Showing posts from August, 2023

Hashcat Tips and Tricks for Hacking Competitions: A CMIYC Writeup Part 3

I want to know1 and understand1 But I will not1 -- Hashes cracked from the KoreLogic CMIYC 2023 competition

In the previous two posts on the CMIYC competition [Part 1, Part 2], I focused on how to integrate data science tools into your password cracking workflow and showed how to crack passwords on limited hardware (e.g. my laptop without using a GPU). Of course it's better to have some firepower to crack hashes! One of the hurdles to overcome is that I don't have a lot of firepower at my disposal. Despite being super interested in (OK, obsessed with) password cracking, I've never invested in a dedicated cracking rig. Still, when I do get serious about cracking passwords I turn to Hashcat and GPU-based attacks to do the heavy lifting, even if I only have a single NVIDIA GeForce GTX 1070 GPU. That's still significantly faster than trying to run CPU-only attacks. To that end, let's talk about how to leverage Hashcat when competing in these competitions. Full disclaim

Using JupyterLab to Manage Password Cracking Sessions (A CMIYC 2023 Writeup) Part 2

“Tools?” scoffed Kalisti, “Tools are for people who have nothing better to do than think things through and make sensible plans.” ― Laini Taylor, Muse of Nightmares

When we left off in Part 1 of my CMIYC2023 Writeup, I had cracked a measly 437 passwords. Yes, I had a Jupyter Notebook set up to perform analysis, but what I really needed was more cracked passwords to do analysis on. To that end, I started off doing some basic exploratory attacks very similar to what I detailed in previous competitions [Crack the Con, CMIYC2022]. These included running JtR Single Mode with the RockYou, dic-0294, Alter_Hacker, and the sraveau-Wikipedia wordlists. Basically these attacks are about as dumb and untargeted as you can get. But they are also easy and quick to run against fast hash types. And they can be helpful! The Wikipedia wordlist in particular highlighted that Cyrillic passwords would likely play a role in this competition. Running an attack using a Russian wordlist ( from he

Using JupyterLab to Manage Password Cracking Sessions (A CMIYC 2023 Writeup) Part 1

“We become what we behold. We shape our tools, and thereafter our tools shape us.” -- Marshall McLuhan

This year I didn't compete in the Defcon Crack Me If You Can password cracking competition. It was my wife's first Defcon, so there was way too much stuff going on to sit around our hotel room slouched over a computer. But now that a week has passed and I'm back home, I figure the CMIYC Street Team Challenge would be a great use case to talk about data science tools! Big Disclaimer: I've read spoilers from other teams and have participated in the post-contest Discord server. I'm totally cheating here. The focus is on how you can use JupyterLab to perform analysis while cracking passwords. Not my problem solving skills (or lack thereof).

Initial Exploration of the Challenge Files: The CMIYC challenge file for street teams is available here. It's a PGP-encrypted file, so the first thing to do is decrypt it with the password KoreLogic provided. gpg -o cmiyc_st