CrackMeIfYouCan

KoreLogic's password cracking contest at DEFCON
CMIYC (https://contest.korelogic.com/) will not make it to DEF CON this year. https://passwordvillage.org/ will be there! We intend to do a contest later this year.

Defcon contest @CrackMeIfYouCan might be a bit slower for me this year

My plan for eliminating 10-12 of my 12-year-old servers seems to be coming together.

Currently for Defcon's @CrackMeIfYouCan contest (among other things) I have a modest GPU cluster on standby for running hashcat. That cluster is a collection of old desktops with Supermicro X9-generation motherboards with Xeon E5-v2-era CPUs. Each server in my collection can fit 1-2 GPUs, with the exception being a 1U box that I crammed 3x 2080ti into.

I am spending just as much power on server side architecture as I am running a GPU in hashcat.

Solution? Less "server" for more GPU. Thankfully the bitcoin mining industry has made high GPU density a thing, and converged AI is making all the old mining rigs outmoded. I scored this 8-slot mining rig with PSU for ~$150 shipped on eBay.

The onboard Celeron and 8g memory consume a few watts, leaving the rest of the power draw purely on the GPUs.

Pictured below is the initial test setup with a few spare GPUs I had lying around before the hashcat season starts. Not running 12 extra E5-2650v2 CPUs is going to save a lot of power and heat this summer.

We just dropped a couple inter-related advisories for VICIdial, open-source software used by call centers: https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt and https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt

Add some broth, a potato; baby you've got a stew going.

We've added a page w/info about the password sets, encrypted files, and hints: https://contest-2024.korelogic.com/password-info.html

#defcon

Ok, official results are official:

Pro: HashMob super narrow victory over hashcat, Cynosure Prime taking third.

Street: ThatOnePasswordWas40Passwords dominated.

Thanks to both our returning contestants, and new! Hope you will be back next year.

We'll post more details about hash breakdowns, data sources used, and crack rates per data source, etc. in the coming weeks.

Scoreboard adjustments, maybe not finished.

We're (so far) not going to ban the rule violators but rather void any successful cracks starting from the time they started heavily spamming us (thousands of invalid submissions, clearly just trying to brute-force guess). Which means we can't know that they earned any of their cracks from that point forward.

When a hint file reveals the first few chars of a plaintext, that's not an invitation to stuff 40k iterations per submission...

You know who you are. Reaching for the ban hammer.

We're idling on https://discord.gg/dpKSjtTw and will kick off a post-contest talk at probably 11:30a DEF CON time; will post links in that discord.

Teams: 2h left!

And one final tidbit for you at https://contest-2024.korelogic.com/downloads.html
