Skip to main content

Crack Me If You Can - Hash Cracking Contest

August 20, 2014

The fifth annual Korelogic “Crack Me If You Can” contest took place this past weekend at the 22nd annual DEF CON. Crack Me If You Can (CMIYC) is an annual DEF CON contest that simulates real-world penetration testing scenarios where you might obtain large lists of hashed passwords from a client or clients. Password hashes are used to store passwords securely for anything from WPA/WPA2 for wireless communications to the passwords you use to login to websites. The CMIYC contest continues to improve year after year with this year providing the most real world scenario to date.

Many think of password cracking as something that can be accomplished quicker by using more CPU/GPU power, however, the Crack Me If You Can contest concentrates on ability by rewarding those skilled in pattern matching. In this year’s contest there were multiple fake companies where you might find similar patterns just like at real companies where you might see password patterns related to the locale itself.

The Crack Me If You Can contest consists of a “Pro” class for teams who want to compete for bragging rights of the best password cracking team on the Internet and a “Street” class for individuals or small teams who want to compete without going up against the larger teams. This year Team Hashcat won for the third time in the last five years the CMIYC contest has existed. Accuvant team members participating in this year’s contest on Team Hashcat included me, Alex “dakykilla” Kah, and Martin “purehate” Bos. A third participant, Eric “Brav0Hax” Milam, assisted by cracking password hashes and uploading results to Team Hashcat via myself and Martin. All three of us primarily used oclHashcat and Hashcat which are both available for download/use free of cost. The hardware used by Accuvant team members included an Ubuntu server with four 280X’s, another Ubuntu server with four 280X GPU’s, an Ubuntu server with 2 7970 GPU’s, an Ubuntu server with four 7970 GPU’s and multiple other servers using only CPU’s. Team Hashcat consisted of 24 other members from around the globe including Jens “atom” Steube the developer of Hashcat. The Team Hashcat write-up below lists all team members, the hardware used for the contest and password cracking methodologies.

For more information about the contest and Team Hashcat use the links below.

Team Hashcat CMIYC Write-Up
Korelogic Crack Me If You Can Contest Details

    Alex Kah

By: Alex Kah

Senior Security Analyst

See More

Related Blogs

January 08, 2013

Think Your Passwords are Strong Enough? Think Again.

However, many third-party applications such as homegrown web applications and mobile applications still only require a single sign-on, leaving organiz...

See Details

November 04, 2014

Improving Reliability of Sandbox Results

Cuckoo Sandbox is an increasingly popular system for automated malware analysis. Beginning in 2010 as a Google Summer of Code project, it has quickly ...

See Details

April 05, 2016

Five Spring Cleaning Tips for Identity Protection

Spring cleaning is not just about creating space in closets, but is also a great time to organize your online passwords as well. Chances are you have ...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

January 28, 2013

iOS Passwords: Quick Tips to Maximize Your Security

Prior to joining FishNet Security, I examined mobile devices as a digital forensic analyst, actively researching and using different methods to remove...

See Details

September 11, 2015

How Not to Obfuscate Passwords in Code

Software programs, from client-server to web to mobile, often need credentials to access a resource like a database or a web service. Storing these pa...

See Details

June 13, 2017

Moving Beyond the Password

Learn the technical, security and end user considerations while trying to go passwordless.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.