hashcat Forum
Modifications to hash type 18100 to support binary seeds - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Developer (https://hashcat.net/forum/forum-39.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-40.html)
+--- Thread: Modifications to hash type 18100 to support binary seeds (/thread-8613.html)



Modifications to hash type 18100 to support binary seeds - slothsec - 08-30-2019

Hi All,

The pyotp library generates a 16-character base32 seed by randomly selecting 16 characters from the base32 alphabet (a-z2-7, more info here: https://github.com/pyauth/pyotp/blob/master/src/pyotp/__init__.py). As a result, the base32 string will not always decode nicely into an ASCII string, so the existing 18100 module won't work.

I was looking to tweak it to attempt to crack the base32 seed directly. I figured that to do this I would give hashcat a custom charset of a-z2-7 and a 16-character mask. I am just trying to work out what changes are required in "module_18100c" to ensure this will work. Can someone point me in the right direction to documentation on developing custom modules? I have been struggling to find much.

Thanks,
Ryan

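The seed-to-key path the post describes, as an added example that is not the poster's code, pyotp's code, or hashcat's own: it reproduces what pyotp's random seed looks like once base32-decoded (the 10 raw key bytes hashcat must produce as a candidate), computes the RFC 6238 TOTP value that mode 18100 checks against an "otp:timestamp" hash line, and sizes the 32^16 mask keyspace discussed in the replies below. `random_base32_seed` is a stand-in for `pyotp.random_base32()` so the script runs without pyotp; the timestamp and rate in the `__main__` block are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# pyotp's alphabet: RFC 4648 base32, A-Z and 2-7 (32 symbols).
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def random_base32_seed(length=16):
    """Stand-in for pyotp.random_base32(): pick `length` base32 characters
    uniformly at random (written here so the example runs without pyotp)."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def seed_to_key(seed):
    """Decode the base32 seed into the raw HMAC key bytes TOTP actually uses.
    16 base32 characters carry 80 bits, i.e. 10 key bytes; this byte string is
    what a hashcat candidate has to reproduce, not the base32 text."""
    return base64.b32decode(seed.upper())


def is_printable_ascii(data):
    """True only if every byte is a printable ASCII character (0x20-0x7e)."""
    return all(0x20 <= b <= 0x7E for b in data)


def totp(key, timestamp, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the computation hashcat mode 18100 repeats
    for every candidate key and compares against the known code."""
    counter = int(timestamp) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def hashcat_18100_line(key, timestamp):
    """Build the 'otp:timestamp' hash line that hashcat mode 18100 expects."""
    return f"{totp(key, timestamp)}:{int(timestamp)}"


def keyspace(alphabet_size, length):
    """Number of candidates for a mask of `length` positions over `alphabet_size` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space, hashes_per_second):
    """Time to search the whole space at a fixed rate, in years of 365.25 days."""
    return space / hashes_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    seed = random_base32_seed()
    key = seed_to_key(seed)
    print(f"seed {seed} -> key {key.hex()} printable_ascii={is_printable_ascii(key)}")
    print("hash line for -m 18100:", hashcat_18100_line(key, 1567123200))  # constructed timestamp
    space = keyspace(len(BASE32_ALPHABET), 16)
    print(f"mask keyspace 32^16 = {space:,} (= 2^80)")
    print(f"at a constructed 100 GH/s: {years_to_exhaust(space, 100e9):,.0f} years")
```

The base32 text is only transport: the HMAC key is the decoded 10 bytes, and for a random seed most of those bytes fall outside printable ASCII, which is why a plain text mask cannot express them. hashcat can take arbitrary byte values in a charset via `--hex-charset`, but that does not change the size of the problem, since a 16-position mask over 32 symbols and a 10-position mask over all 256 byte values both cover exactly 2^80 keys.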

RE: Modifications to hash type 18100 to support binary seeds - slothsec - 08-30-2019

Hmm, on further investigation this may not be possible, since running
"hashcat -m18100 -a3 -o totp.potfile totp.hashes -1 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1 --force"

results in 
"Integer overflow detected in keyspace of mask: ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1"

Is there some other way to attack the non-ASCII/base32-decoded seed?


RE: Modifications to hash type 18100 to support binary seeds - philsmd - 08-30-2019

Yeah, that's too large a keyspace.

it's 32 ^ 16 = 1,208,925,819,614,629,174,706,176


RE: Modifications to hash type 18100 to support binary seeds - DanielG - 08-30-2019

"I figured that to do this I would give hashcat a custom charset of a-z2-7 and a 16-character mask."

Like philsmd said, that would be 1,208,925,819,614,629,174,706,176 possibilities. Even if you were able to crack it at a non-existent speed of 100 GH/s, it would still take 38335 years to search the whole space. It's too big to crack this way.