KoreLogic's Password Cracking Contest at DEF CON

Submitting Results

Note: The DEF CON contest has finished

Once you have cracked some passwords or encrypted files, submit them to us in a PGP signed & encrypted email.

Password hashes

Every time you submit cracked passwords, send us the new cracks as hash:plaintext, each on one line by itself. Hashcat's potfile or --output-mode 3 output, including possibly $HEX[] encoded plaintexts, or John the Ripper's potfile format (where hashes may have a prefix indicating type) are all supported. Don't include anything else on the lines such as usernames.

Note this is different from past years, when we wanted just bare plaintexts, and wanted every cumulative hash. We only want new cracks this time. We will verify them, and update the stats page, and provide some feedback/mechanisms for teams to confirm which cracks we've verified and credited them with.

Initially, re-submitting repeated cracks will only produce a warning, not an error that might cause a team to be blocked. At some point as the contest goes along that will change, but it will only be enforced if a team is sending a large proportion of repeats.

We made this change for multiple reasons: with the much larger number of hashes, the data volumes will get painful otherwise; being able to submit only new cracks should give teams more options to arrange who/how to submit new cracks w/o necessarily needing to be given access to all cumulative cracks, etc.

But we're not going to enforce new-only strictly right at the start of the contest, because we know teams may need some time to adapt their workflows to this, and they may want to keep resubmitting cracks a couple of times until they're sure we've processed and counted them. We have added some feedback to help with that (see "Submission feedback" below).

If you keep sending us junk that's not correct cracks, we will assume you are spewing /dev/random at us and may shun all future mail from you.

Submit often

It is important that you submit new cracks frequently. Since each hash is worth bonus points to the first team to crack it, teams should submit their new cracks as often as is practical, both to maximize their points and to prevent other teams from taking the credit. We encourage teams to work out some shared and/or automated way to submit cracks.

For teams that are small and/or can't automate their submissions, you may not be able to submit for some long stretches due to sleep, etc. But a team that suddenly submits a big jump in cracks/points after a long silence could mean that a team has stolen cracks from another team. If a team goes more than 12 hours without an update, we may decide you gave up or died of alcohol poisoning.

But not too often

Do not flood us with submissions. We will assume you are trying to DoS us. We may throttle submissions from a team sending faster than once per minute, especially if you are also sending repeats.

Repeatedly sending us multiple submissions per minute may get your team temporarily or permanently banned.

In past years we had fairly strict throttling (postgrey, fail2ban, iptables rate limiting) in place. We are going to try without such limits, but if we see abuse we may change that.

Submission feedback

New this year, there are two kinds of feedback teams can use to verify we digested your submission.

First, the auto-responder will reply to a submission (unless it is complete garbage) with a short summary showing the successful cracks received, and the types of errors encountered if any.

Second, the stats page now contains link(s) to CSV file(s) that list all hashes that somebody has successfully cracked, and the timestamp of the first recognized crack. If teams are in doubt, they can check that list (updated every 5 minutes or so) to see if every hash they think they have submitted shows as having been cracked, and if they think they cracked it earlier than we show, they can contact a human.

As always, we will try to contact teams whose submissions we see fail, but no guarantees if or when we will have time to do so.

Example submission

Here is what a submission process might look like.

$ cat cracked
{SSHA}JeDh50j/LODCxVvrNz0zJqbO96xYOUNJMA==:plaintext1
$1$MksuXYyK$QNVKsIPu8zE/pgFoou19a.:plaintext2
$7$C6..../....okOpBMwYsgCr$cWxnyaHOozEwUVXPZN381peKMjkblMcfxJIoZPck/z5:plaintext3

$ gpg -a -o submission-email.pgp.asc -r sub-2018@contest.korelogic.com \
    -se cracked
$ mail -s "cracked" sub-2018@contest.korelogic.com \
    < submission-email.pgp.asc

Or attach the file keysub-email.pgp.asc to an empty email to sub-2018@contest.korelogic.com, for example if you are using Gmail.

Don't forget to use --local-user 0xDEADBEEF if you created a dedicated PGP key just for this event.
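
An added example, not part of the original page or KoreLogic's tooling: one way to automate the new-only and once-per-minute rules described above around the gpg and mail commands shown. The potfile, sent-log and stamp-file arguments are assumptions, as is the availability of awk and `date +%s`.

```shell
#!/bin/sh
# Added example, not KoreLogic's tooling. File names passed in are assumptions.

# Print lines of potfile $1 that are not already in sent-log $2.
# Whole lines are compared as literal strings, so "$", "/" and "." in hashes
# and $HEX[...] plaintexts need no escaping. Lines without a "hash:" prefix
# and duplicates inside the potfile are skipped.
new_cracks() {
    [ -f "$2" ] || : > "$2"
    awk -v sent="$2" '
        BEGIN { while ((getline l < sent) > 0) done[l] = 1 }
        /^[^:]+:/ && !($0 in done) && !seen[$0]++
    ' "$1"
}

# Write the new cracks to $3; succeed only if there is something to send.
stage_submission() {
    new_cracks "$1" "$2" > "$3"
    [ -s "$3" ]
}

# Succeed only if the time recorded in stamp file $1 is at least $2 seconds
# old (default 60, matching the page's "once per minute" limit).
throttle_ok() {
    [ -f "$1" ] || return 0
    last=$(cat "$1")
    now=$(date +%s)
    [ $((now - last)) -ge "${2:-60}" ]
}

# $1=potfile $2=sent log $3=stamp file. Lines are recorded as sent only
# after gpg and mail both succeed, so a failed send is retried next run.
submit_new() {
    throttle_ok "$3" || { echo "throttled: wait before sending" >&2; return 1; }
    stage_submission "$1" "$2" cracked || { echo "nothing new" >&2; return 0; }
    gpg --batch --yes -a -o submission-email.pgp.asc \
        -r sub-2018@contest.korelogic.com -se cracked &&
    mail -s "cracked" sub-2018@contest.korelogic.com \
        < submission-email.pgp.asc &&
    cat cracked >> "$2" && date +%s > "$3"
}
```

Call it from a loop or cron as `submit_new hashcat.potfile sent.log last.stamp`, adding --local-user to the gpg call if you use a dedicated key.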