Results of a Password Cracking Contest in My Security Class (Fall 2023)
Each time I teach my Security class, I give a month-long lab to crack as many passwords as possible. For this fall’s contest (opened on October 2, 2023), I used two different hash types: MD5 and SHA-512. The contest closed on November 10th at 11:59 PM PDT. The password hashes (16 total):
jackbear:$1$tLqWPL3x$hTIUCQLLEKbMlPjhTOmR3.:1001:1001:,,,:/home/jackbear:/bin/bash brotherbear:$1$C4qXyAjR$J1oL3RYmHaFldTbYjtASZ/:1002:1002:,,,:/home/brotherbear:/bin/bash fancybear:$1$Ymmh93Qp$4Laygm7i4UDmNfNGAiRF91:1003:1003:,,,:/home/fancybear:/bin/bash barneybear:$1$LvAdkCl3$mzHq8zre6oW2/vPSKZVPc/:1004:1004:,,,:/home/barneybear:/bin/bash pandabear:$1$ldmSUyKK$2WYaaRzLS8bDc7wzJFtu61:1005:1005:,,,:/home/pandabear:/bin/bash yogibear:$1$y7DJOyR4$ro0Oe1wWuToZF3g8tZ2Pf/:1006:1006:,,,:/home/yogibear:/bin/bash papabear:$1$P54r4/XD$VnEJFiCLP75m/zxUhCGY80:1007:1007:,,,:/home/papabear:/bin/bash grizzlybear:$1$veIFirtd$RtmKrUCjJMlF6V4B3y00B1:1008:1008:,,,:/home/grizzlybear:/bin/bash sisterbear:$6$PSouL3fjntaUDkH3$j5h1OZG/2Hg58x9fBH/uEZxEYVvv5UTgM9YKc98TE6bm93ad2jDDTPFjGF0gIU7Eqh.ARwaWG.mMddbDqE.VK0:1009:1009:,,,:/home/sisterbear:/bin/bash teddybear:$6$AAQBNuTnQ8z/PFM/$xg2fDO5VpwLtNjszFm2EzzlngUwiVYEWZQCjHssZznG9M5i2SJ/BvI4wJ1O9Oh/IwZ9tb7v/5jiLxNpIqJgOB.:1010:1010:,,,:/home/teddybear:/bin/bash polarbear:$6$MJlp5Pg66tr34Dk5$SbD48g3ePIaza.0P52e1cwfHO9rndZ6b2ToxlhXnaUxib3kGbByPRzia4kXjNadlf2zSnJwf36oRNFQASXOut1:1011:1011:,,,:/home/polarbear:/bin/bash bluebear:$6$IP3BEwahNiAUsrR6$GHhXZHP0BmLdEfsz9kOtqZZCNFj/3L2UjG3HeL/yPmcLEOwbYKMxUdpaM1b6rjuoE46HmipB7ls8qm/sMxYOL.:1012:1012:,,,:/home/bluebear:/bin/bash blackbear:$6$dlFpQsHHaXg8QumO$/UyhZH.GSS8/Z8Z.8hr7U9K.1HuOaUeZjFMAoIE36.vB0/Tk044UxFJpAx84bET6JuOUkuoU.Z.8QVmnU/7Lh0:1013:1013:,,,:/home/blackbear:/bin/bash mamabear:$6$mo205g6IoHx8xUcS$IK6lhefS88BEb/nSUdDOhDnP.O0T6kGTCOTFPbvo.6yWEAzg.P6L.AnP.zJzBHP/P3oKa/tdoII642QFkclD41:1014:1014:,,,:/home/mamabear:/bin/bash carebear:$6$05gfSCen6gtcVJ8g$cnl6zUX2SYbJUGxZWbC.i0rxbO1gmFyZhTPpjymCy9h0k7eb7Ew5JJqJQqRt96KxMoq71ueSa.wnJaz07XT3K.:1015:1015:,,,:/home/carebear:/bin/bash cozybear:$6$delqV7KMicfdLoR1$AxREbM10wv0CQTRci0.eQiDQPAElqMuZ.lrsJ1vMH8P2u522Xp8j/RHZscsLNBhHvxGbgExBAdZaHilyqTiJw/:1016:1016:,,,:/home/cozybear:/bin/bash
118 submissions across two classes. The answers:
- (MD5) jackbear:Everyb0dyKnow$My$ecret => 8 students cracked this
- (MD5) brotherbear:200368 => 115 students cracked this
- (MD5) fancybear:jeronimo => 114 students cracked this
- (MD5) barneybear:gxfzveko => 2 students cracked this
- (MD5) pandabear:chudy => 117 students cracked this
- (MD5) yogibear:IntrepidPursuits => 0 student cracked this
- (MD5) papabear:buggs => 117 students cracked this
- (MD5) grizzlybear:lovehurts => 113 students cracked this
- (SHA-512) sisterbear:jeremiah => 115 students cracked this
- (SHA-512) teddybear:1980-04-24 => 16 students cracked this
- (SHA-512) polarbear:Arthur1 => 112 students cracked this
- (SHA-512) bluebear:182365 => 53 students cracked this
- (SHA-512) blackbear:procaccio => 42 students cracked this
- (SHA-512) mamabear:I%8}JqoT6r{# => 0 student cracked this
- (SHA-512) carebear:4n7id370n47in6 => 35 students cracked this
- (SHA-512) cozybear:eminem123 => 100 students cracked this
The passwords barneybear, bluebear, and mamabear were randomly generated; all other passwords were taken from wordlists, namely from Daniel Miessler’s SecLists. UPDATE: I forgot that I made the password for yogibear –it’s this semester’s troll password 😂.
To earn all 10 / 10 points for the lab, students had to crack 8 or more passwords. The final distribution:
13 (x5) 12 (x6) 11 (x10) 10 (x13) 9 (x28) 8 (x48) 7 (x3) 6 (x2) 5 (x2) 3 (x1)
Methodologies and hauls from students:
john crackme-fall2023.txt (default wordlist)
papabear:buggs
brotherbear:200368
pandabear:chudy
john –wordlist=SecLists/Passwords/xato-net-10-million-passwords.txt crackme-fall2023.txt
fancybear:jeronimo
grizzlybear:lovehurts
hashcat -m 1800 sha512.txt SecLists/Passwords/xato-net-10-million-passwords.txt -o cracked_sha512.txt
polarbear:Arthur1
hashcat -m 1800 sha512.txt SecLists/Passwords/openwall.net-all.txt -o cracked_sha512.txt
blackbear:procaccio
./hashcat -m 1800 Other/sha512.txt Other/Passwords/Leaked-Databases/md5decryptor-uk.txt -o Other/cracked_sha512.txt
tried using a crazy tufts cs lab computer
cozybear:eminem123
sisterbear:jeremiah
./hashcat -m 1800 Other/sha512.txt Other/Passwords/Leaked-Databases/alleged-gmail-passwords.txt -o Other/cracked_sha512.txt
bluebear:182365
carebear:4n7id370n47in6
cat dblist.txt | xargs -I {} ./hashcat -m 1800 Other/sha512.txt {} -o Other/cracked_sha512.txt
with dblist.txt containing Other/Passwords/mssql-passwords-nansh0u-guardicore.txt
teddybear:1980-04-24
cat dblist.txt | xargs -I {} ./hashcat -m 500 Other/md5.txt {} -o Other/cracked_md5.txt
with dblist.txt containing Other/Passwords/scraped-JWT-secrets.txt
jackbear:Everyb0dyKnow$My$ecret
Used John the Ripper with these password lists:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
Used hashcat with the first list to get the second group passwords.
Used hashcat with lists from danielmiessler to get the third group, specifically openwall.net-all.txt, darkc0de.txt, and alleged-gmail-passwords.txt.
I separated the password list into two files depending on the hash method depicted by $1$ or $6$ and then ran both files with the command john so it would use the default wordlist for all 6 of the username password pairs that it was able to crack.
bluebear:182365
papabear:buggs
brotherbear:200368
pandabear:chudy
sisterbear:jeremiah
polarbear:Arthur1
After using the default list, I also wanted to use this wordlist I got from SecLists on github under Common-credentials. These wordlists gave me three additional passwords:
cozybear:eminem123
fancybear:jeronimo
grizzlybear:lovehurts