bobbyroode:abc123 => Using john the ripper without wordlistsdefcon:P@ssw0rd => :Gopal => :yaruga7 => :sojjjsojj9 => Hashcat with 10-million-wordlistundertaker:L!verpool => Hashcat with 10-million-wordlist and rulesromanreigns:11128 => Hashcat with rockyou.txtsethrollins:kane311 => Hashcat with rockyou.txt and best064 rulesniajax:Competitive => Hashcat, 10-million passwords, ORTRTAcharlotteflair:L7L8oPwK => Hashcat, brute force 8 character alphanumeric strings on gCloudrandyorton:divvsdivu => Hashcat, Crackstation list, hob064 rulekevinowens:game-destroying => Crackstation list, ORTRTAbraywyatt:5pin873 => Hashcat, 15GB wordlistsashabanks:im46in312 => Hashcat, 15GB wordlistajstyles:syphilitic => Crackstation listrubyriott:re2404 => brute force alphanumericfinnbalor:frobnitz => Wordlists with rulesrondarousey:yagubets1d => Wordlists with rulesalexabliss:Mlsw => brute force alphanumericandyrose:q59dds => Wordlists with rulesthemiz:p3yh28 => Wordlists with rulesbrocklesnar:v2p6jc => Wordlists with rulessonyadeville:YIM1 => brute force alphanumericshanemcmahon:kJmL => brute force alphanumericcarmella:VG;q => brute force special chars
Defcon 16 Crack
My method was as follows. Follow this tutorial (gist.github.com/koenrh/801766782fe65b279b436576d935d5d3) to set up Google Cloud GPUs. Then, run Crackstations 15GB wordlist through it ( -wordlist-password-cracking-dictionary.htm. Obviously you want to use rules, to keep it simple: Use short rules for hard to crack hashes such as SHA512 ( -code/Hob0Rules/blob/master/hob064.rule, and use more extensive rules for faster hashes like NTLM ( _cracking_rules.
I first began by using online tools for the NTLM passwords to obtain 4/31 passwords. Then I used John the Ripper and over 100GB of password lists (many came from: -cracking-dictionarys-download-for-free/ (Links to an external site.)) to reach 19/31 by cracking a total of 15 MD5 and SHA512 passwords. I used the same lists on the NTLM passwords with Hashcat, but had no luck. At this point, I started a brute force approach to try to ensure that no short passwords slipped through. I ultimately cracked a total of 4 more MD5 and SHA512 passwords, bringing my total to 23. I also tried brute force on NTLM but had no luck. Finally, I tried rules with Hashcat (hob064 and ORTRTA) on all categories but had no luck. Ultimately, I started about 10 days late used only my own hardware, so I am pleased with the results. But, I am surprised that I did not have better luck with the NTLM passwords.
Three of these hackers talked to me, the other four were covert about their hat hacking. The top scorer used a shell script to automate logging-in with the cracked passwords and putting his name on the scoreboard.
At a high level the contest consisted of cracking a variety of encrypted files, each of which would have individual hashes to crack. For the street teams, the password to crack the encrypted files were fairly simple, so the real challenge there was getting your tooling setup properly to handle those files.
Still, there are times when you have a larger set of rules you quickly want to apply one or more additional mangling rules to. One of the easier ways to to this is to pipe one instance of JtR or Hashcat into another instance of your cracking program of choice.
Of course I need to make a new tip utilizing the PCFG toolset! The PCFG trainer is a really powerful tool to create input dictionaries from cracked passwords. During this contest, one thing I noticed from the passwords I was cracking was that KoreLogic added a large number of two/three letter prefixes/suffixes to the base word. For example, here is some of the mangling rules I started using.
It was harder, but not impossible, for Rose and Ramsey to crack the Mesh Motion Bitlock bicycle lock. Using free software, they replicated the lock's wireless profile on an Android phone, then were able to stage a man-in-the-middle attack on the traffic flowing between the Bitlock, its smartphone app and Mesh Motion's cloud servers.
We may not all be Macgyver, but we can certainly channel our inner detective by bolstering our lock picking skills. And some of the hardest locks to crack open are combination locks, which have several disks are require advanced lockpicking skills.
To sum up, with only one simple filter, around 62% of cloaked packets were removed (126K cloaked in the cloaked packets file + 48K in the filtered file) and it helped cracking the file but we will do better with the other filters and the combined filters.
DEFCON hackers will share their skills with the next generation at a first-ever children's version of the infamous gathering of software renegades, lock pickers and social engineers. googletag.cmd.push(function() googletag.display('div-gpt-ad-1449240174198-2'); ); DEFCON Kids will take place in Las Vegas on August 6-7 during the 19th annual DEFCON started by hackers such as "Dark Tangent" when they were young computer coding or hardware cracking rebels."Hackers are getting older and having kids," said Joe Grand, a DEFCON veteran known as 'Kingpin' who has wowed attendees with event badges made of circuit boards that could be hacked to serve as radios or other gadgets."It is interesting to follow the process of other people's backup units; how they are coming along."Grand, 35, recalling teen years in which his electronics skills got him benefits such as free telephone calls and trouble like an arrest for "computer-related stuff" he didn't detail."I was scared straight and there was nobody there to guide me straight," said Grand, who will teach hardware hacking at DEFCON Kids, which is open to children ages eight to 16."It feels nice to have an opportunity to be a mentor for kids who might be outcasts at school for having skills that aren't cool; that other kids don't understand."Grand's two-and-a-half-year-old son has his own work space in dad's lab where he excitedly looks forward to being old enough to solder circuits.A hacker conference for children is controversial even in the DEFCON community.Prime targets for criticism include lock picking and social engineering, the art of manipulating people into revealing sensitive information."Everyone is up in arms that we are going to teach kids to be evil, but that is not the case," said Chris Hadnagy, who trains companies to guard against slick-talking hackers and runs the website social-engineer.org."Think critically, think objectively -- that is what this industry teaches people," continued Hadnagy, a DEFCON Kids mentor."The Internet is a breeding ground of predators, and not falling for those things is a skill I want my kids to have when someone is trying to manipulate them into something; whether it is peer pressure or a malicious adult."Hadnagy and others behind DEFCON Kids were adamant that in a world where children are surrounded by technology it is smart to provide guidance and a place where they can safely, and legally, test hacker skills. (adsbygoogle = window.adsbygoogle []).push(); Hadnagy, whose book Social Engineering: The Art of Human Hacking came out this year, tailored a "Capture the Flag" game for the event.The game will include deciphering clues, picking locks, and reading body language and subtle facial expressions."Kids are great at it," said Hadnagy. "This gives them a chance to grow into what we are now, the ones who keep companies secure."Since DEFCON debuted in 1993, many once-nefarious attendees have become computer security good guys bent on defending companies and homes against cyberattacks.Government agents once flushed out in a game called "Spot the Fed" at the world's largest hacker gathering are now welcomed on panels such as "Meet the Fed." National police agencies recruit talent at DEFCON.DEFCON founder Jeff Moss, whose hacker handle is Dark Tangent, is on a White House homeland defense council and heads security for the agency in charge of Internet addresses.The US National Security Agency is to bring a museum-quality cryptography exhibit this year."While DEFCON has a bit of edgy counter-culture to it, there is a need to harness, direct and encourage children," said Christofer Hoff, a hacker dad and a lock picking tutor at DEFCON Kids. "It is a natural complement."Hoff has taught his daughters to pick locks and launched HacKids camps in the United States about a year ago after peers in the security industry wondered how to hook children on science and math skills."I got to learn about computers and do fun stuff like trebuchets and marshmallow gun fights," said his 10-year-old daughter and hackid.org camp attendee Chloe. "It was really cool to figure out how things work."Hoff's girls will be volunteer "goons" helping at DEFCON Kids, where his session was renamed "The physics of locks.""When we talk about teaching kids hacking it is about the creative, sometimes interesting out-of-the-box embracing of science, math, computers...to get their creative juices flowing," Hoff said."If you teach a kid how to light a match, does it mean he will turn into an arsonist?" he asked rhetorically. "Probably not, but he will learn how not to burn himself."Information was online at defconkids.org. (c) 2011 AFP
The next target was the transportation network security camera system. After various steps on the wireless access points, things that included antennas, scanning, air-cracking, Wireshark, and MITM attacks, Illera got an invalid certificate, and then finally Siemens login. This means SCADA and critical infrastructure that can be instantly controlled and operated over the Internet.
During Positive Hack Days V, I made a fast track presentation about eCryptfs and password cracking. The idea came to me after using one feature of Ubuntu which consists in encrypting the home folder directory. This option can be selected during installation or activated later.If you select this option, nothing changes for the user except that data in his home folder is encrypted. I was interested to know how this process works since the passphrase for decryption is never requested. I discovered that eCryptfs is included in the GNU/Linux kernel and tools called ecryptfs-utils are used to setup the home folder encryption by the Ubuntu distribution. 2ff7e9595c
Comments