Saturday, August 3, 2013

Defcon 21: Password Cracking KoreLogic's Shirt

For the past couple of years KoreLogic Security has had a wonderful presence at Defcon with their 'Crack Me If You Can' contest where some of the best password crackers in the world join up in teams or go solo to compete against each other. Although I haven't competed in this competition (mainly due to lack of hardware and wanting to spend most of my time at briefings) I always make it a point to stop by the KoreLogic booth and grab a shirt. No, I'm not doing it because it's 'free swag', I always stop by for great conversation and to get one of their shirts which have relatively simple hash(es) on them. It's rather fun to practice even the simple things with password cracking. This year for Defcon 21 the shirt they gave out looked like this:

Clearly there is a hash in there somewhere.. looking a little closer it's clear there is a 32 character pattern which wraps around the logo. Hmm.. the most common 32 character hash.. md5! Let's give it a try.

Wait.. how do we know where the hash starts and ends? We don't. There are 32 characters which means 32 different possibilities for the correct hash. To generate the different permutations I wrote a quick python script which writes all of the possible hashes to the file hashlist.hash.

#!/usr/bin/python 

hashArray = ['b','2','c','b','b','e','c','9','1','6','d','c','8','2','b','2','f','b','2','0','d','1','2','b','e','1','d','7','e','3','d','b'] 
hashList = list() 
fullHash = '' 

charIndex = 0 
while charIndex < len(hashArray): 
 hashArray = hashArray[charIndex:] + hashArray[:charIndex] 
 for i in range(len(hashArray)): 
  fullHash += hashArray[i] 
 hashList.append(fullHash) 
 fullHash = '' 
 charIndex += 1 

f = open('hashlist.hash', 'w') 
for item in hashList: 
 f.write(item + '\n') 
 print item
We now have the following possibilities:
b2cbbec916dc82b2fb20d12be1d7e3db 
2cbbec916dc82b2fb20d12be1d7e3dbb 
bbec916dc82b2fb20d12be1d7e3dbb2c 
c916dc82b2fb20d12be1d7e3dbb2cbbe 
dc82b2fb20d12be1d7e3dbb2cbbec916 
2fb20d12be1d7e3dbb2cbbec916dc82b 
12be1d7e3dbb2cbbec916dc82b2fb20d 
e3dbb2cbbec916dc82b2fb20d12be1d7 
bec916dc82b2fb20d12be1d7e3dbb2cb 
2b2fb20d12be1d7e3dbb2cbbec916dc8 
be1d7e3dbb2cbbec916dc82b2fb20d12 
cbbec916dc82b2fb20d12be1d7e3dbb2 
b2fb20d12be1d7e3dbb2cbbec916dc82 
7e3dbb2cbbec916dc82b2fb20d12be1d 
6dc82b2fb20d12be1d7e3dbb2cbbec91 
e1d7e3dbb2cbbec916dc82b2fb20d12b 
16dc82b2fb20d12be1d7e3dbb2cbbec9 
1d7e3dbb2cbbec916dc82b2fb20d12be 
c82b2fb20d12be1d7e3dbb2cbbec916d 
dbb2cbbec916dc82b2fb20d12be1d7e3 
20d12be1d7e3dbb2cbbec916dc82b2fb 
916dc82b2fb20d12be1d7e3dbb2cbbec 
3dbb2cbbec916dc82b2fb20d12be1d7e 
d12be1d7e3dbb2cbbec916dc82b2fb20 
82b2fb20d12be1d7e3dbb2cbbec916dc 
ec916dc82b2fb20d12be1d7e3dbb2cbb 
bb2cbbec916dc82b2fb20d12be1d7e3d 
d7e3dbb2cbbec916dc82b2fb20d12be1 
2be1d7e3dbb2cbbec916dc82b2fb20d1 
0d12be1d7e3dbb2cbbec916dc82b2fb2 
b20d12be1d7e3dbb2cbbec916dc82b2f 
fb20d12be1d7e3dbb2cbbec916dc82b2 

Since I am using a netbook instead of a crazy GPU rig I decided to use hashcat which does CPU cracking (plus and lite for GPU). I then downloaded the rockyou.txt wordlist from skullsecurity. Everything is now ready, I have my cracking tool, list of hashes, and wordlist. Since I am assuming it's md5 I use the following hashcat command:

./hashcat-cli32.bin -m 0 -r rules/best64.rule hashlist.hash rockyou.txt

After about 30 seconds of running we get a hit!

3dbb2cbbec916dc82b2fb20d12be1d7e:DEFCON

A little anticlimactic but fun nonetheless. This was rather simple, some would say trivial, but the script to make multiple hash permutations with only characters may be helpful to someone. Big thanks to KoreLogic for putting on the CMIYC contest and giving out shirts with challenges.