For the past couple of years KoreLogic Security has had a wonderful presence at Defcon with their 'Crack Me If You Can' contest where some of the best password crackers in the world join up in teams or go solo to compete against each other. Although I haven't competed in this competition (mainly due to lack of hardware and wanting to spend most of my time at briefings) I always make it a point to stop by the KoreLogic booth and grab a shirt. No, I'm not doing it because it's 'free swag', I always stop by for great conversation and to get one of their shirts which have relatively simple hash(es) on them. It's rather fun to practice even the simple things with password cracking. This year for Defcon 21 the shirt they gave out looked like this:
Clearly there is a hash in there somewhere. Looking a little closer, there is a 32-character pattern which wraps around the logo. Hmm, the most common 32-character hash: MD5! Let's give it a try.
Wait, how do we know where the hash starts and ends? We don't. There are 32 characters, which means 32 possible starting points and therefore 32 candidates for the correct hash. To generate these rotations I wrote a quick Python script which writes all of the possible hashes to the file hashlist.hash.
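```python
#!/usr/bin/python
# Characters of the hash as read off the shirt, starting at an arbitrary point.
hashArray = ['b','2','c','b','b','e','c','9','1','6','d','c','8','2','b','2','f','b','2','0','d','1','2','b','e','1','d','7','e','3','d','b']
hashList = list()
fullHash = ''
charIndex = 0
while charIndex < len(hashArray):
    # The rotation is applied to the already-rotated list, so the total
    # offsets are 0, 1, 3, 6, 10, ... rather than 0, 1, 2, ...; with a
    # 32-character string this still yields every rotation exactly once.
    hashArray = hashArray[charIndex:] + hashArray[:charIndex]
    for i in range(len(hashArray)):
        fullHash += hashArray[i]
    hashList.append(fullHash)
    fullHash = ''
    charIndex += 1

# Write one candidate per line for hashcat and echo it to the terminal.
with open('hashlist.hash', 'w') as f:
    for item in hashList:
        f.write(item + '\n')
        print(item)
```

We now have the following possibilities: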
b2cbbec916dc82b2fb20d12be1d7e3db 2cbbec916dc82b2fb20d12be1d7e3dbb bbec916dc82b2fb20d12be1d7e3dbb2c c916dc82b2fb20d12be1d7e3dbb2cbbe dc82b2fb20d12be1d7e3dbb2cbbec916 2fb20d12be1d7e3dbb2cbbec916dc82b 12be1d7e3dbb2cbbec916dc82b2fb20d e3dbb2cbbec916dc82b2fb20d12be1d7 bec916dc82b2fb20d12be1d7e3dbb2cb 2b2fb20d12be1d7e3dbb2cbbec916dc8 be1d7e3dbb2cbbec916dc82b2fb20d12 cbbec916dc82b2fb20d12be1d7e3dbb2 b2fb20d12be1d7e3dbb2cbbec916dc82 7e3dbb2cbbec916dc82b2fb20d12be1d 6dc82b2fb20d12be1d7e3dbb2cbbec91 e1d7e3dbb2cbbec916dc82b2fb20d12b 16dc82b2fb20d12be1d7e3dbb2cbbec9 1d7e3dbb2cbbec916dc82b2fb20d12be c82b2fb20d12be1d7e3dbb2cbbec916d dbb2cbbec916dc82b2fb20d12be1d7e3 20d12be1d7e3dbb2cbbec916dc82b2fb 916dc82b2fb20d12be1d7e3dbb2cbbec 3dbb2cbbec916dc82b2fb20d12be1d7e d12be1d7e3dbb2cbbec916dc82b2fb20 82b2fb20d12be1d7e3dbb2cbbec916dc ec916dc82b2fb20d12be1d7e3dbb2cbb bb2cbbec916dc82b2fb20d12be1d7e3d d7e3dbb2cbbec916dc82b2fb20d12be1 2be1d7e3dbb2cbbec916dc82b2fb20d1 0d12be1d7e3dbb2cbbec916dc82b2fb2 b20d12be1d7e3dbb2cbbec916dc82b2f fb20d12be1d7e3dbb2cbbec916dc82b2
Since I am using a netbook instead of a crazy GPU rig I decided to use hashcat, which does CPU cracking (plus and lite are for GPU). I then downloaded the rockyou.txt wordlist from skullsecurity. Everything is now ready: I have my cracking tool, list of hashes, and wordlist. Since I am assuming it's MD5 I use the following hashcat command:
./hashcat-cli32.bin -m 0 -r rules/best64.rule hashlist.hash rockyou.txt
After about 30 seconds of running we get a hit!
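An added example, not part of the original post: instead of writing 32 rotated hashes to a file, this hashes each wordlist candidate once and looks the digest up among every reading of the ring, including the reverse direction, which the script above does not cover. The function names, the sample word and the short wordlist are constructed for illustration; the shirt's real plaintext is not used.

```python
import hashlib


def rotations(ring):
    """Map every reading of a circular string to (direction, start offset)."""
    out = {}
    for direction, text in (("forward", ring), ("reverse", ring[::-1])):
        for offset in range(len(text)):
            # setdefault keeps the first label when two readings coincide
            out.setdefault(text[offset:] + text[:offset], (direction, offset))
    return out


def find_plaintext(ring, words):
    """Hash each candidate once and check it against all readings of the ring."""
    candidates = rotations(ring.lower())
    for word in words:
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        if digest in candidates:
            direction, offset = candidates[digest]
            return word, digest, direction, offset
    return None


def demo():
    # Constructed sample (assumption, not the shirt's hash): the MD5 of a
    # made-up word, rotated by 11 characters to mimic an unknown start point.
    secret = "constructed-example"
    digest = hashlib.md5(secret.encode("utf-8")).hexdigest()
    ring = digest[11:] + digest[:11]
    words = ["password", "defcon", secret, "letmein"]  # constructed wordlist
    return find_plaintext(ring, words), ring


if __name__ == "__main__":
    result, ring = demo()
    print("ring as read:", ring)
    print("match:", result)
```

The lookup costs one MD5 per candidate word regardless of how many rotations there are, and the returned offset shows where on the ring the real hash begins.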
A little anticlimactic but fun nonetheless. This was rather simple, some would say trivial, but the script for generating every rotation of a string of characters may be helpful to someone. Big thanks to KoreLogic for putting on the CMIYC contest and giving out shirts with challenges.