Lance Grover

Password cracking challenges – thinking another way

I was playing with the Saintcon 2019 password cracking challenges and I was overthinking this particular challenge. Luckily someone else shared their ideas, which really helped me: https://www.openwall.com/lists/john-users/2019/10/29/1

Basically, the one I am referring to is a password challenge that was paying respects to Ken Thompson and his recently cracked vintage password, which was based on a chess move (his 1980 BSD crypt(3) hash, cracked in October 2019, turned out to be "p/q2-q4!", pawn to queen four in descriptive notation). The challenge uses modern algebraic notation instead.

Given the following hash, you can identify it as bcrypt just by looking at it: the "$2b$" prefix is the bcrypt version identifier, the "10" is the cost factor (2^10 rounds of key setup), and the 53 characters after the next "$" are the 22-character salt followed by the 31-character hash, both in bcrypt's own base64 alphabet. That cost factor is why this challenge is all about keyspace: bcrypt is deliberately slow, so every candidate a mask does not need to generate is time saved.

$2b$10$YGtiAZYewmJE0Yh7O9E4AO49nQA2s4lhwDvWE./IOTyTQ.sgkGbuC

with the examples of the password format given in the challenge being:
2. Nf3 Nc6
39. Qxh5 Bf6

I originally was building some Python code using a common chess Python library to generate all the possible moves. However, there were lots of flaws in this thinking, because there are a LOT of possible moves, and the code was giving me a headache as it continued to grow... and grow...

Luckily the pattern was pointed out, from here: https://en.wikipedia.org/wiki/Deep_Blue_versus_Kasparov,_1997,_Game_6. A move pair in algebraic notation is one or two digits followed by a period, then a space, a capital letter for the piece, one or two lowercase letters (if two, the first is an x for a capture), then a digit for the rank; then a space and a similar three- or four-character move for Black. So I started building a hashcat mask file. Keep in mind I am just playing quick and dirty and a more efficient mask file could be built. In hashcat mask syntax ?d is any digit, ?u any uppercase letter and ?l any lowercase letter; every other character in the mask (the period, the space, the x, and the + for check) is a literal. This is what I came up with:

?d. ?ux?l?d
?d. ?u?l?d
?d?d. ?ux?l?d
?d?d. ?u?l?d
?d. ?u?l?d+
?d?d. ?u?l?d+
?d. ?ux?l?d ?ux?l?d
?d. ?u?l?d ?u?l?d
?d?d. ?ux?l?d ?ux?l?d
?d?d. ?u?l?d ?u?l?d
?d. ?u?l?d+ ?u?l?d+
?d?d. ?u?l?d+ ?u?l?d+

So now I could keep building on that and it probably would have worked, but the expected run time was WAY too long. Counting it out shows why: with ?u?l?d each move is 26 × 26 × 10 = 6,760 possibilities, so a two-move mask with a two-digit move number is 100 × 6,760 × 6,760, over 4.5 billion candidates for a single line of the file, against a bcrypt hash at cost 10. So I had to go back to the post I listed above, and you smarter people would have noticed this: we can limit the character sets even more. A piece is only one of K, Q, R, B or N (5 characters instead of 26), a file is only a through h (8 instead of 26) and a rank is only 1 through 8 (8 instead of 10), so a piece move shrinks to 5 × 8 × 8 = 320 possibilities and a pawn move (file and rank only) to 64. An .hcmask file lets you apply specific character sets per line: up to four comma-separated custom charsets come first and are referenced in the mask as ?1 through ?4, with the mask itself as the last field. So I did this:

KQRBN,abcdefgh,12345678,?d. ?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d?d. ?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d. ?1?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d. ?1x?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1x?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d. ?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d?d. ?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d. ?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d?d. ?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d. ?1?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d. ?1?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d. ?1x?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1x?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d. ?1x?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1x?2?3 ?1x?2?3

Then run it as a mask attack (-a 3) against the bcrypt hash (-m 3200), writing any crack to its own potfile:

hashcat -m 3200 -a 3 --potfile-path chess.pot chess.txt chess.hcmask

Two caveats on this file, which is still quick and dirty: it drops the single-move lines and the + (check) variants from the first attempt, and ?d for the move number still includes a leading 0, which never occurs in a real move number; a custom charset of 123456789 for the first digit would trim that. Before spending GPU time, hashcat -a 3 --stdout chess.hcmask | head will show the candidates a mask file actually produces.
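To see exactly how much the custom charsets buy, here is a small mask expander, added here as an example and not code from the original post or from hashcat itself. It parses .hcmask lines the way the post describes them (comma-separated custom charsets ?1 through ?4, then the mask; ?d, ?l and ?u built-ins; every other character literal), counts the keyspace of both mask files above, and checks that the two sample passwords from the challenge are covered by the targeted file. Both mask files are embedded as sample input; the function names (keyspace, covers and so on) are my own and not hashcat's.

```python
import math
import re
import string

# hashcat built-in charsets used on this page (?s, ?a and ?b are omitted).
BUILTIN = {"d": string.digits, "l": string.ascii_lowercase, "u": string.ascii_uppercase}

def parse_hcmask_line(line):
    # .hcmask format: up to four comma-separated custom charsets (?1..?4),
    # then the mask as the last field; a literal comma is escaped as '\,'.
    fields = re.split(r"(?<!\\),", line.strip())
    mask = fields[-1].replace("\\,", ",")
    custom = {str(i + 1): cs for i, cs in enumerate(fields[:-1])}
    return custom, mask

def mask_positions(mask, custom):
    # One character set per output position. Anything not '?x' is a literal
    # (the '.', ' ', 'x' and '+' in the chess masks); '??' is a literal '?'.
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        sel = mask[i + 1:i + 2]  # '' on a dangling trailing '?'
        if sel == "?":
            positions.append("?")
        elif sel in BUILTIN:
            positions.append(BUILTIN[sel])
        elif sel in custom:
            positions.append(custom[sel])
        else:
            raise ValueError(f"bad charset ?{sel!r} in mask {mask!r}")
        i += 2
    return positions

def keyspace(line):
    # Number of candidates one .hcmask line generates.
    custom, mask = parse_hcmask_line(line)
    return math.prod(len(cs) for cs in mask_positions(mask, custom))

def total_keyspace(lines):
    return sum(keyspace(line) for line in lines)

def covers(line, password):
    # True if this line would emit exactly this password.
    custom, mask = parse_hcmask_line(line)
    pos = mask_positions(mask, custom)
    return len(password) == len(pos) and all(c in cs for c, cs in zip(password, pos))

# The two mask files from the post, embedded here as sample input.
GENERIC = """\
?d. ?ux?l?d
?d. ?u?l?d
?d?d. ?ux?l?d
?d?d. ?u?l?d
?d. ?u?l?d+
?d?d. ?u?l?d+
?d. ?ux?l?d ?ux?l?d
?d. ?u?l?d ?u?l?d
?d?d. ?ux?l?d ?ux?l?d
?d?d. ?u?l?d ?u?l?d
?d. ?u?l?d+ ?u?l?d+
?d?d. ?u?l?d+ ?u?l?d+
""".splitlines()

TARGETED = """\
KQRBN,abcdefgh,12345678,?d. ?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d?d. ?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d. ?1?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d. ?1x?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1x?2?3 ?2?3
KQRBN,abcdefgh,12345678,?d. ?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d?d. ?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d. ?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d?d. ?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d. ?1?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d. ?1?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d. ?1x?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1x?2?3 ?1?2?3
KQRBN,abcdefgh,12345678,?d. ?1x?2?3 ?1x?2?3
KQRBN,abcdefgh,12345678,?d?d. ?1x?2?3 ?1x?2?3
""".splitlines()

SAMPLES = ["2. Nf3 Nc6", "39. Qxh5 Bf6"]  # the example passwords from the challenge

if __name__ == "__main__":
    for name, lines in (("generic", GENERIC), ("targeted", TARGETED)):
        print(f"{name:8s} {total_keyspace(lines):>15,d} candidates")
    for pw in SAMPLES:
        print(f"{pw!r} covered by {sum(covers(l, pw) for l in TARGETED)} targeted line(s)")
```

Run as-is it reports 15,082,438,800 candidates for the first file against 54,517,760 for the targeted one, roughly 275 times fewer, and confirms that each sample password is matched by exactly one targeted line. The same covers() check is a cheap way to validate any new mask line against a known-format sample before handing it to hashcat.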