What kind of hash is this? - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html) +--- Forum: General Help (https://hashcat.net/forum/forum-8.html) +--- Thread: What kind of hash is this? (/thread-2892.html) Pages:
1
2
|
What kind of hash is this? - Tinnuel - 12-05-2013 Hello guys. I've been looking all day to figure this out, but no luck yet. I've run it through identifiers and such. This key is from IOS 7, off of an iPhone 5s. I use the restrictions to remove unwanted apps, prevent me from accidentally buying in-app purchases, etc. Somehow I have forgotten the pin at this point and can't get back in. From what I gather, I could reset my phone, but I would have to set it up as a new phone (pain in the butt), and I would rather avoid that if all possible. This is pulled from the com.apple.restrictionspassword.plist file Code: <key>RestrictionsPasswordKey</key> The code is numerical pin with 4 figures XXXX Any ideas? If so, how would I go about decrypting it (if its even possible)? Thanks in advance. RE: What kind of hash is this? - magnum - 12-06-2013 The key has the size of a SHA1 hash. Of course it's possible, you just need to figure out if it's just sha1(p.s) or sha1(s.p) or something else (like iterated, or sha1(sha1(s).sha1(p)) for example). RE: What kind of hash is this? - Tinnuel - 12-06-2013 Thank you, that's helpful. One thing I've been confused about is when running a p.s or s.p am I supposed to append the salt to the password? If so, what conjunction do I use? Thanks again. RE: What kind of hash is this? - Si2006 - 12-06-2013 you'll append the salt to the hash, and usually separate them with a colon, your hash in hex is 27de197171e6d49fc5f55c9ef06c0d8751cd7250:fd11cde0 RE: What kind of hash is this? - phantom23 - 01-03-2014 Hello, did you ever figure out how to decrypt this hash? I have the same problem with my iOS 7 device. Thanks RE: What kind of hash is this? - magnum - 01-03-2014 (01-03-2014, 02:39 AM)phantom23 Wrote: Hello, did you ever figure out how to decrypt this hash? I have the same problem with my iOS 7 device. If the posted hash above was real, it's not plain sha1 nor HMAC. If someone posts a hash for a *known* key we might be able to figure it out. The keyspace is miniscule. Maybe it's pbkdf2-hmac-sha1 but we don't know how many iterations. RE: What kind of hash is this? - philsmd - 01-03-2014 Here it seems to be very easy to find the algorithm... you just need to look for (or have) some known hashalt:plain tuples. E.g. this list (hashalt masked): 1. hashalt above (231cXXXX18a4cee66XXX7cd4XXXX670XXX80XXf9:XXX6XX5e) 2. for instance this one: http://forum.insidepro.com/viewtopic.php?t=24434 (3XXX2711XXXXXc2d2deaXXXX785343XXXX4dXXX:9XXcbXdX) 3. the most important: at least one w/ known plain, e.g. https://discussions.apple.com/message/23872506 (27XXX97171eXXX9fc5fXXX9ef06cXXXX51XX7XXX:fdXXcXeX) Since we have a known hashalt:plain (number 3) and we know: 1. "length" of hash seems to be the same as SHA1 2. apple recently tend to use PBKDF (7100 = OS X v10.8 , http://hashcat.net/wiki/doku.php?id=example_hashes ) We just need to (automatically) try to crack it w/ some different iterations, either: 1. some known one first 2. all from e.g. 1 - 10000 (well, some of those seem to be very unlikely, but still) The result, we get: 231cXXXX18a4cee66XXX7cd4XXXX670XXX80XXf9:XXX6XX5e:1000:1234 3XXX2711XXXXXc2d2deaXXXX785343XXXX4dXXX:9XXcbXdX:1000:5490 27XXX97171eXXX9fc5fXXX9ef06cXXXX51XX7XXX:fdXXcXeX:1000:3956 Well, since we got those 3 output lines, it is very likely that 1000 (only!!!) is the number of iterations Ps. this format is not yet supported by *hashcat (PBKDF2-HMAC-SHA1). PPS. good hints, magnum RE: What kind of hash is this? - phantom23 - 01-03-2014 (01-03-2014, 02:02 PM)philsmd Wrote: Here it seems to be very easy to find the algorithm... you just need to look for (or have) some known hashalt:plain tuples. Thanks so much for the tips...this definitely points me in the right direction. However, if PBKDF2-HMAC-SHA1 is not yet supported by hashcat, how does one go about decrypting these hashes? RE: What kind of hash is this? - philsmd - 01-03-2014 Do it like I did: since there are only pins of length 4 and the range is 0000 - 9999, you can just quickly iterate through this list w/ a few lines of code... Below are some lines of perl... run it as ./ios7.pl hash salt for instance (masked): ./ios7.pl 27XXX97171eXXX9fc5fXXX9ef06cXXXX51XX7XXX fdXXcXeX ios7.pl Code: #!/usr/bin/env perl This should be fast enought for the ios7 bruteforcing, it takes just some seconds on my system for a full bruteforce 0000 - 9999... But ofc... we could think of adding a pbkdf2-hmac-sha1 w/ variable iterations to *hashcat (if you insist in this feature, you could request it on trac... but for sure not needed for this kind of bruteforce - 4 digits only). PS. we do not "decrypt" hashes (because they are not encrypted) - we crack them PPS. you need to know how to run perl script otherwise it won't help RE: What kind of hash is this? - phantom23 - 01-03-2014 Thank you so much, philsmd! The script worked perfectly, and I was able to crack the passcode - you rock! |