Positive Hack Days (PHD) is a well-known conference that is organized since 2011 by the company Positive Technologies. The PHD conference is held annually at Moscow and every year contains great talks and even greater CTF – Capture the Flag – challenges. One of the CTF challenges is called Hash Runner. This year Hash Runner was held during the last weekend. Hash Runner is a hands-on exercise where the participants are given the chance to test their skills at cracking passwords. Basically, there is a list of hashes available at the beginning of the contest. These hashes have been generated using a variety of algorithms and different password complexity schemes. It’s the participants job to guess the password by only having the password representation that was produced using one of the algorithms. As soon as there is a match it should be submitted to the contest. Points will be given according to the difficulty/cost of computing such the algorithm that produced the hash. For example computing LANMAN, MD5 or SHA1 hashes will give you the less points. On the other hand, algorithms such as HMAC-PBKDF2-SHA512, Bcrypt or GOST-512 will give you the most points but they are very resource intensive to compute.
Anyone could take part of the CTF and join a team or participate alone. Of course if you are in a team you will have more chances to succeed. Every year teams such as Hashcat, InsidePro and John-Users – that are well known for their computing power and very smart people – participate to dispute the first place.
This year I had the chance to participate. Thanks to Aleksey Cherepanov and Solar Designer – Alexander Peslyak – for accepting me in John-Users team.
The attempt to recover a password just by knowing its encrypted representation can be made mainly using three techniques. Dictionary attacks, which is the fastest method and consists of comparing the dictionary word with the password hash. Another method is the brute force attack, which is the most powerful one but the time it takes to recover the password might render the attack unfeasible. This is of course dependable on the complexity of the password and the chosen algorithm. Finally there is the hybrid technique which consists of combining words in a dictionary with word mangling rules. This technique is one of the strengths of JtR. The only tool used by John-Users during the all contest.
The team with the biggest muscles have an advantage to win the competition due to the resources that they have at their disposal. Having a GPU monster like Brutalis will definitely help. However, brains are also important to find patterns and logic behind the password generation which will increase the likelihood to find passwords generated with demanding computing algorithms. Nonetheless, this year there were notable coding efforts that needed to be made to support different encoding formats, salts and algorithms. This adds excitement and an extra challenge to the competition. Here is where my skills lack however it was noteworthy to see throughout the all contest very smart people working extremely hard developing on-the-fly code to JtR.
In addition during the contest there were bonus hashes that will give you extra points. This bonus hashes will be available to the teams when they reach a certain threshold in their score – great to see the organizers adding this different levels to the contest format.
This type of events are very good to practice information security skills. In this particular case was great in order to understand and learn more about passwords, algorithms, John the Ripper and learn from experienced team members. Bottom line we got silver medal and Hashcat won gold – here the last scorecard.
Great fun, excellent learning exercise, great team!
Count Upon Security 