Back to Top
As a part of an authorized penetration test of a company's
internal corporate network and external e-commerce websites,
you have captured a large number of password hashes. The hashes
are from Active Directory, UNIX systems, LDAP servers, various web
application and/or forums, routers, etc. As part of your analysis,
your client has asked for password complexity statistics, what their
users are doing right and/or wrong related to generating passwords,
and identification of weak passwords. You only have 48 hours to
complete this effort.
At the start of the contest, KoreLogic will release a file containing
thousands of password hashes. The file will contain hashes of varying types (such
as MD5, Salted MD5s, Blowfish, SHA1, SHA256, SSHA, DES, NTLM, etc.) and will range from being "easy" to
extremely difficult to crack. The password file is not simply randomly
generated passwords, which would favor the person or group with the most GPU/CPU
bruteforcing horsepower. Instead, the password file contains passwords based on
what we believe are challenging patterns. Passwords will be of varying lengths,
patterns, and complexity. Creative password cracking techniques, rules,
dictionaries, and tools will be needed. The teams who are smart about the
methods they use (i.e., teams who can crack more, with less work) will most
likely be the most successful.
The goal of the contest is simple: score the most points.
Points are scored in several ways:
- Each cracked password is worth some points (more points each, for harder/slower
hash types). For example Raw-MD5, NTLM and SHA1 hashes are only worth 1 point.
But, DES hashes are worth much more.
- Bonus points for having the most hashes of a specific type (the most FreeBSD MD5,
the most NTMD4, etc).
The points per hash type, account type, and bonuses will be announced soon.
Teams must provide their results directly to KoreLogic prior to the end of the
48 hour contest window. (See the HOWTO for details on how to submit.)
- You MAY use as many systems/cores/CPUs as you wish.
- You MAY use systems NOT located at DEFCON.
- You MAY work with other team members not attending DEFCON.
To be eligible for a prize, your team must have at least one team member physically attending.
- You MUST ONLY use systems that you are authorized to use.
- You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
- You MUST NOT attempt to interfere with the efforts of another team.
- You MUST NOT attempt to steal passwords from or techniques/methods used by another team.
- To be eligible for a prize, you MUST agree to share your techniques / methodologies and describe the resources/tools used to crack the passwords.
- KoreLogic staff are not eligible for the contest.
- The file containing the password hashes will not be released until the start of the contest.
Any violation of the rules will result in immediate disqualification from the contest. Any illegal activity will be reported.
Differences from the 2010 Contest:
Please note the following differences from the 2010 contest
- More points for more complex hashes.
- Bonus points for being the team that cracks the most of each hash type.
This will be determined at the _end_ of the contest by KoreLogic.
- The introduction of "challenges". These challenges are worth LARGE
amounts of points. The contest cannot be won without winning at least
some of these challenges. Be aware that some of the challenges are
2-step challenges. And you must pass both challenges to be awarded
points. (This will be obvious once you see the challenges).
- The hashes for the contest will not be delivered in a .txt file.
During the contest, KoreLogic will publish updated scores as often as possible.
After the contest ends, KoreLogic staff will validate each submission and will
announce the winning teams on Sunday, (time TBD). The eligible team with the
highest score will be the winner. If there is a tie in total points, the team
that submitted their entry first will place higher.
KoreLogic will present the winning team's results, which will include what
passwords were cracked and what passwords were not. The winning team will be
required to present their techniques/methodologies, describe the
resources/tools used to crack the passwords, and describe any lessons learned
(arrangements can be made for the camera-shy).
At the conclusion of the contest, KoreLogic will:
- Announce the winners and award the prizes.
- Release the entire password list.
- Provide statistics on which types of passwords were totally missed by all teams.
KoreLogic will be giving away the following prizes for first, second, and third place:
- First Place: $600 (or equivalent item)
- Second Place: $300 (or equivalent item)
- Third Place: $100 (or equivalent item)
We will be announcing more details soon. In the meantime,
please contact firstname.lastname@example.org
with any questions