Hash Olympics - A Hash Cracking Contest Without Good Hardware
I was always a big fan of “Crack The Hash” contests, where every participant is given a hash value and some hints and tries to crack it in a short amount of time. I wanted to run a similar contest for my Twitch followers. While hash cracking contests are fun, they require good hardware to be successful. Unfortunately, my followers are mostly students and, due to the economic crisis in Turkey, they cannot afford computers with good hardware.
So I had to create a contest format in which both rich and poor students can participate equally. It should be a contest of knowledge and hard work, not money. The result is a format named “Hash Olimpiyatları (Hash Olympics)”. In this format, I announce an attack combination one week before the contest (see the Contest Process section for details). During that week, the participants analyze and prepare the best lists for the given attack combination. They do not crack the hashes themselves; they send me the required lists (wordlist, masks, rules) before the contest, and I crack the hashes of the target database live on Twitch with the lists they sent.
Contest Process
- The contest is held with a moderator (streamer) and participants.
- The moderator finds an actual database leak, removes the PII and keeps only the hashes.
- The name of the leak is not announced before the contest. However, if the leaked site had a password policy, it should be announced.
- The moderator defines an attack combination from the elements below (the combination is different in every contest):
  - Wordlist size
  - Number of Hashcat rules
  - Number of Hashcat masks (and their complexity limit)
  Example combinations: 1) a wordlist with 30 passwords, 15 rules, 0 masks; 2) a wordlist with 50 passwords, 10 rules, 1 mask.
- Participants prepare those lists to crack as many hashes as possible. The lists are sent to the moderator by e-mail before the contest. An example scenario: the moderator announced the following attack combination: a wordlist with 5 passwords, 5 rules, 1 mask. A participant would then send these lists:
| Passwd.txt | Rules.txt | Mask.txt |
|------------|-----------|----------|
| 123456 | : | ?l?l?l?d |
| 1234567 | l | |
| qwerty | u | |
| 19231923 | c | |
| besiktas | ^X | |
- The moderator starts a live stream for the contest.
- The moderator announces the target leak.
- The moderator cracks the hashes in the leaked database with each participant's lists.
- The moderator records, per participant, the number of cracked hashes in total, the number of cracked unique hashes, and the percentage.
- The moderator announces the winner.
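To make the scoring concrete, here is an added example (not the author's contest tooling) of a small Python scorer: it runs a hashcat-style wordlist + rules attack and a mask attack against a constructed leak and reports the three numbers the moderator records. It assumes unsalted MD5 hashes (hashcat `-m 0`), implements only a handful of hashcat rule functions (`:` no-op, `l` lowercase, `u` uppercase, `c` capitalize, `r` reverse, `d` duplicate, `^X` prepend, `$X` append) and the built-in `?l ?u ?d ?s` mask charsets, and computes the percentage over distinct hashes in the leak. The leak, the wordlist, the rules and the mask are all constructed; the submission is the one from the example scenario above.

```python
"""Added example (not the author's tooling): score a Hash Olympics submission.

Assumptions: unsalted MD5 hashes (hashcat -m 0), a constructed leak, a
subset of hashcat's rule functions and the built-in ?l ?u ?d ?s mask
charsets. Percentages are computed over distinct hashes in the leak.
"""
import hashlib
import itertools
import string
from collections import Counter

# hashcat's built-in mask charsets
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def apply_rule(word, rule):
    """Apply one hashcat rule line (subset of functions) to a word."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in (":", " "):            # no-op / separator between functions
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":                 # capitalize first letter, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif f == "r":
            word = word[::-1]
        elif f == "d":
            word = word * 2
        elif f in ("^", "$"):          # prepend / append the next character
            i += 1
            word = rule[i] + word if f == "^" else word + rule[i]
        else:
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return word


def expand_mask(mask):
    """Yield every candidate for a hashcat mask such as ?l?l?l?d."""
    slots = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            slots.append(CHARSETS[mask[i + 1]])
            i += 2
        else:                          # literal character in the mask
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def score(leak_hashes, wordlist, rules, masks):
    """Return (total cracked, unique cracked, percent of distinct hashes).

    A leak usually contains the same hash many times (many users share a
    password), so one cracked hash can count as several cracked entries.
    """
    counts = Counter(leak_hashes)
    cracked = set()
    for word in wordlist:
        for rule in rules:
            h = md5(apply_rule(word, rule))
            if h in counts:
                cracked.add(h)
    for mask in masks:
        for candidate in expand_mask(mask):
            h = md5(candidate)
            if h in counts:
                cracked.add(h)
    total = sum(counts[h] for h in cracked)
    return total, len(cracked), 100.0 * len(cracked) / len(counts)


# Constructed leak: nine accounts, three of which share "123456".
LEAK_PLAINTEXTS = ["123456", "123456", "123456", "qwerty", "Qwerty",
                   "X19231923", "abc1", "Besiktas", "galatasaray"]
LEAK = [md5(p) for p in LEAK_PLAINTEXTS]

# The submission from the example scenario (5 passwords, 5 rules, 1 mask).
WORDLIST = ["123456", "1234567", "qwerty", "19231923", "besiktas"]
RULES = [":", "l", "u", "c", "^X"]
MASKS = ["?l?l?l?d"]

if __name__ == "__main__":
    total, unique, pct = score(LEAK, WORDLIST, RULES, MASKS)
    print(f"total cracked: {total}, unique cracked: {unique}, {pct:.3f}%")
```

In a real contest the moderator runs hashcat itself (`hashcat -m 0 -a 0 hashes.txt Passwd.txt -r Rules.txt` for the wordlist and rules, `hashcat -m 0 -a 3 hashes.txt ?l?l?l?d` for the mask) and counts the results; the simulator is only here to show why "total cracked" and "unique cracked" differ when a leak contains the same hash many times, and why the rule `c` recovers `Qwerty` and `Besiktas` from lowercase wordlist entries while `u` does not.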
Our experience
We have run two Hash Olympics so far. It was lots of fun and everything went smoothly. The participants spent the week analyzing previously leaked databases to create optimal lists for the attack combination.
In the first contest, the attack combination was a wordlist of 30 passwords, 15 Hashcat rules and 0 Hashcat masks. The target database contained 50,000 hashes. The results were very close.
| Participant | Total Cracked Hashes | Cracked Hash Percentage |
|-----------------|----------------------|-------------------------|
| Mustafa Akbulut | 1206 | 2.687% |
| Tolunay Yılmaz | 1196 | 2.665% |
| Hakan Sonay | 1194 | 2.660% |
In the second contest, I wanted to widen the attack combination. It was a wordlist of 50 passwords, 15 Hashcat rules and 1 Hashcat mask (the mask had specific limits). The results were very close again: third and fourth place differ by only 3 hashes. It was crazy.
| Participant | Total Cracked Hashes | Cracked Unique Hashes | Cracked Hash Percentage |
|-----------------|----------------------|-----------------------|-------------------------|
| Ebubekir Türker | 271752 | 44405 | 47.372% |
| Nur Pabuççu | 271698 | 44351 | 47.363% |
| Can Taşdemir | 271688 | 44341 | 47.361% |
| Canberk Ayran | 271685 | 44338 | 47.360% |
Conclusion
Hash Olympics was a good experience, both for having fun and for teaching people how to analyze leaked databases and use Hashcat efficiently. People who can't afford good hardware could also join the fun. That was my point, and we achieved it. You can contact me if you have any questions.