Each time I teach my Security class, I give a month-long lab to crack as many passwords as possible. For this summer’s contest (opened on June 21, 2021), I used two different hash types: MD5 and SHA-512. The contest closed on July 28th at 11:59 PM EST. The password hashes (24 total):


16 submissions across two classes. The answers:

  • (MD5) belgium:GME => 10 students cracked this
  • (MD5) russia:rinforzanti => 15 students cracked this
  • (MD5) italy:buela => 15 students cracked this
  • (MD5) wales:ve3oao => 12 students cracked this
  • (MD5) switzerland:nicole => 15 students cracked this
  • (MD5) turkey:7771an => 10 students cracked this
  • (MD5) finland:747690 => 8 students cracked this
  • (MD5) denmark:fcimo8 => 3 students cracked this
  • (MD5) netherlands:5ObePg => 2 students cracked this
  • (MD5) ukraine:UJKVBXVI => 0 student cracked this
  • (MD5) austria:LAlNzChRcJ => 0 student cracked this
  • (MD5) nmacedonia:Wh@t3ver! => 0 student cracked this
  • (SHA-512) czechrepublic:AMC => 12 students cracked this
  • (SHA-512) england:H31icid43 => 9 students cracked this
  • (SHA-512) scotland:Fiend => 12 students cracked this
  • (SHA-512) croatia:Tristram => 13 students cracked this
  • (SHA-512) slovakia:aaron431 => 12 students cracked this
  • (SHA-512) spain:laak36 => 4 students cracked this
  • (SHA-512) sweden:76394953 => 0 student cracked this
  • (SHA-512) poland:ohfg => 3 students cracked this
  • (SHA-512) portugal:OzHcji => 2 students cracked this
  • (SHA-512) france:6RiZDfCXic => 0 student cracked this
  • (SHA-512) germany:=[Jh~BPc4e => 0 student cracked this
  • (SHA-512) hungary:k>Y.6%2JtD => 0 student cracked this

To earn all 10 / 10 points for the lab, students had to crack 8 or more passwords. The final distribution:

11 (x3)
10 (x2)
9 (x3)
8 (x2)

The winner’s methodology:

I installed John The Ripper (bleeding jumbo edition) and the latest
version of hashcat.Then I would submit slurm jobs in parallel (one of
JTR and one of hashcat) to either 2-4 Nvidia a100 GPUs or 3 Nvidia
p100 GPUs. Then I divided up the md5 and sha512 hashes to separate
files and got to work.
For dictionary attacks, I wrote a script that ran through all of
Daniel Meissler's SecLists. I also tried wordlists from crackstation
and the > 10GB weakpass list. With the dictionary attacks, I used
exclusivley John The Ripper.
For mask and brute force attacks I used hashcat. The cloud
infrastructure I utilized would trigger job failures if the GPUs
reached 90 degrees Celsius, so that foiled my plans for brute force of
more than 6 characters. Also I used a preempt partition for the a100
GPUs, so other jobs would sometimes take precedence over what I was
running. Overall, the a100 GPUs were amazing which I could get several
hours or days uninterrupted.

Since I was using a login server, I wrote a cronjob that emailed
myself the potfiles from JTR and hashcat every hour.

After the first 12-14 passwords, it got exponentially harder to crack
subsequent passwords, so I would check the emails less frequently

Methodologies used by students:

Overall strategy:
I initially used John the Ripper, then switched to hashcat to check my work
and crack the longer hashes. I made liberal use of shell scripting to 
automate the cracking. 

I installed JtR and git cloned Daniel Miessler's SecLists. I tested some JtR 
commands and read the documentation, then tried my first crack. I separated 
the hashes into the 2 halves (using a hash identifier online to figure out 
the difference) and began john-the-ripping the first half (MD5). I wanted a 
wordlist (since wordlisting is the best way to crack passwords), and I 
know how much Ming likes darkc0de.txt, so I started with that and got a
few out of there. Then, I wrote a script that iterated through every 
.txt file in /SecLists/Passwords and used them as wordlists for JtR. I 
had to skip some of them because they were taking too long, so after a first
pass I wrote a second script which ran on a compiled version of every 
text file, concatenated, and ran it as a background process using nohup. 
I took a day or so, and I ended up with 6 passwords. 

I knew I would need some heavy-duty material to try the SHA512 half of 
the list, so I installed hashcat and tried it out. I wrote a similar 
script and started cracking using the full combined Passwords list. 
Truth be told, it is still running and is barely 15% done after 2 full 
days of pumping, but it's yeilded (blissfully) 5 passwords so far. I'll
submit more if I get them, and am also looking into brute-force attacking. 

I tried some stuff on the Tufts Cluster but found little success. Perhaps
I'll look at it again. 

Lastly, hashcat gave me the cracks as hash:password, so I had to manually
re-insert the usernames. Please forgive any errors in re-alignment.
Methodology: separated passwords into files for those encoded
with MD5 and SHA512, then used john. First used basic wordlist, then
downloaded a bunch of files from Daniel Miessler's SecLists and used
those with John. Passwords above were found in: dutch_passwordlist,
darkc0de, darkweb2017-top10000, xato-net-10-million-passwords-1000000,
and the horrendously enormous wordlist I downloaded from crackstation.

I've tried a bit with hashcat but I'm mostly missing the SHA512
passwords now and John is a bit faster at those. I'm still plodding
away with John on Kali on VMware - I have tried many times and wasted
many hours trying to install John on native, both using a linux
emulator and straight Windows, and cannot for the life of me get it to
work - despite being a CS student, I am NOT tech inclined.
 My methodology was exceedingly simple. I started by googling any
extra information and similar projects that I could find online as
references and jumping off points. I stumbled upon a certain blog with
some very relevant information. I found that by far the most
successful strategies were just throwing dictionaries and dictionaries
and dictionaries at the hashes to see if anything sticks.  I spent
about 10 minutes with a python script to try to download every
dictionary off the seclists github repo that I could programatically
until I said screw it there aren't that many anyway and hand
downloaded the raw files of each. I started with John The Ripper and
used a GUI called Johnny because I'm a weak, weak person. I threw all
the dictionaries I could find at all of the hashes, obviously
separated into MD5 and SHA files using Johnny.

I also found out that John the Ripper wants '.lst' files, which from
research seem to be just Linux plaintext files. My machine being
Windows threw me a weird little quirk that took me a while to fix and
I hope to save time for someone in the future if they run into the
same problem. You can download a '.txt' file and change the extension
to '.lst', and John will accept the file UNLESS you open the file even
once with Notepad, which seems to leave artifacts in the file that
violate the '.lst' protocol. So if you're using John on Windows with
'.txt' files, DON'T OPEN THEM!!!

After messing with dictionaries for a while to great success, which
took me all the way into the 10/10 zone, I decided to just brute force
and see if I could get anything else. I got Hashcat working on my
computer, which had some issues with my AMD graphics card, and having
to use the '-O' flag for optimized kernel mode. I used Hashcat since,
from my research, Hashcat uses the GPU and John the CPU, and Hashcat
has various levels of 'intensity' on the device. I cranked that bad
boy up and let it rip on both password files. I tried 6 and 7
character passwords with the '?l', '?u', and '?d' default charsets,
basically '[a-z][A-Z][0-9]'. This took about a week to finish, then I
added in the '?s' special character charset '[ !"$#.....]' and the
expected time of completion rocketed up. I could do 6 character
passwords with this extended alphabet, and then stopped, because 7
character passwords were expected to take 330 days to exhaust. Goes to
show how potent added special characters to your password is, and
structuring your password in such a way that a brute force attack is
necessary. It got me thinking of going back to all of my current
passwords and appending a ' $$' string or something to the end, which
I feel would make them significantly stronger.

So that was my overexplanation for a very simple
strategy. Dictionaries, and when I ran out, brute force attacks of
increasing complexity.