Back to Top

The Details:

Scenario:

We will release a collection of encrypted password hashes from various types of systems--UNIX servers, Windows AD, LDAP servers, webapps, etc, plus a number of encrypted files ("challenges") such as .doc, .zip, private key files, etc. Teams will have 48 hours to crack as many passwords and encrypted files as they can.

Prizes:

KoreLogic will be giving away the following prizes for first, second, and third place:

• First Place: $600 (or equivalent)
  
• Second Place: $300 (or equivalent)
  
• Third Place: $100 (or equivalent)
  

In addition, each challenge a team wins (up to the limit, see below) earns a $65 donation in their name to either EFF or Child's Play. A 65 dollar EFF donation is enough to obtain a "Copper" Membership.

Logistics:

At the start of the contest, KoreLogic will release a .zip containing one password file per hash type, and also various encrypted files (challenges). Hashes will be things like MD5, Salted MD5s, Blowfish, SHA1, SHA256, SSHA, DES, NTLM, etc. Challenge files will be encrypted .zip files, .doc's, private key files, truecrypt volumes, etc.

The passwords will range from being "easy" to extremely difficult to crack. They are not simply randomly generated passwords, which would favor the person or group with the most GPU/CPU bruteforcing horsepower. Instead, the password files contain passwords based on what we believe are challenging real-world patterns. Passwords will be of varying lengths, patterns, and complexity. Creative password cracking techniques, rules, dictionaries, and tools will be needed. The teams who are smart about the methods they use (i.e., teams who can crack more, with less work) will most likely be the most successful.

The goal of the contest is simple: score the most points.

Scoring Points:

Points are earned in several ways:

1. Each cracked password is worth some points, more points each for harder/slower hash types. For example, FreeBSD MD5 hashes are worth more than UNIX DES; bcrypt (blowfish-based) are worth more than FreeBSD MD5.
2. Bonus points for having the most hashes of a specific type (the most FreeBSD MD5, the most NTMD4, etc).
3. Each solved challenge is worth a big chunk of points, and there are also sub-prizes for solving challenges. However, teams are limited as to how many challenges they can win (see below), so big teams cannot sweep all the challenges.

The points per hash type, challenge, and bonuses will be announced soon.

Teams must provide their results directly to KoreLogic at multiple intervals during the 48 hour contest window. (See the HOWTO for details on how to submit.)

Challenges
We will publish a list of challenge file types a few days before the contest, so teams can prepare.

We typically have three or four teams that dominate the competition. We want to make sure that large teams do not sweep everything.

So this year, teams will only get credit for the first few challenges they win / solve. There are 37 challenge files, and the limit is 6 per team. Teams will score for solving up to six of them, and no points for any beyond that. Between them, the biggest/fastest teams could claim at most about half of the "first to solve" credit, but then they would max out.

If a team maxes out on points but not wins (by solving six challenges that have all already been won by some other team), they can keep trying to win others if they wish; they could not earn any more points, but would still be eligible to win new challenges (up to their max of six).

Note that while challenges won't all be of equal difficulty / amount of CPU cycles to crack. But, they will each be worth the same amount of points. So teams going for the most overall points will probably want to burn up their quota of challenges quickly on easy ones. Other teams may want to focus on winning side-prizes for being the first to crack harder challenges. Note also that the same eligibility rules apply to challenges--your team has to have someone attending DEFCON to claim the prize for a challenge win. This is a DEFCON contest, after all.

Rules:

The rules are intended to maintain good fair-play across the board. Basically, "Don't be a dick." Besides following the directions about how to register and submit, the rules are:

• You MAY use as many systems/cores/CPUs as you wish.
• You MAY use systems NOT located at DEFCON.
• You MAY work with other team members not attending DEFCON. To be eligible for a prize, your team must have at least one team member physically attending.
• You MUST ONLY use systems that you are authorized to use.
• You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
• You MUST NOT attempt to interfere with the efforts of another team (DoS, etc).
• You MUST NOT attempt to steal passwords from or techniques/methods used by another team (that they are trying to keep private).
• To be eligible for a prize, you MUST agree to share your techniques / methodologies and describe the resources/tools used to crack the passwords.
• Generally, you MUST NOT be on multiple teams, or switch teams during the contest--we will assume you stole all the cracks from the team you left, or the team you join. Plus, it's an unfair surprise to the other competitors. Exceptions include:
  • Being part of a team, but also registering individually, so that your progress can be tracked independently. This is OK as long as you tell us this is going on (email the human contact address). In this case, the sub-team(s) would not be eligible to win, only the larger team they were part of.
  • Starting the contest as a small/solo team, and then deciding you don't have the time to commit to see it through, and want to join another existing team. We don't want any last-minute surprises, but if you do this within the first 12-18 hours or so the contest, email the human contact address to let us know.
• KoreLogic staff are not eligible for the contest.
  
• The files containing the password hashes will not be released until the start of the contest.
  

Any violation of the rules will result in (up to) immediate disqualification from the contest. Any illegal activity will be reported.

Differences from the 2011 Contest:

Please note the following differences from the 2011 contest:

• Side-prizes for being the first to crack a given challenge.
• Limits on how many challenges a single team can get points for and/or win side-prizes for.
• Challenge files don't contain hashes inside that need to be cracked; once you crack a challenge file, send us the plaintext for it (we will add a challenge-specific portion to the how to submit page to clarify).
• Restrictions on merging teams (see above).
• We may choose to tweet some hints periodically during the contest.

Results:

During the contest, KoreLogic will publish updated scores as often as possible.
Challenge wins will be announced throughout the contest. We will attempt to keep the delay to a minimum, so that teams know as soon as possible if a challenge they're working on has been won, but we don't make any promises about latency.

After the contest ends, KoreLogic staff will validate each submission and will announce the winning teams on Sunday, (time TBD, but certainly before the DEFCON closing ceremonies). The eligible team with the highest score will be the winner. If there is a tie in total points, the team that submitted their entry first will place higher.

The winning teams will be required to write up their techniques / methodologies, describe the resources/tools used to crack the passwords, and describe any lessons learned.
At the conclusion of the contest, KoreLogic will:

• Announce the winners and award the prizes.
  
• Release the entire password list.
  
• Provide details on how each team did over time, for each hash type.
  
• Provide statistics on which types of passwords were totally missed by all teams.
  

Good luck!

Please contact defcon-2012-contest@korelogic.com with any questions (PGP key)