Korelogic Logo
"Crack Me If You Can" - DEFCON 2011
  Insidepro team 2011 has won the contest!  
Back to [Teams] [Top]

Team Phx2600


Active Members 2
Nicks AltF4, Phlak
Software John the Ripper with Jumbo patches
Hardware One i5 with 2 cores.


So, unfortunately, the Phoenix 2600 suffered from a lack of organization this year. I blame myself, as I was the one trying to do the organization. Ultimately, our team turned into a mostly one-man-show. Phlak put in a great effort near the end of day 2 to give me some NTLM cracks, but alas they weren't worth many points. We (I) also suffered from some miscommunication. When the competition started, it was postponed by an hour due to some technical difficulties. (understandable) So I was then under the ostensibly false impression that the competition would correspondingly last for an hour longer, which it didn't. [We wish we had clarified that ahead of time -Kore.] So I had a group of valuable MSCASH cracks that would have put us in 8th place that I submitted at 12:30. But oh well. I blame only myself.

The competition itself was super fun, just like last year. And all things considered, we did extraordinarily well. We actually managed to get a decent score with an astoundingly low total number of cracks, due to the rules this year.


I knew I was at a hardware disadvantage compared to probably every team, so I tried to work smarter rather than harder. Luckily, the rules this year permitted such a thing. It quickly became apparent in the competition that the higher valued hash types were worth so much more than the lower ones, that there was little point in bothering with the lower valued hashes at all.

But I needed somewhere to start, and so I ran some simple brute forces and word lists against the easy types (NTLM, etc...) to get an idea of what kind of words are being used. I noticed some interesting things:
  • Some pokemon related names

  • Every iteration of DEFCON, VEGAS, BLACKHAT, etc... (like last year)

  • But most notably there was a reasonable population of alphanumeric names. Or names with simple transforms. All 6 characters and 7, so they're easy to run through. More than that, I noticed that this same pattern wasn't just present in the NTLMs, but also in the valuable types. So that's where I went next.

I ran this pattern looking for passwords in the one of the MD5 types worth 1000 pts each, overnight. After submitting, I was in the top 8 with well fewer than a tenth of the total number of cracks than every team above or below us.

I then started looking at what hash types the top teams were working most on. Team Hashcat and InsidePro (the two real contenders for 1st place) had gotten at this point the majority of their points in the MSCASH2 hash type. There was only about 12 hours left in the competition at this point so I had to take the risk and go for it. I was starting to bleed the 1000 pt MD5 type dry of the easy pattern I found, so I switched to MSCASH2.

I had found an additional 34 of these MSCASH2 passwords, which doesn't sound like much, but happens to be worth 544,000 pts. Nearly doubling my score. In retrospect, I shouldn't have bothered with anything else but the MSCASH2 type since it was worth so much. But like I said earlier, these didn't wind up counting on the official tally.

Things I didn't get to, but should have given more resources

Knock out all the unsalted types with rainbow tables first thing. That's a great way to bootstrap the process of looking for patterns. I kind of got lucky that I found the pattern I did.

Try some of the "challenges". I never even got a chance to look at them, unfortunately. I bet they were worth a lot of points.

Use a GPU. Man, this is really the way to go in the future. Too bad my laptop doesn't have one.

Final Thoughts

I definitely look forward to performing again next year. I promise to put together a more compelling and competitive effort as well. Also, look for the Phoenix 2600 in other competitions unil then.


Please contact us if you would like more information about our services, tools, or careers with us.
Privacy Policy : Copyright 2012. KoreLogic Security. All rights reserved