

The Basics:

What: A password cracking contest sponsored by KoreLogic.



Where: DEFCON 23 at Paris & Bally's in Las Vegas.



When: The main contest lasts 48 hours:

11:59:59 PM PDT Thursday Aug 6 - 11:59:59 PM PDT Saturday Aug 8, 2015



Who: Teams with at least one team member attending the conference.



Why: To help push the envelope of password cracking techniques / methodologies and win a prize while you are at it.



Winning: There were prize pools for a "Pro" class and a "Street" class of competitor.



Updates: Watch @CrackMeIfYouCan for updates.




Contest Registration



To register for the contest and be eligible to win, several things must happen. They do not need to happen all at the same time. You can pre-register now and receive the hashes as soon as the contest starts, or register during the conference, after the contest has started.

Import our PGP keys - All messages to us should be encrypted to our key(s).

Submit your PGP key to us - We will only accept PGP-signed emails from keys that have been registered with us.

Reply to a confirmation challenge - Verifying your email address and PGP key.

Tell us your team name - Optional, as your primary identifier is your PGP KeyID.

Tell us if you are a Pro team

Submit a registration code - To prove your team attended DEFCON. Otherwise you can still play, but you can't win.



Detailed instructions for each step are below.

Import our PGP keys

There are two PGP keys you need to import:

The key for sub-2015@contest.korelogic.com, the submission autoresponder, available here. That's the email address and PGP key you'll use for all the steps below.

The key for defcon-2015-contest@korelogic.com, the group alias for the humans running the contest, available here. You really only need this if something goes wrong, and you need to contact us (or we contact you; our correspondence will always be signed with that or our individual @korelogic.com keys).

Submitting your PGP key

You can use an existing PGP key or create a new one - however, the key you use must have only one UID (email address), so don't use an existing key if you have multiple UIDs attached to it.

You must send us the key in an email that is encrypted to us and signed by that key. You do not have to send all mails to us From: the email address in the key, but you must be able to receive emails sent to that address. I.e. if alice@example.org and bob@example.org create a PGP key for foo@gmail.com, it does not matter if all their mails to us come from either alice@ or bob@ or wherever, as long as they will receive replies we send to foo@gmail.com.

You may use ASCII-armored, inline PGP messages or MIME messages with PGP'ed attachments (either sign+encrypt the whole message, or add a signed & encrypted attachment to a plaintext message).

A suitable way to compose your key-registration email after you've made your key using GnuPG would look like this, assuming your new PGP key has keyid 0xDEADBEEF:

    $ gpg -a -o my-key.pub.asc --export DEADBEEF
    $ gpg -a -o keysub-email.asc -r sub-2015@contest.korelogic.com \
          -se my-key.pub.asc

And then either email that as an inline-PGP message:

    $ mail -s "PGP key" sub-2015@contest.korelogic.com < keysub-email.asc

Or, attach the file keysub-email.asc to a regular email to sub-2015@contest.korelogic.com, such as if you are using Gmail.

The Subject: is not really important, nor is the From: - we only trust what is inside the encrypted+signed message.

Don't forget to add '--default-key DEADBEEF' if you have more than one secret key, such as if you already had a key but created an additional one just for use during this contest.

Note: the submission processor does not support detached signatures, separate from the encrypt stage. So for instance if you create your message so that it looks like:

    mime(encrypt(mime(payload.txt, signature.asc)))

Then that will not work. In particular we have seen in past years' contests that the Apple Mail client likes to create messages that way. They will be silently dropped by the submission handler. We might or might not have time to notice and contact you directly about it. Try pre-generating the encrypted+signed file, and then attach it to a non-PGP'ed email.



Confirmation Challenge

When we have learned your PGP key, we will send an encrypted challenge to the email address in the PGP key. This is to make sure we are able to reach you at that address and using that key. Once you decrypt it, it will contain instructions on what to send back to us, PGP signed + encrypted, to confirm your address. You would do that with something like:

    $ gpg -a -o response-email.asc -r sub-2015@contest.korelogic.com -se
    [cut-and-paste the challenge line]
    ^D
    $ mail -s "Challenge Response" sub-2015@contest.korelogic.com < \
          response-email.asc

...Or attach response-email.asc to a Gmail message, etc.



When we receive and verify that response from you, you will get another email acknowledging it. Your email address will be on the list to receive the password hashes, and to submit cracked passwords to us. However you will not be eligible to win until we have received a registration code from you to prove that someone from your team attended DEFCON (see below).

Team Names

Your primary identifier, as far as we are concerned, is your PGP keyid. Team names are sugar for the stats pages, etc.

Team names must be from 4 to 40 characters long, and consist of only letters, numbers, spaces, hyphens, and underscores, and start and end with a letter or number. In other words, they must match:

    ^[A-Za-z0-9][-_A-Za-z0-9 ]{2,38}[A-Za-z0-9]$

We reserve the right to reject or mangle your submitted name.

Register your team name with us by sending a signed, encrypted email as described above, containing the line:

    Team: team_name

...in the encrypted body. You can include this when you are first sending us your key; just include the Team: line as the first line of the payload, followed by the PGP public key block, that you encrypt+sign into keysub-email.asc in the example above.

We will notify you (after you've confirmed your email address; see above) if we reject your team name for some reason (duplicate, contained nothing but profanity, etc). In the meantime your team will be identified by its PGP keyid.

Pro Teams

Once you have received the confirmation email that your team's public key has been registered (after you have sent in your Challenge response), if you want to compete in the "Pro" category, please send a PGP-signed email to our human contact address, defcon-2015-contest@korelogic.com, telling us so.

Registration Code (at DEFCON)

All of the steps above can be done before you've physically arrived at DEFCON. You can (and we recommend you do) submit your PGP key and team name, and answer the confirmation challenge in advance.

Once you have submitted your PGP key and confirmed its email address, you can start participating in the contest. So, if you are not arriving at DEFCON until late Friday, you can still start cracking at midnight with everybody else. But you will not be eligible to win unless you complete the final step, submitting a valid registration code.

At our table at DEFCON, we will be handing out little pieces of paper with registration codes on them. Come visit us, get a registration code, and then send us an encrypted, signed email containing the line:

    Code: 1234-5678-90AB-CDEF

If you have not pre-registered your PGP key, you can do all three steps something like this:

    $ echo "Team: awesome" > reg-email
    $ echo "Code: 1A2B-3C4D-5E6F-7081" >> reg-email
    $ gpg -a --export DEADBEEF >> reg-email
    $ gpg -a -o keysub-email.asc -r sub-2015@contest.korelogic.com \
          -se reg-email
    $ mail -s "Registration" sub-2015@contest.korelogic.com \
          < keysub-email.asc

(Again, remember --default-key DEADBEEF if this isn't your only key.)

After this you will still need to wait for the confirmation challenge, decrypt and respond to it.

Now you are ready to submit cracks; look here for instructions.
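Because the submission handler drops bad messages silently, it helps to check a payload locally before encrypting it. The following is an added example, not KoreLogic's code: it checks the team-name pattern from "Team Names", counts UIDs for the one-UID rule from "Submitting your PGP key", and checks the payload layout. The function names are hypothetical, and the registration-code pattern is an assumption inferred from the two sample codes on this page.

```shell
#!/bin/sh
# Added example, not KoreLogic's code: pre-flight checks before `gpg -se`.
TEAM_RE='^[A-Za-z0-9][-_A-Za-z0-9 ]{2,38}[A-Za-z0-9]$'  # rule quoted on the page
CODE_RE='^[0-9A-F]{4}(-[0-9A-F]{4}){3}$'  # assumption, from the page's samples
NL='
'

# Match a whole value against an ERE. Embedded newlines are refused first,
# because grep matches per line and would approve "good<newline>anything".
matches() {
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq -- "$2"
}
valid_team() { matches "$1" "$TEAM_RE"; }
valid_code() { matches "$1" "$CODE_RE"; }

# Count user-ID records in colon-format key listings read from stdin, e.g.
#   gpg --with-colons --fixed-list-mode --list-keys DEADBEEF | count_uids
# The contest requires exactly one UID, so anything but "1" needs a new key.
# Revoked UIDs are counted too, which errs on the strict side.
count_uids() { grep -c '^uid:' || true; }

# Check a plaintext payload file (reg-email in the page's example): optional
# "Team:" and "Code:" lines plus an armored public key block.
# Prints each problem found and returns 1 if there was any.
check_payload() {
    rc=0
    team=$(sed -n 's/^Team: //p' "$1")
    code=$(sed -n 's/^Code: //p' "$1")
    if [ -n "$team" ] && ! valid_team "$team"; then
        echo "bad team name: $team"; rc=1
    fi
    if [ -n "$code" ] && ! valid_code "$code"; then
        echo "bad registration code: $code"; rc=1
    fi
    if ! grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' "$1"; then
        echo "no public key block"; rc=1
    fi
    return $rc
}
```

Run `check_payload reg-email` on the plaintext file before the `gpg -se` step; a payload with two `Team:` lines is rejected because the extracted value then contains a newline.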







