hashcat Forum
Success! - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: Success! (/thread-11744.html)



Success! - l008com - 12-27-2023

I've been using hashcat for the past month to try to recover a forgetful client's password on their old MacBook Pro. If it sounds fishy, I assure you it is not. This is definitely their real, legit computer. 

Unfortunately, they couldn't tell me ANYTHING about the password. I kept asking but they never got around to giving me any sort of basic info. Even basic stuff like the fact it may start with letters then have numbers for example. 

I performed this magic using a 2012 Mac Pro with 6 CPUs and an RX 480 8GB GPU. I only used the GPU though. It did about 4300 hashes per second, and getting the extra 200 hashes per second to use the CPUs too, did not seem worth it. But I was looking for another RX 480, if I could find one for $40, that would have been worth it to double the hash rate. But I never did. 

So first I did the 1.1 billion long crackstation password list. Physical login passwords are typically weak so I fully expected it to be in there. But no dice. 

Then I used the charset [a-zA-Z0-9!@?] and I tried every possible password up to 5 characters. Beyond that, it would have taken too long. 

Then I downloaded a wordlist that had 17 billion words and was about 350 GB I believe. I wrote a little PHP script to filter and sort it. It was a pretty cool script too, it read the source file in chunks, and sent those chunks to copies of itself to be processed. So it was multithreaded and it worked great, although I did use a RAM disk for part of the processing so I didn't get HDD bottlenecked. I filtered that list by the same character set, and also by whether the password started with a capital letter, lowercase letter, or number. Then I rejoined the list with caps first, then lowercase, then numbers. Hopefully this would be more likely to find the password sooner than later. The wordlist has a LOT of other symbols which I broke into another file that I would have run after all this but thankfully I didn't need to. 

Now if I had run through ALL of these chopped up and sorted wordlists and found nothing, I would really be in a bit of a pickle unless the customer could have found me ANYTHING to go on. I was assuming the pw was some amount of letter, then some amount of digits, then maybe a some amount of symbols. But confirmed that would have helped if I had to go back to bruteforcing. But thankfully I did not. 

So with ALL of that combined, I went through about 9.3 billion passwords and right around 30 days and about an hour ago, success! My PCI bay fans spin down very slowly when the PCI cards stop making heat, so I didn't even notice for an hour. I happened to be looking at that machine for something else and noticed hashcat had stopped. At first I thought it failed on its own - not a huge problem because I was using a session, just annoying. But then I realized... wait a minute, this might be success! 
The funny thing is, when hashcat finds the password, it doesn't say it succeeded. It literally just stops running. Thats an odd way to succeed in performing a very hard task but oh well. 

I already charged the customer for 2 hours of labor at their house. I think I'm going to bill them for another 3 hours to cover all the costs of getting this up and running. Which including writing the sorting scripts and doing all the sorting and re-concatenating, was pretty time consuming. Also the electricity use was pretty meaningful too. It's hard to know exactly how much power it was taking just to run this task, but I'd say it was probably around $30 worth of electricity, maybe less, maybe more. 

Oh and the password! Here was the password, written in regexp match code:

[a-z]{4}[0-9]{4}
Only those 8 characters! I'm surprised it wasn't in the first wordlist to be honest. 

I also no longer have the computer in my possession. After a few weeks, I gave it back to the customer so it wasn't just hanging around in my office. I emailed them a little while ago, so they can get back to me if it works. I think it's HIGHLY likely that it will work. Even if somehow I had messed up the hash and got a false positive, it would likely be fully random characters. The string I got is totally a common form of passwords. 

Also if anyone stumbles across this in the future - possibly including myself Big Grin . . .
I was running hashcat on my 2012 Mac Pro that was running 10.13 High Sierra. With the latest version of hashcat (6 I believe) I was not able to get it to use my GPU until I downgraded to an older version hashcat 5.1.0, that it was able to run on the GPU at a very respectable speed. 

Alright theres my story, I hope you enjoy it. This probably isn't the last time I have to do this for someone Smile


RE: Success! - jersonbtc - 12-27-2023

Nice story Bro.


RE: Success! - Banaanhangwagen - 12-27-2023

Cool find.
PS: I mentionnend this already several times on the forum: one can try to crack the keychain-hash instead, which is +/- 7 times faster than the macOS-login. 
See : https://hashcat.net/forum/thread-10129.html?highlight=keychain and https://github.com/hashcat/hashcat/issues/2457#issuecomment-645363447


RE: Success! - l008com - 12-27-2023

Interesting. BUT, how would I get the keychain hash if I don't have the login password? The computer is encrypted, which is the whole point, so I can't access any files until I crack the login/filevault password.


RE: Success! - Banaanhangwagen - 12-28-2023

you were talking about an "old macbook pro" and I assumed that there was no encryption enabled since it had to be enabled manually by the user back in the days (also because you didn't mention encryption in your explanation)

what hash did you crack? an APFS-hash or a macOS-login ?


RE: Success! - l008com - 12-28-2023

I believe it was a 10 year old Mac. It was a filevault 2 hash. Given the age and OS, I would have thought the computer would have been using APFS but somehow it was not.