Tutorial for CMIYC2024: Registering a Team and Cracking Test Hashes

By -

 

AI generated picture of a Black Kitten wearing a tophat cracking passwords

Whenever a thing is done for the first time, it releases a little demon.

- Emily Dickinson

Getting Ready For Crack Me If You Can 2024

August is like New Years for me. With BSides Vegas, Defcon, and all the other hacker conferences, I find myself taking stock of the previous year, realizing all the plans I did not accomplish, and I find myself setting goals for the next year. One of the things I am happy about though is that I now have a password cracking framework to help me compete in this year's Crack Me If You Can competition. Like the last couple of years I plan on competing by myself on team "Reusablesec" since I think it's important to try (and probably fail) vs. just talk about password security.

I'd also like it if new players also competed and learned from this contest. The problem is, the Crack Me If You Can contest can be intimidating, and the barrier of entry can be high. I mean, you need to figure out how to use PGP, which isn't easy, and that is on top of installing/configuring/using password cracking programs! To that end, this blog entry is focused on highlighting how you can use the Password Cracking Framework to get your team registered, and will walk you through how to crack the test hashes and how to submit them. That way you can focus on the fun parts such as cracking hashes and trying to figure out whatever Led Zeppelin themed challenge Korelogic is sure to throw at you this year.

Note: While the test hashes will be "spoiled" in this blog entry, I WILL NOT be posting any actual contest solutions until after the competition is over. If you want to attempt to crack the test hashes yourself (which would be awesome) feel free to skip this blog entry and come back to it after you are done so I don't spoil the challenge for you.

Resources:

Official Contest Resources:

  • Korelogic Contest Website: [Link]
  • Korelogic Registration Info: [Link]
  • Korelogic Hash Downloads: [Link]
  • Korelogic Scoreboard: [Link]
Password Cracking Framework Resources:
  • Github Site for Code: [Link]
  • Previous CMIYC Tutorial (Part 1): [Link]
  • Previous CMIYC Tutorial (Part 2): [Link]
  • Previous CMIYC Tutorial (Part 3): [Link]
  • Previous CMIYC Tutorial (Part 4): [Link]

Using The Framework:

The rest of this tutorial is really going to focus on using the Password Cracking Framework to help automate some of the tasks in the CMIYC contest. All the Pro teams have their own frameworks, so I developed this framework to be something anyone could use. The framework is written as a Python backend for a JupyterLab Notebook. Why JupyerLabs? Well I never want to write a GUI so JupyterLabs takes care of much of the frontend for me. Also, I've found the interactive shell into my Python backend to be very helpful when playing around with data.

You can download and install the framework from the link above. The real source of truth will be the CMIYC_2024_Examples.ipynb Notebook vs. this blog entry, as I will probably be making changes and updates to throughout the contest. While I won't be posting any contest hashes, I will likely update the Framework to handle file formats that Korelogic throws at the street teams. When you are using this Notebook, I'd recommend using the example one as a tutorial, but then creating your own Notebook to manage your own personal cracking sessions. That way you can arrange your Notebook the way that works best for you, and if I make changes to to the tutorial/example during the contest you don't have to worry about git merge conflicts.

For the rest of this blog entry I'm largely going to be referencing the Notebook, so I'd recommend taking the time to download and install it before continuting.

Registering a Team:

Korelogic requires teams to perform all communications using PGP. For most people, this probaly means using the GNU PGP client. For me, GNU stands for "Going to Never Use it" since the tutorials and MAN pages are often horrible. So the first order of business for me getting ready for this year's CMIYC was to automate PGP key generation, encryption, and decryption using the Python library PGPy [Link].

If you want to use a different PGP program to create a team, absolutely go ahead and do that! But in the Password Cracking Framework I created a Python class called PGPMgr that you can call through the Jupyter Notebook instead.

The first function is generate_read_pgp_private_key. This will create a new PGP key (if one does not already exit) and write it to the key_file name that you send to it. If a PGP key already exists it'll validate the key and then return it. This way you aren't creating a new key every time this is run. Feel free to skip using this function if you already have a PGP key you want to use, but even the conference organizers recommend using a contest specific PGP key to make it easier to partner with other players. I'd also recommend backing up your key in case something happens during the contest. Here is the output of running it in the Notebook:


My apologies that it's a screenshot vs. text, but that's why it's probably easier to use this in the framework.

To encrypt/decrypt messages I then created the PGP_Mgr class in the Framework. I figured a class would be better than having individual functions since I didn't want to have to keep passing in my private key as well as KoreLogic's public key.

While I could try to integrate this with individual e-mail services, that seems like a lot of work so PGP_Mgr will output encrypted messages to this workbook as well as save the messages to a file. It's up to you then to actually copy/paste (or attach) that message into an e-mail and send it to KoreLogic at sub-2024@contest.korelogic.com



Hopefully you are getting an idea about what this framework is now! I could keep copying and pasting screenshots from it, but I really recommend you just check it out instead! Even if all you use this for is just to register a team and not to crack any actual passwords, I hope this Framework helps you out. As a side tangent, I also need to come up with a better name for this Framework. I'm thinking CRIPTs (Collaborative Research Into Password Threats), but I'm open to other suggestions!

Cracking the Test Hashes:

For the test hashes, there are two different challenge files:
  1. test_1_passwd.hash
    • Contains 5 different hashes 
      • 1 raw-md4
      • 1 nsldaps
      • 2 md5crypt
      • 1 bcrypt which is worth ALL THE POINTS
  2. test_1.zip
    • An encrypted zip file containing a note
Observation 1: It looks like we will need to crack encrypted files again this year to unlock additional hashes and get tips on how to crack the tougher hashes. If you want to crack encrypted files used in past CMIYC contests, I strongly recommend this blog post: [Link]

As far as cracking those hashes, you'll want to specify the correct format when running John the Ripper and Hashcat. Rather than look that up in the help files, I made a function to display what format name/number to use is in the Framework:



The framework unfortunately doesn't crack any passwords for you. You'll need to do that yourself. Luckily if you run default attacks against the raw-md5 hash and the nsldaps hashes using John the Ripper you should be able to crack them. Their plaintexts are:

Raw-MD5: 3-2-1
NSLDAPS: Contact

If you are a child of the late 70s and 80s you might remember "3-2-1 Contact" as a great PBS show teaching kids science (think of it as a nerdier Sesame Street). That seems like it might be useful information when creating a custom wordlist to target the other hashes. Doing some Googling led to the following link containing the show's lyrics: [Link].

Using a wordlist created from that, I managed to crack the zip password.

PKZip: When everything happens

Unzipping the file, we can see the following message:

-----------------------------------------------------------------------------------
Do not submit the zip passphrase, it is not worth anything.

user5's password is the sentence spoken by the synthesized voice
introducing itself in episode 101.

-----------------------------------------------------------------------------------


Observation 2: There will probably be a "Google/Bing" section of the contest where you will need to create solve puzzles and create customized wordlists

Wonder if I can use ChatGPT to solve this problem?






Uggg! Well I guess I don't have to worry about AI taking my job for another year. On the plus side, if KoreLogic makes me watch PBS science shows all weekend I really can't complaint too much. To watch the Episode 101 of 3-2-1 Contact yourself you can view it at the following [Link]. I forgot how much this show rocks!

Cracking the BCrypt Hash:

As far as actually cracking the passphrase for the BCrypt hash, the text in question is: 
  • "I am a computer at bell laboratories and I am learning to talk"
It's pretty easy to throw that in a wordlist and try to crack the password. But, it doesn't work.... So there obviously is something wrong with the phrase. Maybe it is capitalization?

One option is to apply passphrase mangling rules that you can find in the following passphrase cracking github repo [Link Here]. Besides common passphrase mangling rules, this site also has a huge collection of passphrases wordlists which is nice for normal cracking session. For the mangling rules you can download from that repository, they will generate guesses such as the following:
  • take the red pill
  • take-the-red-pill
  • take.the.red.pill
  • take_the_red_pill
  • taketheredpill
  • Take the red pill
  • TAKE THE RED PILL
  • tAKE THE RED PILL
  • Taketheredpill
  • tAKETHEREDPILL
  • TAKETHEREDPILL
  • Take The Red Pill
  • TakeTheRedPill
  • Take-The-Red-Pill
  • Take.The.Red.Pill
  • Take_The_Red_Pill
Unfortunately when I applied these rules to the sentence spoken by the computer, I still was unable to crack the password. I'll admit this was an area where Ivan from team John_Users also beat me to it. Turns out, I needed to capitalize 'Bell Laboratories', and then add a period at the end. So the actual password was:
  • I am a computer at Bell Laboratories and I am learning to talk.
That's some of the gotchas that can get you when cracking passwords. Close doesn't cut it. Also this shows I need to up my passphrase mangling rules!
 
Speaking about how awesome Ivan was though, while I won't be competing with team John_Users this year, I really want to wish them the best of luck and state they are the Pro team I'll be rooting for! Go Team John_Users!!!! Also if you want to compete with them, they are still taking new members. This is an amazing opportunity to learn from some really advanced password cracking experts.


Update: After the Contest Spoiler

So what about those md5crypt hashes? Well there is a good lesson to be learned from that as well. Here are their solutions given by the contest organizers:
  • user3:$1$mjlHQY$7ofnyhSdWnn6HyIMf8GIE0:It's the secret
  • user4:$1$h2lb97w8$rSnzQB3FHv9o4VXaOTEyx.:It's the moment
So that's really weird, since I mentioned I had added the show lyrics to a cracking wordlist. In fact, the wordlist is available in the JupyterLab example [Here]. Looking at that wordlist, it has the following two lines:
  • It’s the secret
  • It’s the moment
Question: Can you spot the difference?

Answer: It's the secret, it's the moment, but really it is the apostrophe

Observation 3: This is a real learning lesson for me. I need to be more careful about how I read in and normalize input scraped from webpages when creating wordlists for these contests. Changes like using the wrong apostrophe are really hard to spot if you are manually looking at the copied content, but it makes all the difference when cracking passwords. Just like with the bcrypt passphrase, getting close doesn't count. You need to make a guess exactly the right way. I guess that complication is part of what makes password cracking so fun!

Comments

Post a Comment

Popular posts from this blog

Tool Deep Dive: PRINCE

By -
Image
Tool Name: PRINCE (PRobability INfinite Chained Elements) Version Reviewed: 0.12 Author: Jens Steube, (Atom from Hashcat) OS Supported: Linux, Mac, and Windows Password Crackers Supported:  It is a command line tool so it will work with any cracker that accepts input from stdin Blog Change History: 1/4/2015: Fixed some terminology after talking to Atom 1/4/2015: Removed a part in the Algorithm Design section that talked about a bug that has since been fixed in version 0.13 1/4/2015: Added an additional test with PRINCE and JtR Incremental after a dictionary attack 1/4/2015: Added a section for using PRINCE with oclHashcat Brief Description:   PRINCE is a password guess generator and can be thought of as an advanced Combinator attack . Rather than taking as input two different dictionaries and then outputting all the possible two word combinations though, PRINCE only has one input dictionary and builds "chains" of combined words. These chains can have 1 to N wo
Read more

Cracking the MySpace List - First Impressions

By -
Image
Alt Title: An Embarrassment of Riches Backstory: Sometime around 2008, a hacker or disgruntled employee managed to break into MySpace and steal all the usernames, e-mails, and passwords from the social networking site. This included information covering more than 360 million accounts. Who knows what else they stole or did, but for the purposes of this post I'll be focusing only on the account info. For excellent coverage of why the dataset appears to be from 2008 let me refer you to the always superb Troy Hunt's blog post on the subject . Side note, most of my information about this leak also comes from Troy's coverage. This dataset has been floating around the underground crime markets since then, but didn't gain widespread notoriety until May 2016 when an advertisement offering it for sale was posted to the "Real Deal" dark market website. Then on July 1st, 2016, another researcher managed to obtain a copy and then posted a public torrent of then entir
Read more

The RockYou 32 Million Password List Top 100

By -
But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi
Read more