Hat Hash Hacking at DEFCON

You probably remember that for DEFCON I built a hat that was turned into a game. In addition to scrolling messages on an LED marquee there was a WiFi router hidden inside the hat. Get on the AP, load any webpage, and you would be confronted with a scoreboard, as well as a list of usernames and their accompanying password hashes. Crack a hash and you can put yourself on the scoreboard as well as push custom messages to the hat itself.

Choosing the complexity of these password hashes was quite a challenge. How do you make them hackable without being so simple that they would be immediately cracked? I suppose I did okay with this because one hacker (who prefers not to be named) caught me literally on my way out of the conference for the last time. He had snagged the hashes earlier in the weekend and worked feverishly to crack the code. More details on the process are available after the jump.

He and his compatriots really went all out on this. As a countermeasure against all the accounts getting hacked very quickly I made 8 different firmware images for the WR-703N router (which runs OpenWRT). To differentiate these I added themes. This first one is “Dune” but we also had Star Trek, Star Wars, and HitchHicker’s Guide to the Galaxy. Because of this, the hash crackers scraped a bunch of Dune themed website to build their own dictionary files. This turned out to be a red herring. I had tested dictionary passwords and cracked them in a matter of minutes. I didn’t think to use odd words like those from Frank Herbert’s books. That would have been a great idea.

The password generator I used was written in Python and can be found in this project log. I chose to use random loops to generate passwords that were 5-7 characters long and used lower case, lower case with numbers, lower case with upper case and numbers and all the punctuation on the top row of your keyboard. Even a brute force is time-consuming with 5-7 characters but limiting the character choices will get you there a lot faster. In the end, 5 of the passwords were cracked in around an hour (which was my target complexity) and about 15 more were discovered over night.

Once they had the cracked hashes they tracked me down, and without me realizing it, used ssh to get into the hat and leave their alias for the scoreboard. Furthermore they figured out that echoing to /dev/ttyUSB0 pushes messages to the hat. This means they figured out everything that could be done for this challenge.

11 thoughts on “Hat Hash Hacking at DEFCON

  1. Good work. I wonder what he cracked on. I never ended up connecting because I only saw you in the vendor area and didn’t feel like pulling out my laptop there. If I wanted to crack it I would have probably whipped our an aws instance.

  2. I used a Radeon 7970 graphics card with oclhashcat to crack the MD5s at about 200-500k/sec depending on how many hashes were left!

  3. I’d like to know more about the whole system – How exactly did the ‘8 different firmwares’ work out? Were you reflashing the hat? And how would the theme show up?

    1. The eight firmwares were just different versions of the same thing. Mike was using the ‘Dune’ firmware, where all the usernames were taken from Dune. There was a Star Wars version, a HHGTTG version, and a Star Trek version, as far as I know.

      1. Thanks!
        What I’m still thinking about is how the themes was shown? I mean, a text saying ‘oh you know, all the passwords have something to do with Dune’ would be a little too obvious ;)
        I guess that when you first know where to look for the theme clue getting the themed word lists is an obvious next step

  4. Hashes, by their nature, cannot be cracked. They can be matched via brute force, but that is not the same thing. If an algorithm can be cracked, then it is not one-way and thus not a hash.

  5. What was the complexity of the hash? Were the passwords just hashed? What algorithm (sha, sha2, md5, other)? Static or dynamic salt used? Hashed once? Or hashed many times?

    I work in information security and would be curious what kind of hashes these guys are brute forcing in under an hour.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s