How much does it take to hack a mobile network?
Is electronic government secure
in the era of WikiLeaks and Anonymous?

Is SCADA hacking a Hollywood fiction
or the nowadays reality?
Internet banking: is there any chance to win
over the fraudsters?

Cyber-crimes, cyber-espionage, cyber-war: where do we draw a borderline?


Monday, July 9, 2012

Hash Cracking at PHDays 2012: The Hash Runner Competition

PHDays 2012 featured a lot of highly technological, challenging and exciting competitions, but there was one that the visitors hardly noticed – Hash Runner, a competition in hash cracking.

All competitions of this type are characterized with hegemony of a number of teams: hashcat, Inside Pro and john-users, which is not surprising because these are communities of developers, testers and common users formed around most popular hash cracking tools.  And their success is rooted not only in years of experience, good training and unity of teams, and accessibility of formidable computer powers, but in the ability to modify  the tools in the real time mode in response to ever changing circumstances.

All the above-mentioned teams took most active part in Hash Runner at PHDays 2012. For two days the contestants fought for a useful prize - an AMD Radeon HD 7970 graphics cards.


The competition was open for any Internet user. All in all, there were 19 participants from various countries participating.

The competitors will be provided with a list of hash functions generated according to various algorithms (MD5, SHA-1, BlowFish, GOST3411, etc.). Points for each decrypted password are scored according to the algorithm’s level of difficulty. To become a winner, a competitor should gain the most points in a limited period of time, leaving the rivals behind.

It's all simple: you have a number of hashes of various types and two forum days (the competition started at 10:00 a.m. on May 30 and ended at 6 a.m. on May 31) to crack as many as possible.


The participants of the competition were from different countries. The main rivals were InsidePro Team 2012, teardrop and Xanadrel.


To win the competition, the participants were to figure out password generation rules.  The generation used dictionaries in different languages, as well as name dictionaries.  The first rule guessed by the participants was a dictionary word repetition, for example:


Each hash types contained a certain number of passwords generated according to the same rules. Thus, by guessing a password to a hash encrypted with a simple algorithm and figuring out its generation algorithm, one could apply the knowledge to the rest positions in the list and guess passwords to more complicated hashes.

It was good thinking, and not good guessing, that gave the push to the three leaders.

Each team used its own tactics: one tried to brute force the passwords to the most complicated hashes, thus scoring more points, another, on the contrary, tried to outrun their rivals in the number of successfully hacked hashes, focusing on plains.

The leaders gave dust to their competitiors.

Xanadrel (France), who used to paly for Hashcat, decided to play a one-man game this time and fought on its own.

Hardware he used for the competition included PC (i7 950, 1x 5770 and 1x 7970) and i5 2300k core for 4 LM hashes.

Software tools:
  • Hashcat
  • oclHashcat-plus
  • ophcrack
  • rcracki_mt
  • passwordspro
  • maskprocessor
The passwords were cracked by wordlist attacks and generation of basic/common rules in hashcat and passwordspro for the GOST hashes. During the entire competition, the contestant wasn’t able to hack not a single DES, neither phpbb3, ssha, or wordpress hash (they were unusually long and hashcat failed to crack them).

It was not until the end of the competition when Xanadrel thought of bruteforce attacks and managed to get a couple of passwords like 6{x#_a or 9Mv)0. Besides, there were passwords of the dd<month>yyy type (for example, 08march1924). For this cases, the contestant had to create rules for appending/prepending the year/day and a wordlist with months only.

Xanadrel's original write-up

Unlike Xanadrel, who chose to fight on his own, the guys from Insidepro teamed up. Their strategy was simple: try attacking any algorithm wherever possible using whatever technique was handy (a bruteforce attack, dictionaries).

The list of hardware and software tools used by the team:
Note: Since most of the team members could contribute only when they had time to it, the listed tools were not used continuously during the competition days. Only a part of the hardware/software was used at once.

Most of the times, the participants relied on tools they developed themselves, such as nsidePro’s  Extreme GPU Bruteforcer, PasswordsPro and others because they support the saltless Wordpress and phpBB out of the box. However, right in the middle of the contest, one of the team members managed to patch JtR to support these saltless hashes, thus enabling more successful attacks.

For the details, see the details in the Insideproteam's write-up

Another leader of the competition was Teardrop, formed specially for the competition by those Hashcat, who were not able to take part in it. The team used the following software:
  • Hashcat
  • oclHashcat-plus
  • oclHashcat-plus custom build to crack saltless PHPass and DCC2
  • Hashcat-utils and Maskprocessor
  • John the Ripper
  • rcracki_mt for LM
  • PasswordsPro for GOST
In the run of the challenge, the team members had to make some modifications to oclHashcat-plus and John the Ripper to load the PHPass and BFcypt hashes.  The full story you will find on the Hashcat forum.


Some fancy graphs.

The first one depicts participants' progress in time:

It should be mentioned that in such competitions participants usually try to send their answers as late as possible to confuse the rivals.

Teams progress in hash cracking:

The following types of hashes were the easiest for the teams to crack:

Top-5 Teams


InsidePro Team 2012





The final part of the competition proved to be the most tensed; the winner was decided within the latest minutes. The participants stopped their programs in a few minutes before the end to send all the passwords they had managed to brute force.

InsidePro Team 2012 held the leading position for a long time, but Teardrop were able to make a final push and leave them 11,000 points behind.  Here is the winner's stand:

1. Teardrop (Hashcat)
2. InsidePro Team 2012
3. Xanadrel

Note that the winners managed to bruteforce passwords only to 11% of the hashes.

All the participants were awarded by the organizators and sponsors of the event. The special prize, an AMD Radeon 7970 graphics card, was presented to Teardrop (Hashcat). Our congratulations to the teams!

P.S. Visit the official blog of the PHDays forum to find the links to video and slides of the presentations.


  1. Thanks for the it is all great comment in the post.

  2. Thanks that is best posts see more like Freedom APK

  3. I had to write something similar in my thesis introduction few weeks ago. It's great that I read before writing so it was still good enough.

  4. Therefore one you could count Mixcloud on for creating the Android TV Box top box in the Get brand new Android TV Box house is really ergonomic Best Android TV Box as you just need to plug visit website as well as play.

  5. There’s no better service on the market other than Essays Tigers that can fully cater to students’ custom essay writing needs. Our writers’ mastery and craftsmanship when it comes to writing allow them to produce impeccable and flawless results for all essay writing projects via our Custom Essay UK services.

  6. Essay Writing Library is the best essay writing service UK that is presently available on the internet. Students who are constantly pressurised to meet strict deadlines are frequently found to avail their Best Online essay help. This academic forum has hired possibly the most experienced and skilled writers on board.

  7. Range anxiety and lack of chargers are two huge barriers to EV adoption. But could solar power finally solve both problems? We take a look Tracy Isselhardt

  8. It is convenient to access Top Essay Writing from Online Essay Writer at some clicks on your personal computer from Best Writing Services.

  9. Quickbooks books is an accounting software used to maintain or create accounts details and records for business and firs, if you are new you can learn how to use Quickbooks by QuickBooks help guide and in case you need any help just ask for Quickbooks assistance

  10. QuickBooks Enterprise Support Phone Number is available 24/7. If timely solution is not given to the company users of Quickbooks on occurring of any malfunction or glitch then there can be huge loss to them. These loss can be prevented from happening by the use of Quickbooks Support Phone Number. This Quickbooks customer Support Amount is actually very helpful for the one who need immediate solution for their problems. QuickBooks Enterprise Support comes out to be useful for every Quickbook user. The practice of book keeping and payroll management isn't simple as the danger of error always stays inside. As the professional services of Quickbooks differs so are the help systems and system. Weather it is the setup of a new Quickbook software or need of troubleshoot within an existing one, consumer can only dial up the QuickBooks Enterprise Support Number and avail the Quickbooks Customer services.


  11. Click the Link and Download the Brother driver from & If do you need any help to setup the Brother Printer driver .Meanwhile you can call at number for instant assistance . our 24/7 team is always available for assistance.


  12. AS if you are facing any issue in canon Printer Driver .Dn’t worry to about can ask to our canon technician to transfer the call to canon Printer support Phone Number.You can also download the Brother Printer Driver from or

  13. Use the best security software McAfee for your system protection. it provides the best threads and cyber protection. it has automatically detected the spam in your system. you can use it for your betterment. mcafee security