help with hashcat 5.1.0 and itunes backup recovery
#1
hi all...

i'm new to hashcat and i'm having some problems...
i'm trying to run  version 5.1.0  on a  macbook pro 15  i9  2.9ghz  32gb ram,  with the latest  Mojave Os...

i'm trying to recover a lost password for an encrypted itunes backup...
the back up is from an  iphone 6s running  ios 12...

i watched a  video linked to  hashcat page  for directions on how to recover the password,  Avairy solutions...

i have run  philsmd  itunes_backup2hashcat.pl
copied the  extracted data  into a  text file  and named it  Manifest.txt,  and placed it into the  hashcat 5.1.0 folder...

i have copied the  Manifest.plist  file  from within the  itunes backup folder
and placed it into the  hashcat 5.1.0  folder...
the file name is still   Manifest.plist

when i open  Terminal,  i type  cd  and drag the hashcat folder to  Terminal  and hit enter...

this is a screen shot of my  Terminal window, 
i haven't been able to get  hashcat to run/scan...

although it will run the script,  itunes_backup2hashcat  against the  Manifest.plist

it would be great if someone could help me with what i'm doing incorrectly,  doh...

thanks heaps,
ted...


teds-MBP:hashcat-5.1.0 tedz$ ls
Manifest.plist            example500.hash
Manifest.txt            example500.sh
OpenCL                extra
charsets            hashcat.hcstat2
docs                hashcat.hctune
example.dict            hashcat32.bin
example0.cmd            hashcat32.exe
example0.hash            hashcat64.bin
example0.sh            hashcat64.exe
example400.cmd            itunes_backup2hashcat.pl
example400.hash            layouts
example400.sh            masks
example500.cmd            rules
teds-MBP:hashcat-5.1.0 tedz$ ./hashcat Manifest.txt -14800 -a 3
-bash: ./hashcat: No such file or directory
teds-MBP:hashcat-5.1.0 tedz$ ./hashcat Manifest.txt -14800 -a 3 ?a
-bash: ./hashcat: No such file or directory
teds-MBP:hashcat-5.1.0 tedz$
Reply
#2
for macOS you need to compile the executable/binaries first.

You can use git and compile it with make:

Code:
git clone https://github.com/hashcat/hashcat

Code:
cd hashcat/

Code:
make

Code:
./hashcat -m 14800 -a 3 -w 3 Manifest.txt ?a

btw: this assumes that make/gcc/git etc are installed (installed by using brew etc)

It is also advised to not use notebooks for long running cracking jobs... This is intensive work, you will probably break your notebook if it can't handle the heat/temperature etc
Reply
#3
hi phil...

thank you lots for helping me to get going,  wonderful...

i have done what you recommended and  hashcat is running at the moment...

i did receive a message as  hashcat was starting

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

the estimated time is around 9 hours...

i have placed the laptop on blocks to allow plenty of air around the air/fan ducts,  it doesn't feel very warm so far...

i really hope i can get this password,  i have some very important data in the backup...

thanks again for your help,
ted...
Reply
#4
hi phil...

i thought i should post a screen shot of the current process...

Session..........: hashcat
Status...........: Running
Hash.Name........: iTunes backup >= 10.0
Hash.Target......: $itunes_backup$*10*818a32e06d89163dc621c83b77f77b4f...0d990b
Time.Started.....: Tue Feb 26 23:50:55 2019 (1 hour, 9 mins)
Time.Estimated...: Wed Feb 27 09:36:58 2019 (8 hours, 36 mins)
Guess.Mask.......: ?a [1]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 0 H/s (8.12ms) @ Accel:2 Loops:250 Thr:8 Vec:1
Speed.#3.........: 0 H/s (6.19ms) @ Accel:2 Loops:250 Thr:64 Vec:1
Speed.#*.........: 0 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 11/95 (11.58%)
Rejected.........: 0/11 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:11-12 Iteration:2273000-2273250
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-250
Candidates.#2....: t -> t
Candidates.#3....: [Generating]

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

thanks again,
ted...
Reply
#5
well, you probably shouldn't run that specific mask.... and probably you shouldn't run a mask attack (see https://hashcat.net/wiki/?id=mask_attack , -a 3 ) at all for itunes backups.

I would suggest starting with a dictionary attack (-a 0) or dictionary attack with rules (-a 0 -r, see https://hashcat.net/wiki/doku.php?id=rule_based_attack and the rules/ folder in the hashcat directory, e.g. hashcat -m 14800 -w 3 -a 0 -r rules/best64.rule hash.txt rockyou.txt)

I also would suggest to try remember as much as possible from the password and make your attack more clever and targetted depending on how much you remember/know about your password.

Good luck

(btw the above command posted by you - the test if everything is working - with -a 3 ?a only tries a one-length-only character password, alphanumberic with symbols a-zA-Z0-9 + !" #$%%&'()*+,-./:;<=>?@[\]^_`{|}~)
Reply
#6
hi phil...

thanks for responding to my posts...

i'm a bit confused now,  i need to do some more reading on the correct attack and code to start hashcat...

thanks again,
ted...
Reply
#7
If you just want to get started try a different hash mode. The iTunes backup >= 10.0 is the slowest algorithm around.
Reply
#8
hi atom...

thanks for your help...

do you any suggestions on hash modes that i could try...

apple replaced my phone with a new unit, 
created an itunes backup of my old phone to my laptop in store,
kept my old phone,  and handed me the new phone and sent me on my way...
they erase the old phone immediately for security reasons/protocol...

so when i get around to trying to restore the backup to the new phone,
itunes asks for a password to unlock the backup,  doh...

i'm not sure that i did encrypt the backup that i did 6 months prior on an old dell laptop,
although there is a padlock next to both backup folders,  1 current laptop and 1 older laptop...

i have tried to unlock the itunes backup restore phone function, 
with passwords that i usually use for various accounts,  with no success...

i would think that i would have used the phone unlock code and maybe something added to it...

so i am unsure  how,  and if i  should try to get  hashcat set up to use my unlock code plus some extras...

is there a section in the help pages that i can learn how to do that...

thanks for your help,
ted...
Reply
#9
success?
Reply
#10
hi...

no success, need to learn more about how to use/run hashcat...

do you have any advice...

thanks,
ted...
Reply