Korelogic Blog Logo contact
CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints 2013-09-04 23:59

We've just published details about the Crack Me If You Can 2013 encrypted file challenges here: the passphrase for each encrypted file, and the hints that are included in each one.

Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases. As with the main password sets, there were different passphrases for Pro and Street files. We did fewer file types than last year, and they were for fewer points, proportionately, than last time.

As before, we did not try to set point values proportionate to the difficulty of cracking one file type vs another. There be dragons.

We also didn't enforce strict rules internally about the difficulty of the different passphrases; they get longer and/or have increased character set complexity as you go up, but not all "Easy" passphrases were created equal, etc.

Password Creation

As we do every time, we spent all year generating new sets of plaintexts for the main password hash lists. A bunch of different KoreLogic staff contributed, using many different inspirations for wordlists, mangling rules, or other themes.

This time we took notes about what inspiration we used for each set. Although the plaintexts were split into multiple different "Company" subdirectories (see here for more), we kept each set of similarly-generated plaintexts local to a given company.

This sort of simulates the cultural biases that can cause an organization to have similarities in their plaintexts:
  • Staff working in a given industry may commonly gravitate towards industry-related terms
  • A bunch of users will embed the names of the local sports teams, such as the city where a company has its headquarters
  • Enterprise-wide user training and examples can lead to users following similar patterns in plaintext manipulation/modification
We also avoided a big problem from 2012: last year, we used many phrases from songs, books, and movies--including so many from current works that were still under copyright, that we were afraid to release the full corpus of plaintexts afterwards. Oops! We will be publishing all the plaintexts for 2013 in a little while.

Hints

Some of those notes then became hints that were embedded as the contents of the encrypted challenge files: crack a file, learn something that'll help crack some of the password hashes. There were typically 10+ differently-inspired sets of plaintexts that went into each Company, and we only released hints about one (at most) set per Company. So knowing the hints would give a team an advantage, but not a huge one.

We had another, hidden purpose for doing these groupings and hints, which I will write more about later. Wild speculation in comments to this post are encouraged ;)

Encrypted File & Hint Results

I think we just generally made the challenge files too hard--and/or it was so non-obvious that their contents were useful hints that, coupled with the relatively low point value, teams did not bother much with them.

Some teams do mention figuring out some common patterns among plaintexts they cracked, relevant wordlists, etc. Which is great, but I wish there had been more challenges cracked so there were more hints "in circulation" during the contest.


2 comments Posted by Hank at: 23:59 permalink

Mastercracker wrote at 2013-09-06 09:00:

It's sad that more than 1 month after the contest, almost no team made a write-up about it. It's always fun to see the contest from other teams point of view. Like you mentioned, the challenges were a bit hard to crack since we had no idea of what they could be (they were not linked to a company or anything giving a clue) and needed to have both the right wordlist and the right mangling rule to crack them. Not to mention that often the cracking speed of the program that handles them are slow and often do not support rules or attacks that would allow to crack the password provided. Finally, Challenge 9 was omitted intentionally or not. There is the password for the .pfx file...

Hank wrote at 2013-09-06 17:28:

Every year the winning team sends us their writeup the fastest ;) But yes, I do hope we get more from other teams soon.

Challenge9 is kind of weird, even though it contains hints, it was scored like passwords (mostly because they were per-user). I will add them to the table. Thanks!

Comments are closed for this story.


Please contact us if you would like more information about our services, tools, or careers with us.
Privacy Policy : Copyright 2016. KoreLogic Security. All rights reserved