KoreLogic's Password Cracking Contest at DEF CON

CMIYC 2022 Hashsets and Bundles

All of the hash sets this year (except yescrypt) were cheap, fast, unsalted (or fixed-salt) hash types; the primary challenge wasn't cracking the password hashes, it was cracking the encrypted containers bundling them up in order to get to the hashes.

If you've ever been on a pentest and harvested dozens of PASSWORDS.XLS and AccountInfo.zip files off of users' desktops, you know the value of cracking a variety of encrypted artifacts in a hurry.

Various encrypted container file types were used, each containing hashes using a different weak cipher, of plaintexts that used one or more unique combinations of source material (wordlist) and mutation rule(s).

Bundles Used

The bundles for Pro were:

| Bundle | List | Hash Type | Points Each | Count | Total Points |
|---|---|---|---:|---:|---:|
| 7z | list0 | yescrypt | 100000 | 4 | 400000 |
| web_url | list5 | raw-sha384 | 46 | 6023 | 277058 |
| ZIP-Big | list6 | raw-sha512 | 43 | 5382 | 231426 |
| PDF | list21 | mysqlna | 17 | 5043 | 85731 |
| GPG | list23 | raw-sha224 | 14 | 9999 | 139986 |
| LoopAES | list4 | raw-sha256 | 13 | 10231 | 133003 |
| KeePass | list2 | mssql05 | 9 | 10000 | 90000 |
| soffice | list15 | vBulletin | 6 | 7805 | 46830 |
| KeePass-Key | list3 | nsldaps | 5 | 10000 | 50000 |
| KeePass-Key | list9 | nsldaps | 5 | 12006 | 60030 |
| gocryptfs | list12 | raw-sha1 | 5 | 17444 | 87220 |
| zip-small | list1 | half-md5 | 3 | 6029 | 18087 |
| zip-small | list8 | half-md5 | 3 | 14571 | 43713 |
| rar | list7 | raw-md5 | 1 | 5767 | 5767 |
| rar | list10 | raw-md5 | 1 | 7556 | 7556 |

And for Street:

| Bundle | List | Hash Type | Points Each | Count | Total Points |
|---|---|---|---:|---:|---:|
| 7z | list20 | raw-sha384 | 46 | 10004 | 460184 |
| gocryptfs | list13 | raw-sha512 | 43 | 2803 | 120529 |
| rar | list14 | mysqlna | 17 | 4214 | 71638 |
| zip | list19 | raw-sha256 | 13 | 4997 | 64961 |
| KeePass | list11 | mssql05 | 9 | 10812 | 97308 |
| soffice | list18 | raw-sha1 | 5 | 5455 | 27275 |
| PDF | list24 | nsldaps | 5 | 2000 | 10000 |
| zip2 | list16 | half-md5 | 3 | 2766 | 8298 |
| GPG | list17 | raw-md5 | 1 | 2933 | 2933 |

Wordlists and Rules Used

Naaaah. Come back later. Sometime after the contest has ended, we will reveal more information about the ideas / wordlist sources / mutation methods used in the different lists.