Scenario:The premiere password cracking contest "CrackMeIfYouCan" is back again. Passwords so two-thousand and late. Remember, remember, the cracks of November.
We're preparing hashes from easy to hard, so there'll be something for you if you want to compete casually as a Street team, or go all out in Pro.
Where we're going, we don't need roads. Purely a penchant for puzzles, perhaps a plethora of processors.
Logistics:Prior to the start of the contest, KoreLogic will disseminate large encrypted file(s), that teams should pre-download. The decryption key(s) will be published once the contest starts.
More files might be released once the contest starts.
If you are entirely new to password cracking, check out the Password Village at DEF CON, and then come back.
The goal of the contest is simple: score the most points.
Types of Teams:You have a choice of how you compete:
- "Pro" Teams: Teams of people who want to compete for
all the glory of being the best password cracking team on the
- "Street" Teams: Individuals or groups who are more casual.
People who want to play around, small teams of 1-3 people who
want to compete but don't want to be competing with the "big
guns". Or big GPUs, whatever the case may be.
Scoring Points:Points are earned by cracking hashes and submitting plaintexts.
Teams should plan to submit their new cracks often / promptly, and check the stats page (once available) frequently.
Teams are encouraged to pre-register. See the registration HOWTO for instructions on generating a PGP keypair and registering a team.
Once registered, see the submission HOWTO for instructions on exactly what and how to submit cracks.
Rules:For everyone competing, besides following the directions about how to register and submit:
- You MAY use as many systems/cores/GPUs/CPUs as you wish.
- You MAY use systems NOT located at DEF CON.
- You MAY work with other team members not attending DEFCON.
- You MUST ONLY use systems that you are authorized to use.
- You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
- You MUST NOT attempt to interfere with the efforts of another team.
- You MUST NOT trade/share plain-texts between teams.
- You MUST NOT attempt to steal passwords from or techniques/methods used by another team.
- You MUST NOT be on multiple teams, or switch teams during the contest - we will assume you stole all the cracks from one or the other.
- KoreLogic employees are not eligible for the contest.
- To be eligible to be named as a "Winner", you MUST agree to share your
techniques / methodologies and describe the resources/tools
used to crack the passwords afterwards.
- Pro teams' roster of members must be FIRM before the
start of the contest.
Any violation of the rules can result in immediate disqualification from the contest. Any illegal activity will be reported.
Differences from previous contests:Watch this space...
Results:During the contest, KoreLogic will publish status and statistics.
After the contest ends, KoreLogic staff will validate final submissions and will announce the winning teams on Sunday, (time TBD, but certainly before the DEFCON C&E Awards Ceremony). The eligible team with the highest score will be the winner.
We invite all teams that participate to write up a post-event report. The teams with the most points will be required to write up their techniques/methodologies, describe the resources/tools used to crack the passwords, and describe any lessons learned, in order to be officially declared winners.
After the contest concludes, KoreLogic will:
- Announce the winners.
- Release some details about the plaintexts' composition.
- Provide statistics on successful cracks.
Please watch this site and @CrackMeIfYouCan@infosec.exchange for updates. You can also contact firstname.lastname@example.org with any questions, but we may not be able to respond if we do not have time or if we can't answer you directly without giving an unfair hint.