Hi. Let's do another puzzle giveaway, shall we?

Giveaway code is in this archive: https://drive.google.com/file/d/1aOLuB4UjaNMU146ag7SdBl5NWCgBK2GK

this is the hash for those who struggle with *2john functions:

dishonored2.rar:$rar5$16$adfcb5e35691b7a94fd9d13ab971f7d9$15$3a982d63c5cf58f9f3cef927302cc5ae$8$a65479f04f14c5aa

End date: 19.04.2020 12:00 AM UTC+3
Level: 2

Hints **:

  • password is 12 characters long
  • password only contains numbers
  • if you are using crunch, than 2@ (123456 is good, 123345 is good, 123334 is not good)
  • password does not contain 9 but contains every other digit
  • password contains one 8
  • 3 digits appear more than once
  • only one pair of digits (e.g. 99456)
  • password starts with 11
  • third digit is smaller than 5
  • seventh digit is 8
  • last digit is larger than 5

Hints will be updated over time if there are not enough solvers. **
You can share other hints if you want or need help but as always - more hints usually means less chance to win.

Mood Music

John the Ripper

Answer: 114532826037

3 years ago*

Comment has been collapsed.

I thought about creating a wordlist first but that takes way too much :D
I guess I need a new approach.

View attached image.
3 years ago
Permalink

Comment has been collapsed.

you can use crunch with john (if you plan to use it) directly, no need to create actual file ;)

3 years ago
Permalink

Comment has been collapsed.

Well it's time to install Kali I suppose. Windows is not good enough for these stuff.

3 years ago
Permalink

Comment has been collapsed.

updated hints, now it's only almost 3TB for crunch, totally doable :)

3 years ago
Permalink

Comment has been collapsed.

With the last hints, it would be probably a lot be easier but I already started crunch and john. Let's see how long it takes.

3 years ago
Permalink

Comment has been collapsed.

with hints applied, it took me 1 minute to generate wordlist and 20 minutes to get password @ 2500p/s
my end wordlist size is 64.2MB (4941258 possibilities) but i'm not using one of the hints:

  • 3 digits appear more than once
3 years ago
Permalink

Comment has been collapsed.

cool! let's try it!

3 years ago
Permalink

Comment has been collapsed.

I appreciate you doing these good giveaways, I just don't understand how to enter any of them though šŸ¤·šŸ»ā€ā™€ļø
Good luck to all the nerds out there.

3 years ago
Permalink

Comment has been collapsed.

This thing really really doesn't like windows (no matter what I do, the "..hashes loaded" problem appears)..I don't think I can get any further with it :/

3 years ago
Permalink

Comment has been collapsed.

docker?

3 years ago
Permalink

Comment has been collapsed.

Mood Music
... ... ... and jumbo

EDIT..

3 years ago*
Permalink

Comment has been collapsed.

Curious if another windows user managed anything with John..

3 years ago
Permalink

Comment has been collapsed.

john works fine on windows, have used it on windows 10. as i understood, crunch has a problem on windows but crunch is optional, just might be faster with crunch ;)

3 years ago
Permalink

Comment has been collapsed.

I'm baffled.. Used latest build and keep getting "No password hashes loaded <see FAQ>" in Win7 but I don't think it matters. Plain command, not even switches. Worked fine on another file I tried. I'll probably give up, nothing else to try.

3 years ago
Permalink

Comment has been collapsed.

did you get the hash before you use john? "No password hashes loaded" happen when you use john with file without getting hash or john can't read it

3 years ago*
Permalink

Comment has been collapsed.

...nevermind.. found the way.. It was way too obvious after all, I was doing one step fundamentaly wrong..

3 years ago*
Permalink

Comment has been collapsed.

That's the error I'm getting too. I did this:

  • Downloaded jumbo version of JTR and Johnny (GUI).
  • Since RAR isn't passwd format, I used file => open other format (*2john)
  • Chose rar as format.
  • Chose random file name to save hashes to.
  • Picked the RAR file in format options.
  • Clicked "convert". Supposedly I need Perl and Python installed, I only have Python, not sure if this matters? Conversion worked anyway.
  • When I click "start new attack", nothing happens. The console log says "No password hashes loaded (see FAQ)".
3 years ago*
Permalink

Comment has been collapsed.

I can't help you with GUI, I only use command line..

3 years ago
Permalink

Comment has been collapsed.

i added hash itself to op as i understand that windows is working against people here

3 years ago
Permalink

Comment has been collapsed.

im not even able to launch the john terminal it just close a microsecond after opening it :') so i believe its not always fine on w10

3 years ago
Permalink

Comment has been collapsed.

try opening terminal first and then just call john from it

3 years ago
Permalink

Comment has been collapsed.

unless its the default windows cmd you are talking about, i can't seem to have any terminal that open with john, i tried each and every.exe i found ni the run folder (and all the other folder) wich is a lot btw

3 years ago
Permalink

Comment has been collapsed.

powershell? but cmd should work as well. just run it and then use cd to move to john directory and then just type name of exe file into cmd

3 years ago
Permalink

Comment has been collapsed.

yes powershell, though i tried with powershell and command prompt (after a few trial and errors), but in the end it only says that the app "can't execute on my PC" (i used john-1.9.0-jumbo-1-win64) in a big orange windows. So i guess thats it x) might be some things to tweak here and there, but since my compter is running well, i won't try anything that can modify it for now. Though I do wish good luck for all the one that are still trying to get this code !

3 years ago
Permalink

Comment has been collapsed.

john is not only tool, it was just a suggestion

3 years ago
Permalink

Comment has been collapsed.

password does not contain 9

Had an idea what the password could be, no luck though. Still, could it be that

(EDIT: My question / hint has been posted: "password contains one 8")

3 years ago*
Permalink

Comment has been collapsed.

how did you know?

3 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 3 years ago.

3 years ago*
Permalink

Comment has been collapsed.

I thought i was clever when I noticed that 2003 was ā€­011111010011ā€¬ in binary which was 12 digits long. but alas my wild guess was incorrect.

3 years ago
Permalink

Comment has been collapsed.

password was generated in random.org ;)

3 years ago
Permalink

Comment has been collapsed.

Damn it! :D

3 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 3 years ago.

3 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 3 years ago.

3 years ago
Permalink

Comment has been collapsed.

it means that there are not more than 2 of the same charcters next to each other. for example, 123945 is good, 123994 is good, 123999 is not good

3 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 3 years ago.

3 years ago
Permalink

Comment has been collapsed.

well, you can guess it but it would probably take a long time. if you come up with the right algorithm based on hints for any brute force tool, it won't take long as number password can be broken in short amount of time. (if you have enough power)

it took few hours for john to crack this (without hints except length) but I have a weak cpu and gpu cracking for amd gpu on Linux is hard to set up (i haven't done it obviuosly)

3 years ago
Permalink

Comment has been collapsed.

View attached image.
3 years ago
Permalink

Comment has been collapsed.

i am to stupid

3 years ago
Permalink

Comment has been collapsed.

Can you provide an example for that: 1 digit repeats side by side?
Thx

3 years ago
Permalink

Comment has been collapsed.

1233456

3 years ago
Permalink

Comment has been collapsed.

this means ONLY 1 digit do that, or 1 digit definitely do that?

3 years ago
Permalink

Comment has been collapsed.

only

3 years ago
Permalink

Comment has been collapsed.

thx :)

3 years ago
Permalink

Comment has been collapsed.

This is great idea:) I am gonna pass that one since brute force with mask would take a long time but cheers mate:)

3 years ago
Permalink

Comment has been collapsed.

well, on my not so good laptop without hints/masks it took few hours, so not that long ;)

3 years ago
Permalink

Comment has been collapsed.

Ah - I used https://rarpasswordcracker.com/ , which has a rate of approx. 700 passwords per second (on my crappy 2007 low-end PC). With only the first two hints (12 characters, numbers only) it would take 45 years.

I also downloaded a "jumbo" version of JTR which supposedly also can handle rar archives, and a GUI for it (Johnny). Just didn't get it to work yet.

3 years ago
Permalink

Comment has been collapsed.

45 years for 12 numbers? that is wrong calculation even for bad pc

3 years ago
Permalink

Comment has been collapsed.

10^12 / 700 / 3600 / 24 / 365 = 45,3 (approx.)

3 years ago
Permalink

Comment has been collapsed.

if you say so :D

my slow cpu is doing 250 hashes per core, so it's 1k per sec. if you do random numbers, not 111,112,113, it shouldn't be so long. and if you add hints, it's much less

3 years ago
Permalink

Comment has been collapsed.

10^12 = 1,000,000,000,000 different passwords
700 passwords per second = 1,428,571,428 seconds => 16,534 days => 45.3 years

3 years ago
Permalink

Comment has been collapsed.

The problem here are the 700 attempts per second. My old 486DX 33 should be able to do better than that.

3 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 3 years ago.

3 years ago
Permalink

Comment has been collapsed.

if it's not 9, it must be there ;)

3 years ago
Permalink

Comment has been collapsed.

Already have the game, but tempted to chase the puzzle. Alas, there is too much to DL and study. XD

3 years ago
Permalink

Comment has been collapsed.

tried kraken but have no idea how to use 5-7 hints in it, so it would take around 19 years to check all the possible numbers :D

3 years ago
Permalink

Comment has been collapsed.

I am not sure how to set additional custom rules in JTR (like only 2 numbers can be repeated in a sequence)

Even setting the min and max char to 12 and using 0-8, it will take 7 years on an i5-9300H running on 8 threads.

I think you set the password length too high :| I am using incremental=digits mode

Great challenge tho!

3 years ago*
Permalink

Comment has been collapsed.

why using incremental on defined lenght?

3 years ago
Permalink

Comment has been collapsed.

it's still min and max 12, so it's defined

3 years ago
Permalink

Comment has been collapsed.

sorry, yet i had read it..

3 years ago
Permalink

Comment has been collapsed.

that is why there are hints

3 years ago
Permalink

Comment has been collapsed.

I have 1651p/s that's will take 5 years to crack...
I'm using Intel i7-8750H with 12 OpenMP threads.
Yes the password is too long.
With 1600p/s a 7 long pwd will took 1.7 hrs, so maybe give us 5 number in the pwd... ;)

3 years ago*
Permalink

Comment has been collapsed.

if you use all hints, it will take much less time

3 years ago
Permalink

Comment has been collapsed.

IMHO, the main problem here is the advanced options for JtR are very difficult to understand by noobs. It is a program for security experts, cryptographers and hackers, not a friendly tool.

With "advanced options" I mean to understand the different hints you provided and "convert" them to masks/parameters/whatever, translated to its command line syntax.

3 years ago
Permalink

Comment has been collapsed.

jrt is just a suggestion, it's not the only tool. and crunch for wordlist build is easier to understand than jrt. if you build a wordlist, you can use jrt with simple wordlist option

3 years ago
Permalink

Comment has been collapsed.

I know, but we have the same problem: how to "translate" your hints to crunch's command line syntax? ;)

Without all the hints applied we would get a unmanageable wordlist of several TBs

3 years ago
Permalink

Comment has been collapsed.

but you can do as much as you know with crunch and do filtering after that through pipes for example. that is what i'm doing to test how many passwords will crunch and filters get.

crunch foo bar | grep foo | awk bar | sed foo

3 years ago
Permalink

Comment has been collapsed.

I'm not an expert and I can't get a wordlist smaller than 3 TB. I don't have 3 TBs of free space so I can't save that huge wordlist to apply filters after.

3 years ago
Permalink

Comment has been collapsed.

you don't have to do after, you can do in runtime.

crunch 4 4 abcdef | grep cde > word.lst - this will write in wordlist only lines containing cde

3 years ago
Permalink

Comment has been collapsed.

I'm using Windows, I'm trying with findstr instead of grep but I still can't get a wordlist smaller than 2 TB because I don't know how to apply all of the hints

3 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 3 years ago.

3 years ago
Permalink

Comment has been collapsed.

Here's my thinking so far on how to interpret the hints:

  • "password is 12 characters long": 12 spots total to fill
  • "password does not contain 9" + "password contains one 8": set aside one spot for the number 8, the rest to fill with numbers from 0 to 7
  • "3 digits appear more than once" + "if you are using crunch then 2@": means we have 3 digits each appearing exactly twice, so basically we do n-choose-k with n=0..7 and k=3 then repeat the chosen numbers once, that is we filled 6 more spots in addition to one spot for the number 8
  • the remaining 5 spots should be distinct numbers from the set of numbers not previously picked above

Some quick Python to code the above:

from itertools import combinations
arr = [0,1,2,3,4,5,6,7]
res = [x+x+(8,)+tuple(set(arr)-set(x)) for x in combinations(arr, 3)]
for r in res:
  print r

We get 56 lines.

Obviously for each line the order of elements is still not accounted for, so we need to generate all permutations for each line (unrestricted there are 12! factorial per line). Fortunately we still have the following two hints to further restrict the valid permutations:

  • "password starts with odd number": self explanatory
  • "only 1 digit repeats side by side": from the 3 digits repeated, ensure only one pair of same digits is consecutive, the others are dispersed across the pattern

I haven't coded this part, but I estimate now the upper limit of number of passwords to generate is something like factorial(11)*56, or rounded down let's say 1 billion passwords. If you can check 1000 passwords/sec, that would still take over a week to crack :(

Assuming I made no mistakes, maybe someone else might improve it further, I give up šŸ¤·


EDIT2:

More hints added which cut down the possibilities significantly.

  • "password starts with 1" + "password starts with pair": so 11xxxxxxxxxx
  • "third digit is smaller than 5 "

I adjusted my code and generated all possible passwords in a ~300MB file with about 25 million passwords. At a rate of 1k pass/sec, that'll take like 7 hours to crack, much better but still a bit too much brute forcing for me...

Maybe another hint or two and it'll be within reach ;)

3 years ago*
Permalink

Comment has been collapsed.

I wrote program to generate all possible passwords and it would run for circa 1.73 days. I guess this is not the way.

edit: new hints added, now I am at 3.8 hours

3 years ago*
Permalink

Comment has been collapsed.

with all hints applied, my slow pc generated all possibilities in 2 hours

3 years ago
Permalink

Comment has been collapsed.

I am using C#, that may be slower (?).

Even if I got it, it just saves all possibilities to txt file and I don't even know how to start with multiple passwords on one archive.

Anyway, thank you for this challenge, it entertained me for some time :D

3 years ago
Permalink

Comment has been collapsed.

With the additional 2 hints you can reduce it even further (like 1/20th)
I only got 200000 possible combinations, but none worked, so Iā€˜m apparently too strict.

3 years ago*
Permalink

Comment has been collapsed.

I actually cracked it by incorporating all the new hints, but obviously didn't update my post here so not to completely give away the solution ;)

I managed to cut it down to something like 200K possible passwords before brute-forcing to get the final answer.

3 years ago
Permalink

Comment has been collapsed.

damn, adding that 8 hint sure took possibilities down :D
difference in file size between "starts with 11" and "starts with 11 and 6th is 8" is 31GB :D

3 years ago
Permalink

Comment has been collapsed.

my bad, hint was updated. must be that I haven't slept since 6 AM because someone in neighbors decided to do some construction work and was drilling something actively :(

3 years ago
Permalink

Comment has been collapsed.

Heh, I haven't finish generating last batch and new hints are already it...

3 years ago
Permalink

Comment has been collapsed.

Just a question, if you can answer:

  • if you are using crunch, then 2@ (123456 is good, 123345 is good, 123334 is not good)
  • only one pair of digits (e.g. 99456)
  • password starts with 11

Given that last hint, is it safe to assume that there are no other pairs in the password? (meaning that the first hint becomes 1@)
or is it "one pair other than the one I gave you"?

3 years ago
Permalink

Comment has been collapsed.

correct

3 years ago
Permalink

Comment has been collapsed.

That's right, the initial 11 is the only consecutive pair of digits in the password.

EDIT: Too slow, way too slow...

3 years ago*
Permalink

Comment has been collapsed.

"3 digits appear more than once" is most evil of the hints... I had to make it last check as my current implementation for this one is poor :)

3 years ago
Permalink

Comment has been collapsed.

for my test i didn't even use it and it still works pretty well with other hints excluding this one

3 years ago
Permalink

Comment has been collapsed.

password contains one 8

exactly 1?

3 years ago
Permalink

Comment has been collapsed.

yes

3 years ago
Permalink

Comment has been collapsed.

ok, following all your hints I now get 207360 possible solutions

3 years ago
Permalink

Comment has been collapsed.

none worked, was I too strict ruleswise?

3 years ago
Permalink

Comment has been collapsed.

Tried crunch, never used anything like it before....the file was going to be about 4gb but it stopped after a few seconds :/
No idea how to do >5 or <5 though....also isn't 2@ wrong? ^^

3 years ago
Permalink

Comment has been collapsed.

if you do crunch only, 2@ is one possibility. you can go around it with crunch or something else, than 2@ might not be best choice

3 years ago
Permalink

Comment has been collapsed.

Without giving too much away @ should be lowercase letters not numbers, from what I read ^^

3 years ago
Permalink

Comment has been collapsed.

there is a catch with using @ instead of %, at least as far as i have tested results of mine

3 years ago
Permalink

Comment has been collapsed.

Used all the hints I know how to use (so except the > < and the 3 digits appear more than once hint)
The wordlist has 630MB and with my i7 3770k, a 8 year old CPU, it takes 21h to crack the PW....aargh.

3 years ago
Permalink

Comment has been collapsed.

that's too much. my wordlist without 3 digits appear more than once hint is 29.1MB and it took like 10 minutes with my cpu (i5 3220M) to find it.

3 years ago*
Permalink

Comment has been collapsed.

Managed to actually lower it to 60MB, it still takes 3:30h, still quite slow with only 660p/s but it's a lot better already and I can have it running while I sleep and still do something tomorrow xD
Edit: Somehow it didn't find any password that fits, so I gotta change the wordlist.

3 years ago*
Permalink

Comment has been collapsed.

you are using john? i found out recently that even rar5-opencl is faster, it may miss correct password. rar5 works best but is way slower

3 years ago
Permalink

Comment has been collapsed.

I did, yeah but I didn't know about it but I wouldn't be able to use it anyway it uses CUDA and I have an AMD GPU.

3 years ago
Permalink

Comment has been collapsed.

i also have amd gpu and john works with it (on Linux, at least. idk about other OSs)

3 years ago
Permalink

Comment has been collapsed.

This is like a Skinner box lesson on JTH. :p

3 years ago
Permalink

Comment has been collapsed.

Bump for solved.

View attached image.
3 years ago
Permalink

Comment has been collapsed.

Closed 3 years ago by ozo2003.