In the previous two posts on the CMIYC competition [Part 1, Part 2], I had focused on how to integrate data science tools into your password cracking workflow and showed how to crack passwords on limited hardware (E.g. my laptop without using a GPU). Of course it’s better to have some firepower to crack hashes! One of the hurdles to overcome is I don’t have a lot of firepower at my disposal. Despite being super interested (OK, obsessed) about password cracking, I’ve never invested in a dedicated cracking rig. Still, when I do get serious about cracking passwords I turn to Hashcat and GPU based attacks to do the heavy lifting even if I only have a single NVIDIA GeForce GTX 1070 GPU. That’s still significantly faster than trying to run CPU only attacks.
To that end, let’s talk about how to leverage Hashcat when competing in these competitions. Full disclaimer: I’m going to go full spoiler in how I’m approaching my cracking. At this point, I’ve been running cracking sessions way longer than the competition would have lasted if I had competed. Also, I’ve been on the various Discord and Twitter conversations about the contest this year and know how the hashes were generated. Heck, KoreLogic even posted themselves how they created the challenges [Full Spoiler Link]. So I’m not going to even pretend that this post represents how I would have done. Instead I want to focus on “given what we know, how can someone use Hashcat to crack those hashes”.