Posts: 1
Threads: 1
Joined: Nov 2016
I am looking for information on how to retrieve the hash value from the plist file of an encrypted iTunes Backup. I know if i drop the file in Passware or Elcomsoft it'll do it automatically, but I don't feel like paying $1000 and then renewing licenses every year. I have been using hashcat for a few months now on NTLM and various others and love that it makes my job a lot easier.
And as someone gave the answer in a similar thread, Google it, I have and haven't had much luck. I have seen some reference to the keybag and looking at it in a plist editor or Hex editor, I guess I'm just missing the part of where the hash is within the data set that follows.
I apologize if it is that simple and I'm that stupid, but I'm just looking for some guidance or an answer. I get how to put the hash in to hashcat once I get it. I know it's in the manifest. It is for phone forensics for work, and I'm just running out of ideas. Thanks for any help.
If this is in the wrong area or inappropriate, please delete/move/yell at me.
Posts: 3
Threads: 0
Joined: Dec 2016
12-10-2016, 12:06 AM
(This post was last modified: 12-10-2016, 12:07 AM by IncognitoEntity.)
Hi Warren,
I'm currently working on the same thing within Digital Forensics (law enforcement uk). Our current software passware is not as fast as I was expecting, so I started to look at how I could get the necessary information out. I too am currently stuck. If you have X-Ways/Winhex (WinHex for this is better so you can edit/copy etc) open the manifest.plist file of the encrypted backup and it will be the backupkeybag. You will see tags like ITER, SALT, WPKY, CLAS etc. From reading the other posts (from what I can gather) the hash format is PBKDF2-HMAC-SHA1.
sha1:10000:salt:somehashordatabase64?
The ITER tag shows the iteration count for the PBKDF2 algorythm. In hex (big endian) it will show as 27 10 decimal 10000. This is the number of rounds.
The SALT tag appears to have 20 bytes of data proceeding it. I've been ignoring the 00 00 00 14 hex values before it, however i'm unsure this is necessary. I've then been converting the 20 bytes to base64 using WinHex, which is what the PBKDF2-HMAC-SHA1 -m 12000 option wants to take in as a salt. Again i'm unsure if this is right.
The last section that I have said I have tried the WPKY, UUID etc as base 64 but with no luck.
Please let me know your thoughts if you have something different. I really want to use hashcat for this task!
(11-15-2016, 09:50 PM)jwarren Wrote: I am looking for information on how to retrieve the hash value from the plist file of an encrypted iTunes Backup. I know if i drop the file in Passware or Elcomsoft it'll do it automatically, but I don't feel like paying $1000 and then renewing licenses every year. I have been using hashcat for a few months now on NTLM and various others and love that it makes my job a lot easier.
And as someone gave the answer in a similar thread, Google it, I have and haven't had much luck. I have seen some reference to the keybag and looking at it in a plist editor or Hex editor, I guess I'm just missing the part of where the hash is within the data set that follows.
I apologize if it is that simple and I'm that stupid, but I'm just looking for some guidance or an answer. I get how to put the hash in to hashcat once I get it. I know it's in the manifest. It is for phone forensics for work, and I'm just running out of ideas. Thanks for any help.
If this is in the wrong area or inappropriate, please delete/move/yell at me.
Posts: 1
Threads: 0
Joined: Dec 2016
12-21-2016, 11:52 AM
(This post was last modified: 12-30-2016, 10:54 AM by goclukee.)
There should be a way to retrieve it. Take a loot at UUkeys, which has a program called
iTunes Backup Unlocker i guess it retrieves the value from manifest.plist file and brute-force the password accordingly.
Posts: 2
Threads: 0
Joined: Jan 2017
(12-10-2016, 12:06 AM)IncognitoEntity Wrote: Please let me know your thoughts if you have something different. I really want to use hashcat for this task!
Maybe these two resources help?:
http://stackoverflow.com/questions/14983...one-backup
https://www.theiphonewiki.com/wiki/ITune...ckupKeyBag
Posts: 14
Threads: 3
Joined: Dec 2016
I also look for a possibility to read out the hash from the PLIST file.
iTunes Backup Unlocker Does not run on Linux
Posts: 2,936
Threads: 12
Joined: May 2012
For extracting the hash and salt from the .plist file, you can use
https://github.com/stricture/hashstack-s...hashcat.pl
Posts: 14
Threads: 3
Joined: Dec 2016
Thank you...
Unfortunately comes as output only
sha1:1000::
Posts: 2,936
Threads: 12
Joined: May 2012
Then that .plist file doesn't contain the RestrictionsPassword key.
Posts: 3
Threads: 0
Joined: Jan 2017
(01-16-2017, 11:01 PM)epixoip Wrote: Then that .plist file doesn't contain the RestrictionsPassword key.
The restrictions backup key is useful for deriving the user's pin, but that will not allow access to an iTunes encrypted backup.
The encrypted password is located in the manifest.plist file of an iTunes encrypted backup. Cellebrite, Elcomsoft, and the other iTunes backup cracking tools need only the manifest.plist file to run an attack on the pw. The 'keybag' part of this file contains several attributes that would need to be decoded to find the hash, salt, and sha1 iteration count.
Posts: 2,936
Threads: 12
Joined: May 2012
I'm not that familiar with Apple products or iTunes but assuming the algorithm is one that Hashcat supports, we should be able to modify plist2hashcat.pl to support both iOS and iTunes. Can you provide me with an example of a manifest.plist that contains the required keys?