Senior Security Analyst
Alex Kah works for Optiv’s MSS organization responding to security incidents, strengthening MSS’s security posture and assisting with other internal technology additions and enhancements.
Crack Me If You Can - Hash Cracking Contest
The fifth annual KoreLogic “Crack Me If You Can” contest took place this past weekend at the 22nd annual DEF CON. Crack Me If You Can (CMIYC) is an annual DEF CON contest that simulates real-world penetration testing scenarios in which you might obtain large lists of hashed passwords from a client or clients. Password hashes are used to store passwords securely for anything from WPA/WPA2 for wireless communications to the passwords you use to log in to websites. The CMIYC contest continues to improve year after year, with this year providing the most realistic scenario to date.
Many think of password cracking as something that can be accomplished more quickly by using more CPU/GPU power; however, the Crack Me If You Can contest concentrates on ability by rewarding those skilled in pattern matching. This year’s contest included multiple fake companies in which you might find similar patterns, just as at real companies you might see password patterns related to the locale itself.
The Crack Me If You Can contest consists of a “Pro” class for teams who want to compete for bragging rights as the best password cracking team on the Internet and a “Street” class for individuals or small teams who want to compete without going up against the larger teams. This year Team Hashcat won for the third time in the five years that the CMIYC contest has existed. Accuvant team members participating in this year’s contest on Team Hashcat included me, Alex “dakykilla” Kah, and Martin “purehate” Bos. A third participant, Eric “Brav0Hax” Milam, assisted by cracking password hashes and uploading results to Team Hashcat through Martin and me. All three of us primarily used oclHashcat and Hashcat, both of which are available to download and use free of cost. The hardware used by Accuvant team members included an Ubuntu server with four 280X GPUs, another Ubuntu server with four 280X GPUs, an Ubuntu server with two 7970 GPUs, an Ubuntu server with four 7970 GPUs and multiple other servers using only CPUs. Team Hashcat consisted of 24 other members from around the globe, including Jens “atom” Steube, the developer of Hashcat. The Team Hashcat write-up below lists all team members, the hardware used for the contest and password cracking methodologies.
For more information about the contest and Team Hashcat, use the links below.