@roycewilliams
Last active April 16, 2019 04:18
crackthecon-nsec3-argon2i-puzzle.txt
# As told to a friend on IRC - 2019-04
# Line breaks added and a few edits for readability
omg you should have heard me yell
so you download a 7z before the contest starts
but it's password-encrypted ;)
and they give you the password when the contest starts
normally when they unzip there are some text files, with hashes in them
one of the text files contained only this single line:
$ cat InTheZone.txt
dig +short +dnssec starthere.crackthecon.0x23.pw TXT
... which is [in other words, which, when run, returns this DNS response]:
TXT 13 4 3600 20190423031048 20190409014048 38593 crackthecon.0x23.pw. P7B6eCR2dR784OLFFj75Ka8VC2qvZ8ssCJqq+akuPzsLSuIqLVbP2Fzm iD5ixoDWdMgZ8xzVDHXEOsRm8A7rTA==
we never did crack the 128-byte hash that is behind that base64 part
but
it turns out that because of how some DNSSEC works, there's a zone enumeration problem (like a zone transfer)
that they can't really work around, except they *hash the hostnames*
they're called NSEC3 hashes
and they're one of those cases where hashes are public by design
so
https://www.google.com/search?q=crack+dnsssec+hashes
first hit is:
https://github.com/anonion0/nsec3map
basically it does a binary walk by searching for randomly named hostnames within the zone
and the server has to either say "yep, that's a host" or, crucially, "no, that's not a host, but here's a hash of the next available hostname"
next available by hash, i think
when i learned about this a couple of years ago
i actually used censys.io data to get a list of all zones doing dnssec nsec3
and used this tool to harvest all of the hosts i could find
and try to crack them
and if anyone looked at the issue history for the project, you'd see me, e.g. https://github.com/anonion0/nsec3map/issues/6
i know these guys, and i think they knew about my interest in this
so in some ways they crafted this puzzle for me specifically
i had to figure out what name server to hit
there were no NS records for the zone:
$ host -t ns starthere.crackthecon.0x23.pw
starthere.crackthecon.0x23.pw has no NS record
$ host -t ns crackthecon.0x23.pw
crackthecon.0x23.pw has no NS record
$ host -t ns 0x23.pw
0x23.pw has no NS record
... but there is one mentioned in the WHOIS!
$ whois 0x23.pw | grep 'Name Server'
Name Server: NS.0X23.PW
[the actual n3map command was:]
$ n3map -v --ldh --max-retries=1 --timeout=30000 -o crackthecon.0x23.pw.zone ns.0x23.pw crackthecon.0x23.pw
there were like 35000 hashes
so i'm happily cracking them
and then i think
they're kinda long and random-ish
but valid DNS hostnames - lower, digits, and dash
so i think to myself
"hey, these are real hostnames, i wonder if these are real hosts"
so I do a dig on one of the cracked hostnames
0beo6hqibsaj4q4aafi5o670ka0isfun:.crackthecon.0x23.pw:4754464f214e6f7468696e6748657265:19:heartyomonon
^ that's what the crack looks like, and 'heartyomonon' is the hostname
and the DNS lookup reveals:
$ host -t any heartyomonon.crackthecon.0x23.pw
heartyomonon.crackthecon.0x23.pw descriptive text "$argon2i$v=19$m=131072,t=3,p=2$M6YUQqg1BkAIwVgrRYjRGg$RaiqjFwP7/nAF6c8z5/EX+HMYli0YXvMnZa1mkWwjkk"
heartyomonon.crackthecon.0x23.pw has RRSIG record TXT 13 4 3600 20190423031048 20190409014048 38593 crackthecon.0x23.pw. GXvOrxMXL1ar8LnXXpvPkgFSuMOx8cNgTb9Q/evuL3DqLbV4IXyNalox Bf8NQiS85HTTasNdC1NCzfXN0SpOSw==
that TXT record
contains
a DIFFERENT PASSWORD HASH
type argon2i is SUPER HARD
like, so hard that hashcat hasn't even bothered to add *support for it*
the only software that currently supports it is john the ripper
so
the contest dynamics are interesting, right?
i have to crack the nsec3 to even get the corresponding argon2i
the nsec3 is only worth 100 points (or 200 if you crack it before anyone else does)
the argon2i is worth 1000 points, or 2000 if first
so
it's like scavenger hunt + capture-the-flag
so one guy is cracking nsec3s, and feeding them to another guy who is trying to crack them
the argon2is i mean
but it's suuuuuuuuuuuper slow to crack argon2i
and so then we realize that the argon2i plains are either the hostname itself, or the hostname modified by a password-mangling rule (all caps, leet, reversed, etc.)
so it was a race
that's just one example
there were many puzzles some of which we never solved at all
it also sucked because it was in the middle of the work week, so i couldn't devote as much time/attention to it, nor sleep as little as usual :)
[comment from friend about polyphasic sleep]
heh, did dabble in that briefly in college but couldn't pull it off for an extended period
but during the contest, I'd sleep 2 hours, then be up for 22
finding those argon2is was the killer edge for us - other teams found and cracked the NSEC3s but appear to have never explored that they might be real hostnames
argon2i cracks were literally 1/3 of our total score
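Added example, not part of the original gist: a small RFC 5155 NSEC3 hash implementation that recomputes the crack line quoted above (hash:.zone:salt:iterations:plaintext, the hashcat-style output format) to show why these hashes are "public by design" and cheap to check, since they are plain SHA-1 with a handful of iterations over the owner name. The RFC 5155 Appendix A vector is included as a sanity check; field layout of the crack line is assumed from the gist.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet (RFC 5155 s1.3); both alphabets
# are in the same order, so a byte translation suffices.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase
    labels, each preceded by its length byte, terminated by a zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash per RFC 5155 s5: SHA-1(name || salt), then `iterations`
    further rounds of SHA-1(prev || salt), base32hex-encoded. 20 bytes
    encode to exactly 32 chars, so no padding appears. "-" means no salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


def verify_crack(line: str) -> bool:
    """Recompute a hashcat-style NSEC3 result line of the form
    hash:.zone:salt_hex:iterations:plaintext (layout as in the gist)
    and report whether <plaintext>.<zone> really hashes to `hash`."""
    hashed, zone, salt_hex, iterations, plain = line.strip().split(":")
    owner = f"{plain}.{zone.lstrip('.')}."
    return nsec3_hash(owner, salt_hex, int(iterations)) == hashed.lower()


# The crack line quoted in the gist; the salt bytes happen to be the ASCII
# string "GTFO!NothingHere".
GIST_CRACK = ("0beo6hqibsaj4q4aafi5o670ka0isfun:.crackthecon.0x23.pw:"
              "4754464f214e6f7468696e6748657265:19:heartyomonon")

if __name__ == "__main__":
    # RFC 5155 Appendix A: H(example.) with salt aabbccdd and 12 iterations
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(verify_crack(GIST_CRACK))  # True
```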