For the past couple of years KoreLogic Security has had a wonderful presence at Defcon with their 'Crack Me If You Can' contest, where some of the best password crackers in the world join up in teams or go solo to compete against each other. Although I haven't competed in this competition (mainly due to lack of hardware and wanting to spend most of my time at briefings), I always make it a point to stop by the KoreLogic booth and grab a shirt. No, I'm not doing it because it's 'free swag'; I always stop by for great conversation and to get one of their shirts, which have relatively simple hash(es) on them. It's rather fun to practice even the simple things with password cracking. This year for Defcon 21 the shirt they gave out looked like this:
Clearly there is a hash in there somewhere... Looking a little closer, it's clear there is a 32-character pattern which wraps around the logo. Hmm... the most common 32-character hash... MD5! Let's give it a try.
Wait... how do we know where the hash starts and ends? We don't. The pattern wraps around, so any of its 32 characters could be the first one, which means 32 different possibilities for the correct hash. To generate the different permutations (each one is a rotation of the same 32 characters) I wrote a quick Python script which writes all of the possible hashes to the file hashlist.hash.
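#!/usr/bin/python
# Characters in the order they appear around the logo, from an arbitrary start
hashArray = ['b','2','c','b','b','e','c','9','1','6','d','c','8','2','b','2','f','b','2','0','d','1','2','b','e','1','d','7','e','3','d','b']
hashList = list()
charIndex = 0
while charIndex < len(hashArray):
    # Rotate the already-rotated array left by charIndex. The offsets accumulate
    # (0, 1, 3, 6, 10, ...), which still yields all 32 distinct rotations,
    # just not in sequential order.
    hashArray = hashArray[charIndex:] + hashArray[:charIndex]
    hashList.append(''.join(hashArray))
    charIndex += 1
# Write one candidate hash per line, the format hashcat reads
with open('hashlist.hash', 'w') as f:
    for item in hashList:
        f.write(item + '\n')
        print(item)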
We now have the following possibilities:
Since I am using a netbook instead of a crazy GPU rig, I decided to use hashcat, which does CPU cracking (plus and lite for GPU). I then downloaded the rockyou.txt wordlist from skullsecurity. Everything is now ready: I have my cracking tool, list of hashes, and wordlist. Since I am assuming it's MD5, I use the following hashcat command:
./hashcat-cli32.bin -m 0 -r rules/best64.rule hashlist.hash rockyou.txt
After about 30 seconds of running we get a hit!
3dbb2cbbec916dc82b2fb20d12be1d7e:DEFCON
A little anticlimactic but fun nonetheless. This was rather simple, some would say trivial, but the script to make multiple hash permutations with only characters may be helpful to someone. Big thanks to KoreLogic for putting on the CMIYC contest and giving out shirts with challenges.
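The same start-point search can be done without writing out a candidate list. This is an added example, not code from the original post: a string is a rotation of the ring exactly when it has the same length and occurs inside the ring concatenated with itself, so each candidate word is hashed once and looked up directly. The function names, the sample word and the short wordlist are hypothetical and constructed for illustration.

```python
import hashlib

# Ring of characters exactly as listed in the post's script (arbitrary start).
PAGE_RING = "b2cbbec916dc82b2fb20d12be1d7e3db"


def rotations(ring):
    """Return every rotation of ring; item i starts at offset i."""
    return [ring[i:] + ring[:i] for i in range(len(ring))]


def find_offset(ring, digest):
    """Return the offset where digest starts in the circular ring, or -1.

    A string is a rotation of ring exactly when it has the same length
    and occurs inside ring + ring, so no candidate list has to be built.
    """
    if len(digest) != len(ring):
        return -1
    return (ring + ring).find(digest)


def recover(ring, words):
    """Hash each word once with MD5; return (offset, word, digest) or None."""
    for word in words:
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        offset = find_offset(ring, digest)
        if offset != -1:
            return offset, word, digest
    return None


def make_ring(word, shift):
    """Build a constructed test ring: MD5 of word, rotated left by shift."""
    digest = hashlib.md5(word.encode("utf-8")).hexdigest()
    return digest[shift:] + digest[:shift]


if __name__ == "__main__":
    # Constructed sample: the ring hides md5("constructed-word"), rotated by 11.
    ring = make_ring("constructed-word", 11)
    print(recover(ring, ["password", "123456", "constructed-word"]))
    # The post's ring, checked against the plaintext the post reports.
    print(recover(PAGE_RING, ["DEFCON"]))
```

The returned offset is the position in the ring at which the real digest begins; for the hit shown in the post, that position is 29 in the character order used by the script.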