OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 09:27AM

February's AppSec Research 2010 challenge is about breaking hashed passwords. It starts off easy with the old LM hash and ends with SHA256 and GOST3411.

http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges

*** How To Win (with a twist) ***
The first one to publish each broken password gets points according to the table below but at the same time helps the others since the password is the salt of the next hash. So you have to decide -- should you publish your cracked password and collect your points before the others or should you keep it a secret to get a head start cracking the next one?

To collect points for a password you must be the first one to publish that broken password on this sla.ckers.org thread. Please send an email to john.wilander@owasp.org at the same time so we can correct any misunderstandings. For instance we can happen to run into hash collisions, where someone finds another mixed alpha password of max 5 characters that concatenated with the right salt produces the same hash. In such a case we will publish the real password and give points to the one who found the collision.

The one with the most points on March 21st wins a free ticket to the conference!

*** Points to Earn ***
pwd1 (LM) => 1 point
pwd2 (MD2) => 3 points
pwd3 (MD4) => 5 points
pwd4 (MD5) => 9 points
pwd5 (RIPEMD160) => 15 points
pwd6 (SHA1) => 25 points
pwd7 (SHA256) => 50 points
pwd8 (GOST3411) => 100 points

*** The Hashes ***
Each password consists of a-zA-Z (mixed alpha) and is max 5 characters long. With salt that means max 10 mixed alpha characters as input to the hash function. All hashes here are in hex format. The Java source code has all the details. The plus operator means string concatenation.

LM(pwd1) 0C04DACA901299DBAAD3B435B51404EE
MD2(pwd2 + pwd1) 16189F5462BF906E9D88CF6F152DE86F
MD4(pwd3 + pwd2) FA8F46A6D347087D6980C3FA77DD4DE9
MD5(pwd4 + pwd3) 425B33D6F60394C897B8413B5C185845
RIPEMD160(pwd5 + pwd4) 35F34671D30472D403937820DCABC1C78C837071
SHA1(pwd6 + pwd5) AE81A30510B2931921934218636B26A803330EB1
SHA256(pwd7 + pwd6) B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
GOST3411(pwd8 + pwd7) 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971

Example: Given that pwd1 is "Win" and pwd2 is "You", the hash 16189F5462BF906E9D88CF6F152DE86F is the result of MD2("YouWin"). Now pwd2 will be the salt when you crack pwd3.

*** The Source Code ***
The source code we've used to produce the hashes is available here (http://www.owasp.org/images/7/79/OwapsAppSecResearch2010HashChallenge.zip). It's Java and all but the LM hash is done with Bouncy Castle 1.4.5 (http://www.bouncycastle.org/latest_releases.html).



Edited 2 time(s). Last edit at 02/21/2010 09:43AM by ManJIT.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ethicalhack3r
Date: February 21, 2010 10:10AM

1 = OWASP

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sundancekid
Date: February 21, 2010 10:24AM

2: GnuOWASP

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 10:25AM

Yes, LM(pwd1) = OWASP, so ethicalhack3r earns 1 point.

As stated above -- the first one to publish a certain password *here* on sla.ckers earns the points. The email to me (John) is just to track progress and correct any misunderstandings.

Good luck with MD2!

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 10:26AM

Yes, MD2(pwd2+pwd1) = GnuOWASP, so sundancekid earns 3 points.

Good work!

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sundancekid
Date: February 21, 2010 10:31AM

3rd pw: lOOp

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 10:34AM

Yes, MD4(pwd3+pwd2) = lOOpGnu, so sundancekid earns another 5 points for a total of 8 points.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: thornmaker
Date: February 21, 2010 10:40AM

1: OWASP
2: Gnu
3: lOOp
4: Sthlm
5: klue
6: ZaQx
7: pryL

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ethicalhack3r
Date: February 21, 2010 10:45AM

That was damn fast!

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: Reiners
Date: February 21, 2010 10:50AM

8: jzbTa



Edited 1 time(s). Last edit at 02/21/2010 02:18PM by Reiners.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: thornmaker
Date: February 21, 2010 10:53AM

@Reiners: you rock :)

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 10:54AM

Phew, that's fast! But I can only confirm the cracked hashes. So we have pwd8 left to break -- GOST3411(pwd8 + "pryL").

Current standing:

Thornmaker 99 points
Sundancekid 8 points
Ethicalhack3r 1 point

... and the final hash (GOST3411) gives 100 points so it's still an open game!

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sirdarckcat
Date: February 21, 2010 10:57AM

lol, "The one with the most points on March 21st wins a free ticket to the conference!", less than 24 hours.. but well, 5 alnum chars was kinda-easy.. arbitrary length dictionary words, would have left it open for a week I think..

ethicalhack3r=1
sundancekid=8
thornmaker=99
Reiners=100

haha

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 02/21/2010 11:00AM by sirdarckcat.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 11:01AM

@Reiners

hasher.convertToUpperCaseHex(hasher.gost3411.digest("jZbTapryL".getBytes())) = E375ED0770C66195B6566987B41EF4B071F4EB5316B67D9638D4934CD3436DE8 != 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971

... according to the Java code supplied. So as far as I can see the compo is still open.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: thornmaker
Date: February 21, 2010 11:02AM

@reiners btw, what tool did you use to get GOST3411?
[edit:] hm, well, maybe not... the hash doesn't match?



Edited 1 time(s). Last edit at 02/21/2010 11:03AM by thornmaker.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sundancekid
Date: February 21, 2010 11:05AM

hmm which sboxes shall be used for gost challenge?
01,02 or 01.ex?

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ethicalhack3r
Date: February 21, 2010 11:05AM

@thornmaker

"It's Java and all but the LM hash is done with Bouncy Castle 1.4.5 (http://www.bouncycastle.org/latest_releases.html)."

I suppose you just use Bouncy Castle to generate hashes and then compare them to the hash given.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sirdarckcat
Date: February 21, 2010 12:49PM

well.. I made this code, and it "finished"..

http://pastebin.ca/1804883

so, either there's a problem with my code, or.. well.. maybe a typo or something?

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: chosi
Date: February 21, 2010 01:17PM

me too.
seems like you have a typo in your challenge :P

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 01:21PM

@sirdarckcat

If I replace the strToHash on line 70 with the correct password the boolean expression in the conditional on line 71 becomes true.

My workspace is set to UTF-8 if that helps.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: chosi
Date: February 21, 2010 01:28PM

"mixed alpha" does not include weird letters like ö, does it? ;)

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 01:29PM

@sirdarckcat, @chosi

I also tried with my default locale (sv_SE), US locale (en_US), and UK (en_GB) and I get the same result.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 01:30PM

@chosi

No, mixed alpha is a-zA-Z.

åäöÅÄÖ are nice though :).

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sirdarckcat
Date: February 21, 2010 01:34PM

it must be a bug in the way I generate the subsets then! thanks manjit.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sundancekid
Date: February 21, 2010 01:53PM

Hrm, could it be that the GOST implementation of Bouncy Castle does not conform to the standard? I tried two C implementations, which both produced different output.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 02:03PM

@sundancekid

I browsed some BC version comments and there might (have) be(en) such issues. That's why we wanted to publish the exact code and BC version we produced the hashes with.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sundancekid
Date: February 21, 2010 02:46PM

8th pw: winna (winnapryL)

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: ManJIT
Date: February 21, 2010 02:51PM

And we have a winner! sundancekid gets the hundred with the last password "winna".

Congratulations and a warm welcome to the conference in Stockholm, June 21-24. We'll get in contact with you regarding registration.

Sundancekid 108 points
Thornmaker 99 points
Ethicalhack3r 1 point

Thanks everyone for the hard work and exciting end!



Edited 1 time(s). Last edit at 02/21/2010 02:52PM by ManJIT.

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: chosi
Date: February 21, 2010 02:56PM

ugh, congrats man..
and of course the bruteforce starts with A and ends with z :P

Re: OWASP Challenge 9: Crack 'Em Hashes
Posted by: sirdarckcat
Date: February 21, 2010 03:01PM

awesome! congrats :D

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
