Tired of your password rules being half-baked?
The CsP kitchen’s been cooking up something better.
RuleChef serves Markov-seasoned rules that actually make sense.
No more recipe-for-disaster rule sets.
https://github.com/Cynosureprime/rulechef
A Password Research Collective
@CypherCon Test hashes are live!
Test your submission platform / scripts
Hey oh, #crackthecon is back @CypherCon this year.
Come crack some passwords.
We just posted our 2023 @CrackMeIfYouCan write-up.
https://blog.cynosureprime.com/2023/08/korelogics-cmiyc-2023-def-con-31-write.html
Congratulations to team @hashcat for taking first place in @CrackMeIfYouCan this year. It was a tough battle at the end, well deserved! Always a fun contest. Thank you for your hard work organizing every year @CrackMeIfYouCan !
@CrackMeIfYouCan well yeah!
@CrackMeIfYouCan seems like submissions are not working can you verify your end?
@CrackMeIfYouCan well when you find out we will be here subjecting ourselves to your yearly torture.
@CynoPrime Looool.
I wish I could say that was some kind of deep lore hint. Wait, yes, it is, I just haven't decided what for, yet.
I'm happy to announce the release of Version 4.5 of the PCFG password guess generator: https://github.com/lakiw/pcfg_cracker
So what's changed? The big items are the addition of two new cracking modes: "Random Walk" and "Honeywords".
I've talked about honeywords in the past, but the short answer is that to generate them, the generator takes a weighted random walk through the PCFG grammar and produces password guesses from this. Since the walk is weighted, it'll generate common passwords like "123456" quite often, but it'll also still generate complicated passwords every once in a while. To put it another way, if you run it, it'll create realistic-looking password dumps.
The real use for this mode is to help stand up deception environments. Nobody wants to create 5k fake users by hand, and if all the users have random passwords then it'll look pretty sus. This allows you to create passwords for fake accounts that will look much more realistic.
This leads us to the "random walk" password creation mode. It's basically the same idea but aimed towards cracking passwords. Now, at first glance it appears worse in every way than the standard password guess generation mode ("Probability Order"). It generates tons of duplicate guesses, and it doesn't guess the most probable passwords first. In all honesty, you probably are not going to want to use this guessing mode in real attacks. So why did I include it, and why am I excited about it? One word: Parallelization.
The random walk mode does not need to keep track of state (no priority queue). This means its memory requirements do not grow as it runs. This is huge since it supports generating guesses to much higher keyspaces. Also, the guess generation can be quite fast. I haven't optimized things yet, but since there is no state tracking and no priority queue to manage, it reduces a lot of overhead when generating guesses. Finally, as I mentioned, it really lends itself to running multiple different instances of it at once. Since each guess is really a random walk, you can run as many parallel sessions as you want.
So it has fixed memory requirements, is fast for generating guesses, and multiple sessions can be run in parallel. Furthermore, it has an index function for stopping/restoring sessions (basically you give it the random seed). This means it might be possible to include this mode into GPU password cracking programs in the future. So even though this mode is not as precise as the current "probability order" mode, in the future it may be much more effective in real engagements. At the very least it should beat the pants off of PRINCE mode ;p
What's next? Really a ton. I'm hoping to get through Defcon and really start digging into enhancements. There are a couple of areas I'm probably going to target first:
1) Improving my analysis tools to better understand all that's going on. Having better tooling is really helpful for figuring out how to improve the grammar.
2) Build out enhanced logic for the honeywords mode to generate multiple passwords for the same user. Aka people tend to make similar passwords across multiple accounts. It'd be fun to include that logic when generating honeywords. On the plus side, that can also be leveraged in guess generation to target a user who has known passwords.
3) Start looking at getting the random walk mode included in Hashcat. This will be a year long effort, but I think it can be done.
4) Enhance the PCFG grammar when making low probability guesses. Currently the grammar really excels when targeting the first 60% of user passwords, but doesn't do well when the guesses get to a really low probability. This hasn't been too big a deal since the guess generator was so slow that most users never get to making 1 trillion guesses. With this new mode though, longer cracking sessions suddenly become very realistic. I need to look into how to enhance them more.
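The weighted random walk, the seed/index restart property and the honeyword use case described in the post above, worked through as an added Python example. This is not code from pcfg_cracker or its author: the grammar is a constructed toy (four base structures, a handful of terminals each), the seeding scheme `seed * 1_000_003 + index` and the username-derived honeyword seed are assumptions made here to show how a stateless walk can be resumed or split across workers, and `enumerate_keyspace()` is included only as the contrast with what a probability-order generator has to hold in memory.

```python
import itertools
import random
import re

# Constructed toy PCFG (not the grammar pcfg_cracker trains). A base structure
# names the token sequence ("A5D2" = 5 letters then 2 digits); every
# non-terminal has its own list of (terminal, probability) replacements.
BASE_STRUCTURES = [("A6", 0.40), ("D6", 0.35), ("A5D2", 0.15), ("A4D4S1", 0.10)]
TERMINALS = {
    "A4": [("love", 0.5), ("pass", 0.3), ("blue", 0.2)],
    "A5": [("hello", 0.5), ("trust", 0.3), ("happy", 0.2)],
    "A6": [("monkey", 0.4), ("dragon", 0.35), ("summer", 0.25)],
    "D2": [("12", 0.6), ("69", 0.25), ("01", 0.15)],
    "D4": [("1234", 0.5), ("2023", 0.3), ("1987", 0.2)],
    "D6": [("123456", 0.7), ("654321", 0.2), ("111111", 0.1)],
    "S1": [("!", 0.8), ("@", 0.2)],
}
TOKEN_RE = re.compile(r"[A-Z]\d+")


def _pick(rng, options):
    """Weighted draw from a list of (value, probability) pairs."""
    values, weights = zip(*options)
    return rng.choices(values, weights=weights, k=1)[0]


def guess_at(seed, index):
    """One weighted random walk: pick a base structure, then fill in each
    non-terminal. The walk is seeded from (seed, index) alone, so no state is
    carried between guesses and any index can be recomputed independently."""
    rng = random.Random(seed * 1_000_003 + index)  # assumption: hypothetical seeding scheme
    structure = _pick(rng, BASE_STRUCTURES)
    return "".join(_pick(rng, TERMINALS[tok]) for tok in TOKEN_RE.findall(structure))


def random_walk_session(seed, start, count):
    """Guesses [start, start+count) of a session. Resuming a stopped session,
    or giving a second worker its own range, is just a different start value;
    memory stays constant no matter how far the session has run."""
    return [guess_at(seed, i) for i in range(start, start + count)]


def honeywords(username, seed, count):
    """Decoy passwords for one fake account in a deception environment. The
    per-user seed keeps the set reproducible without having to store it."""
    user_seed = seed ^ int.from_bytes(username.encode("utf-8"), "big")  # assumption: constructed derivation
    return random_walk_session(user_seed, 0, count)


def enumerate_keyspace():
    """Contrast with probability order: list every (password, probability)
    the grammar can produce, most probable first. A priority-queue generator
    must track this frontier as it runs; the random walk never materialises it."""
    out = {}
    for structure, p_struct in BASE_STRUCTURES:
        slots = [TERMINALS[tok] for tok in TOKEN_RE.findall(structure)]
        for combo in itertools.product(*slots):
            pw = "".join(value for value, _ in combo)
            prob = p_struct
            for _, p in combo:
                prob *= p
            out[pw] = out.get(pw, 0.0) + prob
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Two workers sharing one seed but walking disjoint index ranges.
    print("worker 0:", random_walk_session(42, 0, 8))
    print("worker 1:", random_walk_session(42, 8, 8))
    walk = random_walk_session(42, 0, 200)
    print("distinct in 200 walk guesses:", len(set(walk)), "of", len(enumerate_keyspace()), "possible")
    print("top of probability order:", enumerate_keyspace()[:3])
    print("honeywords for fake user:", honeywords("fake.user01", 42, 5))
```

Running it shows the trade-off from the post directly: the walk returns "123456" and "monkey" far more often than anything else, repeats itself long before it has covered the 33-string keyspace, and yet any guess can be regenerated from its seed and index alone, which is what makes splitting the work across processes trivial.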