Once again KoreLogic hosted the Crack Me If You Can password cracking contest during DEFCON 29. I participated in the Street Division as a solo entry. Password cracking is something that I have developed a passion for over the past 5-6 years after realizing that so many in the forensic world struggle with it. I found a ton of great resources such as the thesis and dissertation by Dr. Matthew Weir (Using Probabilistic Techniques to Aid in Password Cracking Attacks) and prior contest write-ups by @Cyno-Prime, @John_Users, and @hashcat. The YouTube videos posted from the Password Village at DEFCON 28 are a great resource, especially "Let's crack rockyou.txt, without using rockyou.txt". I decided this year I would attempt the contest with a single machine, with the goal of showing that for certain tasks the hardware isn't as important as the intelligence, strategy and/or methodologies.
Let's start with the hardware, which was a 7-year-old gaming laptop running Windows with a GeForce GTX 860M and a fresh install of Hashcat 6.2.3. Since the rules clearly state that duplicate cracks are not to be submitted, I needed to brush up on creating a workflow to not only properly format my crack submissions, but also to remove the previously submitted cracks. While I am sure there is an easier way to handle this task, I used a combination of the --show option within Hashcat to create the submission and then the --left option to create a new hash file that contained only the remaining hashes to continue cracking. Once I had my cracks in a text file, I used the find/replace feature within Notepad++, along with some grep, to properly format the final submission text file. I know this is somewhere I can improve my efficiency by using a Linux OS and some CLI tools to eliminate the extra steps of using the Notepad++ GUI.
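The submission/left workflow described above can be scripted without the Notepad++ step. The following is an added example, not the author's tooling: it reads a hashcat potfile (assumed to be in hashcat's default `hash:plain` form for NTLM, mode 1000, including the `$HEX[...]` encoding hashcat uses for plains with awkward bytes), drops anything already submitted, and emits both the new submission lines and the list of hashes still left to crack. The submission format `hash:plain` and the sample hashes (MD5 stand-ins with the same 32-hex shape as NTLM) are constructed for the example.

```python
"""Build a submission file and a 'left' hash list from a hashcat potfile.

Added example (not the contest's or the author's code). Assumptions:
  - potfile lines are 'hash:plain' (hashcat default for NTLM, -m 1000)
  - the target list is one hash per line
  - the submission format is also 'hash:plain' (assumed, not from the rules)
"""
import hashlib


def stand_in_hash(plain: str) -> str:
    """Constructed sample data only: an MD5 hex digest has the same 32-hex
    shape as an NTLM hash, which is all this example needs (the real values
    would come from the hash list and the potfile, never be computed here)."""
    return hashlib.md5(plain.encode()).hexdigest()


def decode_plain(plain: str) -> str:
    """hashcat writes plains containing odd bytes as $HEX[..]; undo that."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def parse_potfile(lines):
    """Map lowercase hash -> plaintext. Plains may contain ':', so split once."""
    cracks = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or ":" not in line:
            continue
        digest, plain = line.split(":", 1)
        cracks[digest.strip().lower()] = decode_plain(plain)
    return cracks


def build_submission(target_hashes, potfile_lines, submitted_hashes):
    """Return (new submission lines, hashes still uncracked).

    Hash comparison is case-insensitive because hashcat may print hex in a
    different case than the contest's hash list uses.
    """
    targets = {h.strip().lower() for h in target_hashes if h.strip()}
    cracks = parse_potfile(potfile_lines)
    done = {h.strip().lower() for h in submitted_hashes}
    submission = [f"{h}:{cracks[h]}" for h in sorted(targets)
                  if h in cracks and h not in done]
    left = [h for h in sorted(targets) if h not in cracks]
    return submission, left


# Constructed sample input: four target hashes, a potfile with three of them
# cracked (one upper-case hex, one $HEX-encoded) plus an unrelated crack, and
# one hash that was already submitted in an earlier round.
SAMPLE_PLAINS = ["Password1", "summer2021", "Genesis1", "1Corinthians13"]
TARGET = [stand_in_hash(p) for p in SAMPLE_PLAINS]
POTFILE = [
    f"{stand_in_hash('Password1')}:Password1",
    f"{stand_in_hash('summer2021').upper()}:summer2021",
    f"{stand_in_hash('Genesis1')}:$HEX[47656e6573697331]",   # 'Genesis1'
    f"{stand_in_hash('notinlist')}:notinlist",
]
SUBMITTED = [stand_in_hash("Password1")]


if __name__ == "__main__":
    new_lines, left = build_submission(TARGET, POTFILE, SUBMITTED)
    print("submit:", *new_lines, sep="\n  ")
    print("left:", *left, sep="\n  ")
```

Writing `new_lines` to the submission file and `left` to the next round's hash file replaces the `--show` / `--left` / Notepad++ sequence with one step, and the `$HEX[...]` handling is the part most easily forgotten when a plaintext contains a colon or non-UTF-8 bytes.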
Moving on to the strategies and methodologies, I started with the History_6 hashes, identified them as NTLM and launched a plain brute force attack, which started cracking right away. While that was running in the background, I grabbed the History_5 hashes, which were also NTLM. This initially made me think that some kind of trick was coming, as this was the first time in any contest I have participated in that the hash types weren't mixed. I then went back to read the scenario, and immediately remembered the Password Village talk from DEFCON 28 by @Minga called "Result of Longer Passwords in Real World Application". During this talk, Minga explained how, as corporate password policies evolve, users typically keep their passwords similar while still complying with the policy. This was a huge guess early on, and I figured I would commit to this strategy as long as I didn't see anything in the cracks pointing to a more efficient one. Since History_4 and History_3 wouldn't be released until later in the contest, I would have a few hours to crack and analyze to see if the methodology would benefit me in the long run.
As I began to look at the cracks, I saw several patterns that I wanted to exploit early on, so I stopped the straight brute force attack and started with various mask attacks. Some of the patterns I saw were digits at the front, digits at the end, all lowercase, uppercase first character, and all digits, so I played around with several mask variations on both the History_6 and History_5 files and immediately saw a massive increase in results, which was not surprising. A blind brute force should never be used as the only strategy, as that relies on luck alone, and password cracking requires some strategy and intel to be really effective. I continued with the various masks and then started to notice some of the core words, such as numbers, names, cities, and books/chapters of the Bible. With this realization, and following the strategy that this contest was based around "users" who had an evolving password policy, I created a fresh wordlist using all of the previous cracks as a base.
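The pattern spotting described above (digits at the front or end, all lower, uppercase first, all digits) can be done mechanically over the cracked plains instead of by eye. The following is an added example, not code from the post: it converts each plaintext into a hashcat mask using the built-in charsets (`?l`, `?u`, `?d`, `?s`), tags it with the coarse patterns the author lists, and ranks masks by how many cracks they explain against how large their keyspace is, so the cheapest productive masks run first. The sample plaintexts are constructed; the charset sizes are hashcat's (26/26/10/33 for `?l`/`?u`/`?d`/`?s`). Anything outside ASCII printable is lumped into `?s` here, which is a simplification of hashcat's `?b`.

```python
"""Derive and rank hashcat masks from already-cracked plaintexts.

Added example, not the author's or hashcat's code. Masks use hashcat's
built-in charsets; sample plains below are constructed for the demo.
"""
import re
from collections import Counter
from string import ascii_lowercase, ascii_uppercase, digits

# Keyspace size per built-in hashcat charset (?s = 33 printable specials).
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def char_class(c: str) -> str:
    """Map one character to the hashcat charset token it would be covered by."""
    if c in digits:
        return "?d"
    if c in ascii_lowercase:
        return "?l"
    if c in ascii_uppercase:
        return "?u"
    return "?s"  # simplification: specials and non-ASCII both land here


def mask_of(plain: str) -> str:
    return "".join(char_class(c) for c in plain)


def keyspace(mask: str) -> int:
    """Number of candidates a mask generates (literal chars count as 1)."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i:i + 2] in CHARSET_SIZE:
            total *= CHARSET_SIZE[mask[i:i + 2]]
            i += 2
        else:
            i += 1
    return total


def pattern_tags(plain: str):
    """The coarse buckets the write-up mentions; a plain may carry several."""
    if plain.isdigit():
        return ["all digits"]
    tags = []
    if all(c in ascii_lowercase for c in plain):
        tags.append("all lower")
    if plain[:1] in ascii_uppercase and not any(c in ascii_uppercase for c in plain[1:]):
        tags.append("uppercase first")
    if re.match(r"\d+\D", plain):
        tags.append("digits at front")
    if re.search(r"\D\d+$", plain):
        tags.append("digits at end")
    return tags or ["other"]


def rank_masks(plains, top=5):
    """Return [(mask, hits, keyspace)] sorted by hits per candidate, best first.

    A mask that explains many cracks but costs few candidates is the one to
    queue first; a huge-keyspace mask with one hit is a poor use of GPU time.
    """
    counts = Counter(mask_of(p) for p in plains)
    ranked = sorted(((m, n, keyspace(m)) for m, n in counts.items()),
                    key=lambda t: (-(t[1] / t[2]), -t[1], t[0]))
    return ranked[:top]


# Constructed sample of "previous cracks" (not real contest data).
SAMPLE_CRACKS = [
    "summer2021", "Summer2021", "2021summer", "genesis", "Genesis1",
    "123456", "Winter2021", "password", "12345678", "Spring2021",
]


if __name__ == "__main__":
    for mask, hits, space in rank_masks(SAMPLE_CRACKS):
        print(f"{mask:<24} hits={hits:<3} keyspace={space:,}")
    for p in SAMPLE_CRACKS[:3]:
        print(p, pattern_tags(p))
```

Feeding the top masks to `hashcat -a 3` one at a time (and re-running the ranking as new cracks arrive) is the loop the post describes; the ratio of hits to keyspace is what tells you whether a mask is worth its run time on a single older GPU.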
Once History_4 and History_3 were released and I realized they were all NTLM, there was no need to keep the files separate; they could all be combined into a single file. This made my workflow more efficient, as I didn't need to run each mask attack 4 times to cover each of the files; I would just run it once on the combined file. Suddenly I realized I had been missing out on a huge strategy and benefit, and I couldn't believe that I was so focused on the masks that I had forgotten about the --loopback option to feed the found cracks back into the attacks. I also realized that I had not used any rules, which was another huge oversight, as tunnel vision had set in on the masks and patterns.
After the realization of all the missed/forgotten functions within Hashcat, I took a step back, re-evaluated my strategy, and moved back to basics. When dealing with password cracking, I typically start with wordlists, so I of course started with rockyou. As I organized my wordlists, I found a directory that I had created called Korelogic_Lists. This directory contained several wordlists that I had downloaded several years ago from the KoreLogic website. These lists included cities, female names, male names, places, books of the Bible, months, numbers as words, and sports teams. This was a treasure trove, which by the way is still available on the 2010 Crack Me If You Can contest page. I combined all of these into a single wordlist, made sure that I was tracking which rules I had used, and started to run through the hashes. The cracks were flying by, and I had definitely found a great resource that I couldn't believe I had overlooked earlier.