Posts

Showing posts from 2023

Jupyter Lab Framework Example: Revisiting CMIYC2022

Everything that happens once can never happen again. But everything that happens twice will surely happen a third time. -- Paulo Coelho

Introducing the JupyterLab Password Cracking Framework:

For the last couple of months, I've been (slowly) working on building out a new backend/framework to manage password cracking sessions using JupyterLab as the frontend/GUI. The current version of this framework is available [here]. This project is under active development (well, active for me anyway), and I'd really appreciate feedback and suggestions on how to extend and improve it. My goal is to have an open source, community-driven alternative to Team Hashcat's List Condense (LC) collaboration server ready by CMIYC2024.

About The Framework:

I view JupyterLab as a stone soup. It provides a good interface, an interactive Python debugger, and a way to save and share analysis results. But it is still up to you to do all of the backend analysis. That became very evident when I...

Hashcat Tips and Tricks for Hacking Competitions: A CMIYC Writeup Part 3

I want to know1 and understand1 But I will not1 -- Hashes cracked from the KoreLogic CMIYC 2023 competition

In the previous two posts on the CMIYC competition [Part 1, Part 2], I focused on how to integrate data science tools into your password cracking workflow and showed how to crack passwords on limited hardware (e.g. my laptop without using a GPU). Of course, it's better to have some firepower to crack hashes! One of the hurdles to overcome is that I don't have a lot of firepower at my disposal. Despite being super interested in (OK, obsessed with) password cracking, I've never invested in a dedicated cracking rig. Still, when I do get serious about cracking passwords, I turn to Hashcat and GPU-based attacks to do the heavy lifting, even if I only have a single NVIDIA GeForce GTX 1070 GPU. That's still significantly faster than trying to run CPU-only attacks. To that end, let's talk about how to leverage Hashcat when competing in these competitions. Full disclaim...

Using JupyterLab to Manage Password Cracking Sessions (A CMIYC 2023 Writeup) Part 2

“Tools?” scoffed Kalisti, “Tools are for people who have nothing better to do than think things through and make sensible plans.” ― Laini Taylor, Muse of Nightmares

When we left off in Part 1 of my CMIYC2023 Writeup, I had cracked a measly 437 passwords. Yes, I had a Jupyter Notebook set up to perform analysis, but what I really needed was more cracked passwords to do analysis on. To that end, I started off doing some basic exploratory attacks very similar to what I detailed in previous competitions [Crack the Con, CMIYC2022]. These included running JtR Single Mode with the RockYou, dic-0294, Alter_Hacker, and the sraveau-Wikipedia wordlists. Basically, these attacks are about as dumb and untargeted as you can get. But they are also easy and quick to run against fast hash types. And they can be helpful! The Wikipedia wordlist in particular highlighted that Cyrillic passwords would likely play a role in this competition. Running an attack using a Russian wordlist ( from he...