hashcat Forum
mozilla - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: mozilla (/thread-8491.html)



mozilla - pff - 07-16-2019

Hello!

I am interested in an old mozilla profile.

i have already tried using john via mozilla2john but he doesn't want to use graphics cores, only processor. I think we can do better.

So i am trying hashcat but not doing very well.
I don't think hashcat supports mozilla key3.db directly, however i think that this is only to decode username/password encrypted with 3DES.

Perhaps i can crack the 3DES directly?

I am using this as a reference of how it should work: https://github.com/lclevy/firepwd/blob/master/mozilla_pbe.pdf
I can take a single entry from signons.sqlite and use a base64/ASN1 tool to get IV and cypher no problem.

I'm not sure how to put these into hashcat, 3DES takes two values, are these them?

Finally, 3DES plaintext is 24 characters exactly, padded using PKCS#7 standard apparently! i don't suppose there is a way to tell hashcat to do this for me? I can't seem to insert a hex value into a mask, for example:
-1 0x01 ?a?a?a?a?a?1?1..etc

results in an overflow, but the keyspace is only really 5 characters? it's no bigger (my intention is it is no bigger, but clearly i have misstepped!?)

also i'm a little confused as to how e.g. an email address that is longer than 24 characters could be stored in here so clearly i have gone wrong somewhere.

any help is appreciated.


RE: mozilla - philsmd - 07-16-2019

-1 0x01
^ this is wrong syntax. where did you read about this 0x notation ? did you just guess this?

hashcat has an option called --hex-charset and you can use it like this

--hex-charset ?a?a?a?a?a010101010101....

-1 0x01 means to use "0" and "1" and "x" as chars


RE: mozilla - pff - 07-16-2019

Thanks that helps. yes i didn't think it was right but i think it explained what i was trying to do.
Now you have shown me i can see at the bottom of the mask page it is there! very embarassing i thought i had read everything several times, not enough!

Ultimately I think my voyage is fruitless, i am trying to decrypt rather than collide a hash, clearly this will not work i think. unfortunate.
thank you.