Korelogic Logo
"Crack Me If You Can" - DEFCON 2012
  Team Hashcat has won the contest!  
Back to [Teams] [Top]

Team 16Systems

Link to original writeup (external)


Active Members 1
Names Brad Tilley
Software John the Ripper, Word Machine, TCHead
Hardware Celeron 430, Atom N270, a few extra-large EC2 instances


I was a one man cracking team again this year at the Defcon password cracking contest. I used my own software along with John the Ripper. No fancy, high-priced GPUs and no proprietary, closed-source software. I won two first place prizes by cracking most of the TrueCrypt volumes before anyone else. I cracked these on an old Intel Celeron running Debian GNU/Linux that serves as the gateway into my home network. Also, I cracked most of the fast hashes on an old Intel Atom netbook running OpenBSD. Efficiency is so under-appreciated these days. I used a few EC2 extra-large CPU instance to crack most of the harder hashes. My final, over-all position was 7th place, although I held 5th place for most of the contest. There were 17 registered teams.

List of software I used List of passwords I cracked Issue I discovered cracking symmetric PGP files Conclusion and Suggestions

It was fun. Thanks to jpd (my former colleague from the ITSO) for getting the registration code for me. Thanks to KoreLogic for hosting the contest. I found a small memory leak in TCHead and discovered a few other interesting things about TrueCrypt volumes. This is my last year participating in the contest as a one man team. The same big teams always win and the little guys stand no real chance. Here are my suggestions for future contests:
  1. Create team divisions so that big teams with dozens of members and dozens of GPUs would only compete with each other. Sort of similar to divisions in boxing (heavy weights, middle weights, light weights). That would make for a more evenly balanced contest and ensure that small teams have just as much of a chance to win as the big teams.
  2. Provide bonus points to teams that use software they wrote themselves or hardware they built themselves from scratch. Anyone can download and execute other people's software and/or buy lots of high-priced video cards. Neither of those require much thought or creativity and neither of those are a cool hack suitable for Defcon.
Final Note

Experimenting a bit this afternoon (day after the contest ended) I've seen that the focus this year seems to have been on pass phrases more so than passwords. I should have known that based on the hints provided toward the end of the contest. Here are some examples:

at him and the (RawMD4)
for some time all (RawMD4)
him to say what (RawMD4)
no out no they (RawMD4)
not get over it (RawMD4)
that she could get (RawMD4)
that would be a (RawMD4)
them as if they (RawMD4)
to use now that (RawMD4)
we the people of (RawMD4)
what could be his (RawMD4)
with me to the (RawMD4)
you know out and (RawMD4)
can just make out (paulw)
him out of this (smithjo)
if I have not (martindo)
in which he will (aslim)
now look than would (nelsons)
of what could be (sara.morgan)
the other day at (daperez)

Had I had time to work on the contest more, I would have cracked lots of these. Here's how I used word machine and John the Ripper with this word list to crack the above four word pass phrases:
wm --low --words most_common_english_words.txt | \
	wm --append 1 --chars=" " --words stdin | \
	wm --awords most_common_english_words.txt --words stdin | \
	wm --append 1 --chars=" " --words stdin | \
	wm --awords most_common_english_words.txt --words stdin | \
	wm --append 1 --chars=" " --words stdin | \
	wm --awords most_common_english_words.txt --words stdin | \
	/usr/local/bin/john-1.7.9-jumbo-6/run/john --format=raw-md4 \
		--pipe hashes-8.raw-md4.txt --pot=day_after.pot

Date: July 29, 2012


Please contact us if you would like more information about our services, tools, or careers with us.
Privacy Policy : Copyright 2012. KoreLogic Security. All rights reserved