Analysis of tasks of the contest Hash Runner on PHDays IV

This year, the Hash Runner competition was held for three days before the Positive Hack Days forum, from seven in the evening on May 16 to seven in the evening on May 19 (Moscow time, UTC + 4). Thus, we tried to take into account the interests of all the teams scattered around the globe, and to allow participants to effectively use all 48 hours of the weekend, no matter what time zone they are. Many wrote to us that it was really very convenient to play on the weekends, so we will try to do so in the future.

So, congratulations to the winners!

InsidePro with a score of 22.81% (write-up: www.phdays.ru/download/Write-up.pdf ) won two R290x video cards.
Hashcat with a score of 21.23% (write-up: hashcat.net/forum/thread-3397.html ) won the R290x video card.
John-users with a score of 12.78% (write-up: openwall.com/lists/john-users/2014/05/29/2 ) took the bronze.

We presented all the winners with souvenirs of the forum.
')
Over the three-year history of the competition, the winners were the teams hashcat (appearing under the name teardrop in 2012), john-users (in 2013) and InsidePro (in 2014). Each time, the participants downloaded most of the decoded passwords in the last 15 minutes of the competition, so only at the very end did it become clear who would win. In the past two years, the InsidePro team was content with second place: in 2012, hashcat bypassed them, and in 2013 - john-users. This year, the guys from InsidePro are finally the first!

Types and cost of hashes

After much discussion, we decided to assign the value of hashes based on weights reflecting our own professional interests. For example, we wanted to draw the attention of participants to certain types of hashes. However, we considered other options. For example, one could simply give one for each decrypted hash. Such an idea was also proposed: to calculate the hash cost based on the entropy of the plaintext and the average hacking time of the hashes of this type obtained on our standard equipment. Both of these options seemed to us unsuitable for the contest: in the first case, fast hashes would play the main role, and in the second - slow ones.

* coefficient for hashes in bonus tasks

Competition Rules

First of all, we divided the competition into several tasks in accordance with different systems and approaches to cracking (that is, not only by the type of hashes). It turned out similar to Hash Runner 2013, only tasks were not tied to dictionaries, the topic of which can be guessed by prompts or several recovered passwords.

One of the features of the competition this year was how exactly the participants received hashes for hacking. Previously, teams were simply provided with a text file. This year we organized a whole lab with real systems. To compile the hashes, the participants followed the instructions given and used the exploits as in pentest. The teams received an exhaustive description of the passage of these tasks, it was almost impossible to make a mistake. Of course, no one helped the participants with the hacking of hashes themselves. Thus, teams could work with PCAP files, Lotus Domino, various web applications, SCADA project files, etc. Points for getting hashes were not awarded, but the process itself was intended to create an atmosphere for penetration testing. To be honest, we spent most of our efforts on implementing this part of the competition.

Usually, when assessing the level of security, we are not interested in unprivileged users, we need an account with elevated rights. Therefore, we added to each task 23 password hashes of administrators with different maximum entropy (23 is just a number; 966/42 has nothing to do with it). After hacking such a hash, the team received 250 bonus hashes (Raw-SHA-1, GOST, bcrypt and Raw-MD5) that were not available in the main task.

Not everything went smoothly

Errors that participants learned during the competition:

When loading the results an error occurred if the decrypted text contained a colon ":". Not to say that we did not expect this :)
Due to the fact that we made some errors when dumping the hashes for task number 3 (md4 mt_rand), the contents of user.db.php and hashrunner_2014_hashes.zip did not match. Valid data was contained in the hashrunner_2014_hashes.zip archive, and hashes from it were taken as correct answers. Thus, the task has become twice as easy. During the competition, we could not publish the details, because one of the teams has already managed to detect this error on their own. Other participants were also asked to discover and use this failure to load hashes for this task.

Errors that were corrected during the competition and which we did not immediately inform the participants:

Cisco hashes were randomly generated twice and therefore were different (due to the use of different salts in the algorithms).
The database contained an incorrect estimate for one of the bonus hashes (1 point instead of 15). Fortunately, the error was discovered on the first day of the competition, when these bonus hashes were almost never cracked by anyone.
In addition, minor differences were found between the file with all hashes and the systems themselves.

Dictionaries and mutations

We compiled dictionaries based on real work experience and diversified them with the fruits of our wild imagination: random sequences of 6 and 8 characters in length, Arabic words in the English layout, words from the Arabic forum, Arabic names, Canadian cities, chemicals, Chinese names and surnames, terms go games, words from Greek mythology, Hollywood stars, Italian cities, mythical creatures, Marvel comic characters, multiplayer role-playing game websites, mental disorders, the word "tomato" in different languages, banners web applications, as well as a random sample of the packetstor dictionaries and xato 10k dictionaries.

Further, we used mutations that are usually found by specialists during consulting, and also added some unusual options:

• Rewrite everything in Leet, rewrite only some letters on Leet, rewrite random parts of words on Leet.
• Simple mutations: "word", "year", "word", "digit1", "digit2", "digit3", "word", "spec", "year", "word", "date", "word", "date", "month" .
• Replace the case of the word “word”: for example, “WoRD” and “wORD”. Such mutations were used mainly in the dictionaries of mental disorders and mythical creatures.
• “Evil” mutations “word1” “WORD2” and “word1” “word2” “word3”.
• Add special characters: “special1” “word” “special2”, “word” “special1” “special2” “special3” “special4”.
• Writing Arabic words in Latin letters can also be considered a mutation. Words from the dictionary of simple Arabic words were typed with the same keys on the keyboard, but in Latin letters in the English layout. An example of applying such an algorithm to Cyrillic words: if the word “password” is typed in the English layout, you get “gfhjkm”.

So, all the words obtained after the use of mutations were randomly distributed between tasks. As a result, the number of passwords in the database exceeded 40 thousand. In the contests, we used only a small part of this set - we hope, in this way we managed to avoid attacks on the selection of password topics.

Analysis of some tasks

TIA Portal

It was the easiest competition in the competition. The SCADA system with the usual SHA-1 hashes, the length of the passwords is known - that’s all. By changing the provided script, it was possible to get the length of the passwords, which greatly simplified the task of hacking these hashes (see the figure below).

Lotus H-hash

In addition to two well-known hash types, lotus5 and dominosec (g-hash), hashes for versions> 8 were also generated. The first two types of hashes were very popular with participants, but hashes for versions> 8 were never tried to be cracked. Well, it’s good that in practice we haven’t met with such hashes so far.

Arab Forum

This mission was dedicated to targeted attacks. You can't just pick up the hash obtained by iterating MD5 without knowing anything about the plaintext. Yes, in our task there were “simple” password hashes consisting of less than five Latin letters, but such passwords were generated by switching the Arabic layout to English. Most dictionaries (if not all) become useless when switching to another national alphabet. The only way to solve the problem is to create your own dictionary by parsing other dictionaries or target sites. The forum in this case is excellent, you can find a huge number of words that people use in real life, and make a base of possible passwords based on the information collected. However, sometimes a simple automatic analysis of texts from the site is not enough. It is always useful to think about the unusual use of ordinary things. For example, there are at least four types of Unicode characters for encoding Arabic numbers only, and as one of the mutation masks we have chosen to add Arabic numerals to the password in the Unicode encoding. In fact, we used only three mutations:

Adding three Arabic numerals not in Unicode to the beginning of a word.
Add two Arabic numerals in Unicode to the end of a word.
Translation of Arabic letters to Latin by changing the keyboard layout.

mtrand ()

This task was devoted to bad "random" numbers that inexperienced developers like to use. Suppose we have a forum, blog or some other website. We need a secure means to form the tokens that will be used to change user passwords. It would be possible to use a linear congruential generator, but for the task we chose the Mersenne Vortex. On paper, this method of generating pseudo-random numbers looks quite good: it gives a period of 219937. The initial number is 32 bits long and is a weak point from a security point of view. Knowing him, the attacker can completely reproduce the sequence of pseudo-random numbers. However, this problem is partially solved in the standard implementation of the algorithm: as soon as the generator receives an initial value, it begins to generate all-random numbers that are different from those that would be obtained from a different initial value. Thus, the attacker will have to fully realize the Mersenne Vortex and pick up not only the initial (relatively short) value, but also the position of the target random number in the pseudo-random number stream.

This approach should work equally well for h-type hashes, and for l-type hashes, but we specifically formed both types of hashes. A developer can harm himself not only by using a cryptographically insecure pseudo-random number generator, but also incorrectly processing the resulting stream of numbers. When working with integers or with floating-point numbers in a selected programming language, you should always remember what the maximum accuracy of the representation of numbers of the selected type is and what the textual representation of these numbers will be. For example, when building the cube number 123456789, we should get 1881676371789154860897069 (if we are talking about classical decimal arithmetic) and ~ 79 bits of entropy in the text representation of this result. However, if your programming language uses a floating point representation to work with such large numbers, the result of the operation will be something like 1.8816763717892E + 24, and the entropy will drop to just ~ 45 bits. Such a password can be easily matched for any fast hashing algorithm.

Unfortunately, this task was pursued by an evil rock. First, the hashes in the database were encoded only by a single pass of the MD4 algorithm; secondly, the source code of the formation of h-hashes was slightly different from the code on the web page.

Let's take a look at the open source code.

Formation of simple open texts (for l-hashes)

function generate_password($length) { $result = 1; for($i=0; $i<$length; ++$i) $result *= mt_rand(); return $result; } for ($i=0; $i<$argv[1]; ++$i) { if (($i % 32) == 0){ mt_srand(get_real_rand()); $skip = get_real_rand() & 0xFFFF + 8192; // Fix for easy attack for ($j=0; $j<$skip; ++$j) mt_rand(); } echo generate_password(3)."\n"; $skip = get_real_rand() & 0xFF; // Fix for easy attack for ($j=0; $j<$skip; ++$j) mt_rand(); }

Formation of complex open texts (for h-hashes)

 function generate_password($length) { $result = 1; for($i=0; $i<$length; ++$i) $result .= mt_rand(); return $result; } for ($i=0; $i<$argv[1]; ++$i) { if (($i % 32) == 0){ mt_srand(get_real_rand()); $skip = get_real_rand() & 0xFFFF + 128; // Fix for easy attack for ($j=0; $j<$skip; ++$j) mt_rand(); } echo generate_password(3)."\n"; $skip = get_real_rand() & 0xFF; // Fix for easy attack for ($j=0; $j<$skip; ++$j) mt_rand(); }

As you can see, the code has a concatenation operation with a non-empty string containing the number 1, so the numbers formed in this way could not be cracked, even if the participants could recreate the MT_rand generator or use the Solar Designer code (http: // www .openwall.com / php_mt_seed /).

Tomato

Ντομάτα, domat, Paradaјz, Pomidor, tomato, ulaanlool, Լոլիկ, პომიდორი, टमाटर, टोमॅटो, हिण्डीरः, ਟਮਾਟਰ, ಟೊಮೇಟೊ, தக்காளி, තක්කාලි, 番茄, 蕃茄, ...

No comments.

Wonderful

We received a lot of questions about this task, everyone wants to know how to solve it. Honestly, we do not know. This contest (like mt_rand with Arabic words) was intended to draw the participants' attention to some of the shortcomings of modern password recovery utilities. During work, we sometimes come across various old or unpopular applications. Many of them use conventional MD5, but some implement rather intricate schemes, for example, SHA1 (base64 (MD5 (base64 (SHA1 ())))). SHA1 is widely used, base64 does not cost anything at all, but hacking the resulting hash is very difficult. It would be unwise to spend forces on creating a complex self-service module for solving such a task, but it would be nice to get a tool that combines various selection modules in the required order. Oh, and don't forget to optimize the HMAC for a 1 MB key file, since in this case, the file itself can be replaced with a one-time hash :)

Statistics

Below are graphs reflecting the results of the participants. We hope you find them interesting. We apologize in advance to the winners for the possible disclosure of their strategy :)

Graph by the number of points: