KoreLogic's Password Cracking Contest at DEF CON

Submitting Cracks

Once you have cracked some passwords, submit them to us in a PGP signed & encrypted email.

Password hashes

Every time you submit cracked passwords, send us the new cracks as hash:plaintext, each on one line by itself. Don't include anything else on the lines such as usernames. Normally Hashcat's potfile or --output-format=1,2 output, including possibly $HEX[] encoded plaintexts, or John the Ripper's potfile format will work.

Like previous years, we only want new cracks. We will verify them, update the stats page, and provide some feedback/mechanisms for teams to confirm that we've verified their cracks.

Initially, re-submitting repeated cracks will only be a warning, not an error that might cause a team to be blocked. At some point during the contest that will change, but it will only be enforced if a team is sending a large proportion of repeats.

If you keep sending us junk that's not correct cracks, we will assume you are spewing /dev/random at us and may shun all future mail from you.

Submit often

You should submit new cracks frequently. We encourage teams to work out some shared and/or automated way to submit cracks.

For teams that are small and/or can't automate their submissions, you may not be able to submit for some long stretches due to sleep, etc. But a sudden big jump in cracks/points after a long silence could mean that a team has stolen cracks from another team. If a team goes more than 12 hours without an update, we may decide you gave up or died of alcohol poisoning.

But not too often

Do not flood us with submissions. We will assume you are trying to DoS us. We may throttle submissions from a team sending faster than once per minute, especially if you are also sending repeats.

Repeatedly sending us multiple submissions per minute may get your team temporarily or permanently banned.

In past years we had fairly strict throttling (postgrey, fail2ban, iptables rate limiting) in place. We are going to try without such limits, but if we see abuse we may change that.

Submission feedback

Like last year, there is some feedback teams can use to verify we digested your submission.

The auto-responder will reply to a submission (unless it is complete garbage) with a short summary showing the successful cracks received, and the types of errors encountered if any.

As always, we will try to contact teams whose submissions we see fail, but no guarantees if or when we will have time to do so.

Example submission

Here is what a submission process might look like.
$ cat cracked
scrypt$BCfMQsLcteOg$12$8$1$64$bF8qTKZ1YksVZtnekxPCHb8xsybvOzxpjIzm7oP33oFo9Qw71t5N/8BctV+zx8tBjkxWMAJKnvCnmFEBO2yLZQ==:plaintext1
scrypt$pD/BBOJhQYMj$15$8$1$64$UvVbMGMvaNi8AIHVmwo+zDpTew1Gkg1Dah/XVTV0zDlO1pV5LUNMw6+fxuH1GV756iwWqj7xNcIpv+adR+J1Uw==:plaintext2

$ gpg -a -o submission-email.pgp.asc -r sub-2020@contest.korelogic.com \
    -se cracked
$ mail -s "cracked" sub-2020@contest.korelogic.com \
    < submission-email.pgp.asc

Or attach the file submission-email.pgp.asc to an empty email to sub-2020@contest.korelogic.com, for example if you are using Gmail.

Don't forget to use --local-user 0xDEADC0D3 if you have multiple private keys and want to specify which one to use for this event.
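
An added example, not part of the contest's own tooling: one way to automate the "only new cracks" and "no faster than once per minute" rules before the gpg step shown above. The ledger and stamp files, the function names and the sample hashes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not KoreLogic's tooling): ledger of submitted lines so each
# mail carries only new, well-formed hash:plaintext lines. Names are assumed.

# new_cracks POTFILE LEDGER -> prints lines not yet in LEDGER, once each
new_cracks() {
    awk -v ledger="$2" '
        BEGIN { while ((getline line < ledger) > 0) seen[line] = 1 }
        { sub(/\r$/, "") }                  # tolerate CRLF potfiles
        /^[^:]+:/ && !seen[$0]++ { print }  # hash, colon, not a repeat
    ' "$1"
}

# may_send STAMP -> succeeds if the last recorded send was >= 60 s ago
may_send() {
    now=$(date +%s)
    last=$(cat "$1" 2>/dev/null || echo 0)
    [ $((now - ${last:-0})) -ge 60 ]
}

# prepare BATCH POTFILE LEDGER STAMP -> 0 ok, 1 nothing new, 2 too soon
prepare() {
    may_send "$4" || return 2
    new_cracks "$2" "$3" > "$1"
    [ -s "$1" ] || return 1
}

# mark_sent BATCH LEDGER STAMP -> call only after the mail went out
mark_sent() {
    cat "$1" >> "$2"
    date +%s > "$3"
}

# demo: constructed sample data with placeholder hashes (not contest hashes)
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'hashA:pw1' 'hashB:pw2' 'hashA:pw1' 'junk line' > "$d/pot"
    printf '%s\n' 'hashA:pw1' > "$d/ledger"
    prepare "$d/cracked" "$d/pot" "$d/ledger" "$d/stamp" && cat "$d/cracked"
    rm -rf "$d"
}
# In real use, encrypt and mail the batch file with the gpg and mail commands
# from the example submission, then run mark_sent once the mail is handed off.
if [ "${1:-}" = demo ]; then demo; fi
```

The filter only checks the shape of each line; it cannot tell whether a plaintext is actually correct for its hash.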