Back to Top
We will release a collection of encrypted password hashes from various types of
systems--UNIX servers, Windows AD, LDAP servers, webapps, etc, plus a number of
encrypted files ("challenges") such as .doc, .zip, private key files, etc.
Teams will have 48 hours to crack as many passwords and encrypted files as they
KoreLogic will be giving away the following prizes for first, second, and third place:
- First Place: $600 (or equivalent)
- Second Place: $300 (or equivalent)
- Third Place: $100 (or equivalent)
In addition, each challenge a team wins (up to the limit, see below) earns a
$65 donation in their name to either EFF
or Child's Play
. A 65 dollar
EFF donation is enough to obtain a "Copper" Membership.
At the start of the contest, KoreLogic will release a .zip containing
one password file per hash type, and also various encrypted files
(challenges). Hashes will be things like MD5, Salted MD5s, Blowfish,
SHA1, SHA256, SSHA, DES, NTLM, etc. Challenge files will be encrypted
.zip files, .doc's, private key files, truecrypt volumes, etc.
The passwords will range from being "easy" to extremely difficult to
crack. They are not simply randomly generated passwords, which would
favor the person or group with the most GPU/CPU bruteforcing
horsepower. Instead, the password files contain passwords based on
what we believe are challenging real-world patterns. Passwords will be
of varying lengths, patterns, and complexity. Creative password
cracking techniques, rules, dictionaries, and tools will be needed.
The teams who are smart about the methods they use (i.e., teams who
can crack more, with less work) will most likely be the most
The goal of the contest is simple: score the most points.
Points are earned in several ways:
- Each cracked password is worth some points, more points each for
harder/slower hash types. For example, FreeBSD MD5 hashes are worth
more than UNIX DES; bcrypt (blowfish-based) are worth more than
- Bonus points for having the most hashes of a specific type (the most
FreeBSD MD5, the most NTMD4, etc).
- Each solved challenge is worth a big chunk of points, and there
are also sub-prizes for solving challenges. However, teams
are limited as to how many challenges they can win (see
below), so big teams cannot sweep all the challenges.
The points per hash type, challenge, and bonuses will be announced soon.
Teams must provide their results directly to KoreLogic at multiple
intervals during the 48 hour contest window. (See the HOWTO for
details on how to submit.)
We will publish a list of challenge file types a few days before the
contest, so teams can prepare.
We typically have three or four teams that dominate the competition.
We want to make sure that large teams do not sweep everything.
So this year, teams will only get credit for the first few challenges
they win / solve. There are 37
challenge files, and the limit is
6 per team
. Teams will score for solving up to six of them, and
no points for any beyond that. Between them, the biggest/fastest teams
could claim at most about half of the "first to solve" credit, but then
they would max out.
If a team maxes out on points but not wins (by solving six challenges
that have all already been won by some other team), they can keep
trying to win others if they wish; they could not earn any more
points, but would still be eligible to win new challenges (up to their
max of six).
Note that while challenges won't all be of equal difficulty / amount of
CPU cycles to crack. But, they will each be worth the same amount of
points. So teams going for the most overall points will probably want
to burn up their quota of challenges quickly on easy ones. Other teams
may want to focus on winning side-prizes for being the first to crack
Note also that the same eligibility rules apply to challenges--your team
has to have someone attending DEFCON to claim the prize for a challenge
win. This is a DEFCON contest, after all.
The rules are intended to maintain good fair-play across the board.
Basically, "Don't be a dick." Besides following the directions
about how to register and submit, the rules are:
- You MAY use as many systems/cores/CPUs as you wish.
- You MAY use systems NOT located at DEFCON.
- You MAY work with other team members not attending DEFCON.
To be eligible for a prize, your team must have at least one team
member physically attending.
- You MUST ONLY use systems that you are authorized to use.
- You MUST NOT attempt to gain unauthorized access to any system
used by KoreLogic or another team.
- You MUST NOT attempt to interfere with the efforts of another
team (DoS, etc).
- You MUST NOT attempt to steal passwords from or
techniques/methods used by another team (that they are trying to
- To be eligible for a prize, you MUST agree to share your
techniques / methodologies and describe the resources/tools used to
crack the passwords.
- Generally, you MUST NOT be on multiple teams, or switch teams
during the contest--we will assume you stole all the cracks from the
team you left, or the team you join. Plus, it's an unfair surprise to
the other competitors. Exceptions include:
- Being part of a team, but also registering individually, so
that your progress can be tracked independently. This is OK as
long as you tell us this is going on (email the human contact
address). In this case, the sub-team(s) would not be eligible
to win, only the larger team they were part of.
- Starting the contest as a small/solo team, and then deciding
you don't have the time to commit to see it through, and want to
join another existing team. We don't want any last-minute
surprises, but if you do this within the first 12-18 hours or so
the contest, email the human contact address to let us know.
- KoreLogic staff are not eligible for the contest.
- The files containing the password hashes will not be released until the start of the contest.
Any violation of the rules will result in (up to) immediate disqualification from the contest. Any illegal activity will be reported.
Differences from the 2011 Contest:
Please note the following differences from the 2011 contest:
- Side-prizes for being the first to crack a given challenge.
- Limits on how many challenges a single team can get points for
and/or win side-prizes for.
- Challenge files don't contain hashes inside that need to be
cracked; once you crack a challenge file, send us the plaintext for it
(we will add a challenge-specific portion to the how to submit page to clarify).
- Restrictions on merging teams (see above).
- We may choose to tweet some hints periodically during
During the contest, KoreLogic will publish updated scores as often as possible.
Challenge wins will be announced throughout the contest. We will
attempt to keep the delay to a minimum, so that teams know as soon as
possible if a challenge they're working on has been won, but we don't
make any promises about latency.
After the contest ends, KoreLogic staff will validate each submission
and will announce the winning teams on Sunday, (time TBD, but
certainly before the DEFCON closing ceremonies). The eligible team
with the highest score will be the winner. If there is a tie in total
points, the team that submitted their entry first will place
The winning teams will be required to write up their techniques /
methodologies, describe the resources/tools used to crack the
passwords, and describe any lessons learned.
At the conclusion of the contest, KoreLogic will:
- Announce the winners and award the prizes.
- Release the entire password list.
- Provide details on how each team did over time, for each hash
- Provide statistics on which types of passwords were totally missed by all teams.
Please contact firstname.lastname@example.org