Team Phx2600
Resources
Active Members: 2
Nicks: AltF4, Phlak
Software: John the Ripper with Jumbo patches
Hardware: One i5 with 2 cores.
Overview
So, unfortunately, the Phoenix 2600 suffered from a lack of organization
this year. I blame myself, as I was the one trying to do the organization.
Ultimately, our team turned into a mostly one-man-show. Phlak put in a great
effort near the end of day 2 to give me some NTLM cracks, but alas they
weren't worth many points. We (I) also suffered from some miscommunication.
When the competition started, it was postponed by an hour due to some
technical difficulties. (understandable) So I was then under the ostensibly
false impression that the competition would correspondingly last for an hour
longer, which it didn't. [We wish we had clarified that ahead of time -Kore.]
So I had a group of valuable MSCASH cracks that would have put us in 8th place
that I submitted at 12:30. But oh well. I blame only myself.
The competition itself was super fun, just like last year. And all things
considered, we did extraordinarily well. We actually managed to get a decent
score with an astoundingly low total number of cracks, due to the rules this
year.
Strategy
I knew I was at a hardware disadvantage compared to probably every team, so
I tried to work smarter rather than harder. Luckily, the rules this year
permitted such a thing. It quickly became apparent in the competition that
the higher valued hash types were worth so much more than the lower ones,
that there was little point in bothering with the lower valued hashes at
all.
But I needed somewhere to start, and so I ran some simple brute forces and
word lists against the easy types (NTLM, etc...) to get an idea of what kind
of words are being used. I noticed some interesting things:
- Some Pokémon related names
- Every iteration of DEFCON, VEGAS, BLACKHAT, etc... (like last year)
- But most notably there was a reasonable population of alphanumeric names.
Or names with simple transforms. All 6 characters and 7, so they're easy
to run through. More than that, I noticed that this same pattern wasn't
just present in the NTLMs, but also in the valuable types. So that's where
I went next.
I ran this pattern looking for passwords in one of the MD5 types worth
1000 pts each, overnight. After submitting, I was in the top 8 with well
fewer than a tenth of the total number of cracks of every team above or
below us.
I then started looking at what hash types the top teams were working most
on. Team Hashcat and InsidePro (the two real contenders for 1st place) had
gotten at this point the majority of their points in the MSCASH2 hash type.
There were only about 12 hours left in the competition at this point so I had
to take the risk and go for it. I was starting to bleed the 1000 pt MD5 type
dry of the easy pattern I found, so I switched to MSCASH2.
I had found an additional 34 of these MSCASH2 passwords, which doesn't sound
like much, but happens to be worth 544,000 pts. Nearly doubling my score. In
retrospect, I shouldn't have bothered with anything else but the MSCASH2 type
since it was worth so much. But like I said earlier, these didn't wind up
counting on the official tally.
Things I didn't get to, but should have given more resources
- Knock out all the unsalted types with rainbow tables first thing. That's a
great way to bootstrap the process of looking for patterns. I kind of got
lucky that I found the pattern I did.
- Try some of the "challenges". I never even got a chance to look at them,
unfortunately. I bet they were worth a lot of points.
- Use a GPU. Man, this is really the way to go in the future. Too bad my
laptop doesn't have one.
Final Thoughts
I definitely look forward to performing again next year. I promise to put
together a more compelling and competitive effort as well. Also, look for
the Phoenix 2600 in other competitions until then.