need to reach a certain threshold. The levels are designed to help participants develop skills areas such as Vulnerability Assessments, System Hardening, Malware Analysis, Digital Forensics, Incident Response, Packet Analysis and Penetration Testing.

Should business leaders invest in this type of simulations to train their employees? Absolutely, the marriage between pedagogy and technology is a fact. In addition from a pure return on investment, employee training might be the best business expense.  According to Professor Bartel, who is the Director of Columbia Business School’s Workforce Transformation Initiative and an expert in the field of labor economics and human resource management. The estimated return on employee training range from 7% to 50% per dollar spent and on two specific case studies it can grow with returns of 100% to 200% on investment. Further details on her paper “Measuring Employer Return on Investments in Training”.

To give you an example on how gamification can be used to engage people and learn. You might remember, back in 90s, there was a famous video game called Where in the World is Carmen Sandiego?. The game challenges player to track the thief who is hiding out in one of 30 cities using a world almanac as investigative tool (for example, “What country uses keroner as its currency?  Check your connections to find out which cities the thief might have fled to). The game basically teaches you knowledge of world geography and cultures.

But back to NetWars and his director, Ed Skoudis, check his presentation on “Using InfoSec Challenges to build your skills and career”. Among others the presentation describes the benefits of gamification information security challenges. The presentation also provides guidelines on how to develop your own challenges and simulations.

Teaching and training systems like NetWars are designed to mimic real life situations. In this case it represents real-world security issues with their respective flaws and resolutions on an  interactive and hands-on laboratory environment. Historically books contain theories and examples. But with simulations, challenges and games, the dynamic and a temporal element can be added. It will also allow difficult concepts to be vibrantly illustrated.

Zichermann, Gabe; Cunningham, Christopher (2011) : Gamification by Design : O’Reilly
Information Resources Management Associations (2011) :Gaming and Simulations : IGI Global

Tagged , , , , , ,
gb_master's /dev/null

... and I said, "Hello, Satan. I believe it's time to go."

Source Code Auditing, Reversing, Web Security

Finding Hidden codes in the software

BruteForce Lab's Blog

security, programming, devops, visualization, the cloud

Count Upon Security

Increase security awareness. Promote, reinforce and learn security skills.

Naked Security

Computer Security News, Advice and Research

Didier Stevens

(blog \'DidierStevens)


Adventures in double-clicking malware / by Anuj Soni

Rational Survivability

Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation.

SANS Internet Storm Center, InfoCON: green

Increase security awareness. Promote, reinforce and learn security skills.


Increase security awareness. Promote, reinforce and learn security skills.

Schneier on Security

Increase security awareness. Promote, reinforce and learn security skills. Blog

Increase security awareness. Promote, reinforce and learn security skills.

Lenny Zeltser

Increase security awareness. Promote, reinforce and learn security skills.

Krebs on Security

In-depth security news and investigation