You probably remember that for DEFCON I built a hat that was turned into a game. In addition to scrolling messages on an LED marquee there was a WiFi router hidden inside the hat. Get on the AP, load any webpage, and you would be confronted with a scoreboard, as well as a list of usernames and their accompanying password hashes. Crack a hash and you can put yourself on the scoreboard as well as push custom messages to the hat itself.
Choosing the complexity of these password hashes was quite a challenge. How do you make them hackable without being so simple that they would be immediately cracked? I suppose I did okay with this because one hacker (who prefers not to be named) caught me literally on my way out of the conference for the last time. He had snagged the hashes earlier in the weekend and worked feverishly to crack the code. More details on the process are available after the jump.
He and his compatriots really went all out on this. As a countermeasure against all the accounts getting hacked very quickly I made 8 different firmware images for the WR-703N router (which runs OpenWRT). To differentiate these I added themes. This first one is “Dune” but we also had Star Trek, Star Wars, and Hitchhiker’s Guide to the Galaxy. Because of this, the hash crackers scraped a bunch of Dune-themed websites to build their own dictionary files. This turned out to be a red herring. I had tested dictionary passwords and cracked them in a matter of minutes. I didn’t think to use odd words like those from Frank Herbert’s books. That would have been a great idea.
The password generator I used was written in Python and can be found in this project log. I chose to use random loops to generate passwords that were 5-7 characters long and drew from one of several character sets: lower case only, lower case with numbers, lower case with upper case and numbers, and all of those plus the punctuation on the top row of your keyboard. Even a brute force is time-consuming with 5-7 characters, but limiting the character choices will get you there a lot faster. In the end, 5 of the passwords were cracked in around an hour (which was my target complexity) and about 15 more were discovered overnight.
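To make the “limiting the character choices” trade-off concrete, here is an added example (written for this page, not the generator from the project log) that builds 5-7 character passwords from the tiers described above and computes the size of the keyspace a brute force would have to cover for each tier. The exact character sets and the guess rate used for the time estimate are assumptions, not values from the post.

```python
import secrets
import string

# Character-set tiers modelled on the post. Assumption: the author's
# generator may have used slightly different sets; these are illustrative.
TOP_ROW_PUNCT = "!@#$%^&*()"
CHARSETS = {
    "lower": string.ascii_lowercase,
    "lower+digits": string.ascii_lowercase + string.digits,
    "lower+upper+digits": string.ascii_letters + string.digits,
    "lower+upper+digits+punct": string.ascii_letters + string.digits + TOP_ROW_PUNCT,
}

MIN_LEN, MAX_LEN = 5, 7  # length range stated in the post


def generate_password(charset_name, length=None):
    """Return a random password from the named tier.

    Uses the `secrets` module (CSPRNG) rather than `random`, so the output
    is unpredictable even if an attacker knows the generation scheme.
    """
    charset = CHARSETS[charset_name]
    if length is None:
        length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    return "".join(secrets.choice(charset) for _ in range(length))


def is_valid(password, charset_name):
    """Check that a password matches the length and alphabet of a tier."""
    charset = CHARSETS[charset_name]
    return MIN_LEN <= len(password) <= MAX_LEN and all(c in charset for c in password)


def keyspace(charset_size, min_len=MIN_LEN, max_len=MAX_LEN):
    """Number of candidate strings of each length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, guesses_per_second, min_len=MIN_LEN, max_len=MAX_LEN):
    """Worst-case time to try every candidate at a constant guess rate.

    The guess rate is an assumed figure; real rates depend entirely on the
    hash algorithm and the attacker's hardware.
    """
    return keyspace(charset_size, min_len, max_len) / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses/second, a constructed figure for illustration
    for name, charset in CHARSETS.items():
        size = len(charset)
        print(
            f"{name:28s} alphabet={size:3d} keyspace={keyspace(size):16,d} "
            f"worst-case={seconds_to_exhaust(size, ASSUMED_RATE) / 3600:10.1f} h "
            f"sample={generate_password(name)}"
        )
```

Running it shows why the lower-case-only tier falls first: at the same guess rate its keyspace is several hundred times smaller than the tier that adds upper case, digits and punctuation, even though both produce passwords of the same length.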
Once they had the cracked hashes they tracked me down, and without me realizing it, used ssh to get into the hat and leave their alias for the scoreboard. Furthermore they figured out that echoing to /dev/ttyUSB0 pushes messages to the hat. This means they figured out everything that could be done for this challenge.