SCADA/Modicon/Schneider TM221 - Printable Version
hashcat Forum (https://hashcat.net/forum), Support > hashcat, Thread: SCADA/Modicon/Schneider TM221 (/thread-12148.html)

SCADA/Modicon/Schneider TM221 - piehole1983 - 09-06-2024

Hi everyone, new member here, but I've been learning how to use Hashcat for around a week now. The reason being I am trying to recover a project password from a Schneider TM221 PLC I use at work. The guy who used to do my job will not divulge the password.

I've found what I believe to be the hashed password in a .dll file and it appears to be SHA-256. Now, my understanding of the way the hash is produced is that the plaintext password is hashed, hashed again, and XOR is involved somewhere in this process too.

Does anyone have any experience of this type of password recovery or something similar? Presumably the way this is done will render a wordlist attack useless, and brute force will be looking for standard characters when the possibility of needing to find HEX is more likely.

I would appreciate any guidance at all with this and will of course do all my own leg work if I can take some help with the method.

RE: SCADA/Modicon/Schneider TM221 - nick8606 - 09-07-2024

piehole1983, you need to know how the password is hashed. The exact algorithm is necessary. Then you can try to find and use an existing hashcat module. If a suitable module doesn't exist, you can develop and use your own module.

RE: SCADA/Modicon/Schneider TM221 - piehole1983 - 09-07-2024

(09-07-2024, 05:42 AM) nick8606 Wrote: piehole1983, you need to know how the password is hashed. The exact algorithm is necessary.

Thank you for the quick reply. I did see an article describing how the hash is created; I'll try to locate that again and go from there. I have found the hard-coded key for part of the process as well as the final hash. I guess I'm about 30% there!

RE: SCADA/Modicon/Schneider TM221 - piehole1983 - 09-11-2024

I've done some more recon and have located the DH key exchange from both the client and the server, as well as the hashed password in a given session. I used Wireshark to capture the data. The DH keys are 4 bytes long.

Am I correct in saying that the prime number used is 109 and the generator is 4? Once I can calculate the DH exchange, the result will be the XOR key used to encrypt the SHA256 hash. Any guidance or tips would be great! Absolute beginner here…
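The Diffie-Hellman parameters suspected in the last post (p = 109, g = 4) are worth measuring before anything is built on them. The Python below is an added example, not code from the thread or from Schneider: it checks that the modulus is prime and computes the order of the generator, which is the number of distinct shared secrets the exchange can ever produce. With 4 mod 109 that number is 18, so an XOR key derived from such an exchange carries only about four bits of entropy, which is the real finding here from a risk standpoint.

```python
# Added example (not from the thread): sanity-check a Diffie-Hellman
# parameter set by measuring how many distinct shared secrets it allows.
# p = 109 and g = 4 are the values the post asks about; they are used
# here as constructed inputs.
from math import isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small moduli checked here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def generator_order(g: int, p: int) -> int:
    """Smallest k >= 1 with g**k == 1 (mod p).

    This is the count of distinct public values g**x mod p, and hence an
    upper bound on the number of possible shared secrets.
    """
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def dh_parameter_report(p: int, g: int, min_bits: int = 2048) -> dict:
    """Summarise how much protection a (p, g) pair can provide."""
    if not is_prime(p) or not 1 < g < p:
        raise ValueError("p must be prime and 1 < g < p")
    order = generator_order(g, p)
    return {
        "modulus_bits": p.bit_length(),
        "distinct_shared_secrets": order,
        "generates_full_group": order == p - 1,
        "meets_min_bits": p.bit_length() >= min_bits,
    }


if __name__ == "__main__":
    print(dh_parameter_report(109, 4))
```

A modern deployment would be expected to use a prime of at least 2048 bits (the default `min_bits`) with a generator of large prime order; the report makes the gap between that and a 7-bit modulus explicit.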