Korelogic Logo
"Crack Me If You Can" - DEFCON 2011
  Insidepro team 2011 has won the contest!  
Back to [Teams] [Top]

Team hashcat


Active Members 14
Nicks |m|, atom, blaz, d3ad0ne, Superjames, K9, legion, MKv4, pure_hate, Radix, Rolf, T0XlC, Xanadrel, Dakykilla
Software oclHashcat suite, John the Ripper, egb, pwp, and others
Hardware 84 CPU cores (+ some hyperthreads), 46 GPUs


We spent a lot of time getting ready for this years contest in order to improve some of the things we felt went wrong last year. The main thing was organization. We were madly sending text files around via email, ftp, ssh and whatever else we could use and it was extremely unorganized. This year Superjames spent a vast amount of time creating a web application which tracked algorithms, uploads, found, not found, dictionary analysis and a variety of other information which we have deemed important over the last few years of cracking. This application made the entire contest a breeze to get organized and was a invaluable asset to the team.

During the Contest

Since we knew that this year's competition was not about total number of cracked passes but more like the weighting of the hash-type, we did not attack the usual suspects like MD5, NTLM oder SHA1. We immediately started to go for the hard ones, especially that ones that are supported by oclHashcat-plus such as md5crypt and phpass. Both of the hashes gave 1000 points each and are fully supported. Additionally we had an defcon edition of oclHashcat-plus that also support {SHA}, {SSHA}, raw SHA1, MySQL. This version was specificly coded for the contest since we knew the guys from KoreLogic would pick hash types which were not supported by current GPU proccessing. The rest of the team set out to find how the passes were generated. We quickly spotted the dates first, so we took the maskprocessor and ran it with -1 .-/ -2 0123 ?2?d?1?2?d?1?d?d. Soon we realized those masks are mostly used in all the algorithms. So it looks like that if you find one mask, you just have to run it on all the algorithms to get the most out of it.

Adding mscash2 Support

We realized that mscash2 gave so many points, but it's freaking slow. The only tool that supported it was John and latest omp build gave me only 545/s on my 4200+. On a Intel 17 965 Extreme we were only getting about 75/s which was seriously slow. We started to attack the Mscach2 and were able to recover a few but not enough to put us in the lead. At this point the contest had been running for about 12 hours and the first stats came up we saw that the other teams we making a run at the mscash2 hashes. We had no choice. since our focus is utilizing the GPU rather than the CPU. so Atom stopped all cracking and focused on implementing the mscash2 algorithm for the -plus version. He started with the AMD version because most of the people on the team were using AMD gpus. About 6 hours later we had our first working version but it was painfuly slow. 18000/s on my hd6990. It was however, at least 30 times faster than jtr's CPU-only version.

The rest of the team started using it to crack while Atom spent his time optimizing it a bit. Atom found out that it's possible to precompute 2/4 sha1 transforms of the PBKDF2. This and some other relevant optimizations lead to an end result of 112k/s on an stock clock hd6990.

At this point we started looking for patterns in the mscache2 since it was obvious the same patterns we present in all the hash types. Once a pattern was found it was used to attack all the other algoritms. About 8 hours before deadline Atom decided to port the mscash2 to nvidia. Once a beta version of this was done it was sent to radix who has a nice 7 gpu nvidia rig and the results kicked in massive. we got about 115 mscash2 in a single 10 minute run.

It was at this point we realized there must be a bug in the AMD version since the Nvidia version worked perfectly so Atom dropped back out of cracking to hunt down the bug. It took about 6 hours to find out that a sizeof() used the wrong datatype. Atom fixed it but at this point we only had about 30 minutes left. So we uploaded the new amd kernel to D3adone's GPU cracking box which is a an 8 x hd6970 rig, At this point we were now making 450k on mscash2. We started with 545/s and now we are at 450k/s.

Last Minutes of the Contest

In the last 20 minutes we found 30 more mscash2. We uploaded them but then Korelogic cut off the line while we were still finding more and more mscash2. 10 minutes after deadline we had 15 more mscash2 but it was to late. We are very happy to get a honorable second place and congratulate the Inside Pro team on a good battle.

Final Thoughts

This contest showed that oclhashcat-plus has the potential to be one of the best and most versatile crackers. We just need to add more algorithms and keep them secret from Minga. We could crack only 50% of the algorithms with hashcat tools, so the plan is now to add more algorithms to oclHashcat-plus. Expect a new version soon which will support:
  • SHA1
  • MySQL
  • SHA-1(Base64)
  • SSHA-1(Base64)
  • MSSQL(2000)
  • SHA256
  • Oracle11g
  • mscash2
  • MSSQL(2005)
...and more later. This will hopefully prepare us better for next year's CMIYC.

NameCPUsGPUsOSSoftware in Addition to *hashcats
|m| Q6600 x 1 5870 x 1 XP 32  
atom AMD Athlon 64 X2 6000+ HD6990 Linux 64 jtr
blaz i7 930 + AMD X6 1035T 9800gtx + 6570 Win7 64 jtr, egb, pwp
d3ad0ne x5650 x2, 980x x1 6970's x8, GTX 480's x4 Linux 64 jtr
Superjamesi7 860 5870 x 2 Linux 64 jtr
K9 E8400 4870 Win7 32, Win7 64 pwp, ighash
legion Q6600 x 2 8800 gts x 1 XP 64, Win7 64 pwp, egb
MKv4 3.1ghz x2 HD5770 Win7 x64, Linux x64 ophcrack, pwp
pure_hatei7 965 Extreme 6990 x 3 Linux x64 jtr
Radix 2x E5645 1x 1055T GTX 580 x 7 5870x2 Linux x64  
Rolf T1090 GTX 480 x 2 Win7 x64 pwp, egb, Accentsoft
T0XlC 1x E5504 GTX480 x 1 Win7 x64 pwp, egb
Xanadrel i7 950 5770 x 1 XP 32 jtr
Dakykillai7 965 Extreme 6990 x 3 Linux x64 jtr


Please contact us if you would like more information about our services, tools, or careers with us.
Privacy Policy : Copyright 2012. KoreLogic Security. All rights reserved