Help modifying a .restore file?
#1
Well, I've gone and done it...  I committed the cardinal sin of not naming my session, then not realizing that it would be overwritten by the next unnamed one...  no previous files, no backups of the .restore file...  so, I need to modify the new one to start nearby where I previously left off.  

Luckily, I DID manage to get a screen shot and copy / paste of that.


Code:
Session..........: hashcat
Status...........: Aborted (Checkpoint)
Hash.Type........: iTunes backup >= 10.0
Hash.Target......: Redacted
Time.Started.....: Sun Sep 15 04:37:27 2019 (12 hours, 18 mins)
Time.Estimated...: Mon Sep 30 18:35:09 2019 (15 days, 1 hour)
Guess.Mask.......: ?1?2?2?2?2 [5]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 5/15 (33.33%)
Speed.#1.........:      77 H/s (5.59ms) @ Accel:2 Loops:250 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 3428352/104136192 (3.29%)
Rejected.........: 0/3428352 (0.00%)
Restore.Point....: 55296/1679616 (3.29%)
Restore.Sub.#1...: Salt:0 Amplifier:61-62 Iteration:9750-9999
Candidates.#1....: Xaz32 -> Xqoki
Hardware.Mon.#1..: Util:  0% Core:1312MHz Mem:2000MHz Bus:16



Yes, I'm brute forcing it...  idk how on earth I managed to type anything but my standard backup password twice, but I've tried all the typo generators out there and generated word lists including all the typical things I do.  No love.  I also know it'll be at least 6 characters, so I'd love to start around there, but this is what I have so far.

This is a restore file I created after overwriting the existing restore file mistakenly, which I cannot seem to get correct to jump ahead.  I'm unsure where the dicts_pos, words_cur, masks_pos are supposed to come from in the above?  I know they'll need to be converted to hex, of course, but I'm just not sure.

https://hashcat.net/wiki/doku.php?id=restore is what I'm going from.

Code:
Redacted



Any assistance would be greatly appreciated.
Reply
#2
the main problem with your command:
Code:
hashcat64 -d 1 -m 14800 -a 3 -w 3 --session itunes backuphash.txt

is that you didn't specify a mask at all. mask attacks are really most useful if you have some clue about the pattern/length/charset etc... if you do not specify any mask the default one is used (see https://hashcat.net/wiki/doku.php?id=mask_attack and https://hashcat.net/wiki/doku.php?id=has...ult_values)

in your case it was already at length 5 of the default mask ?1?2?2?2?2?2?2?3?3?3?3?d?d?d?d with --custom-charset1 ?l?d?u --custom-charset2 ?l?d --custom-charset3 ?l?d*!$@_ (look the values up yourself, they might have changed depending on when you are reading this. it's mentioned here: https://hashcat.net/wiki/doku.php?id=has...ult_values)

so in your case the mask was

--custom-charset1 ?l?d?u --custom-charset2 ?l?d ?1?2?2?2?2

(-3 and ?3 do not matter because the mask didn't increment yet to that length).

so in theory you could just use

Code:
hashcat64 -d 1 -m 14800 -a 3 -w 3 -s 55296 --session itunes --custom-charset1 ?l?d?u --custom-charset2 ?l?d  backuphash.txt ?1?2?2?2?2

the -s (or long --skip) value is the most important one here, it will tell hashcat to start from that specific restore point


after length 5 is done, you would actually need to continue with 6,7,8

but honestly, it's very very bad to use hashcat like this... just think about and use the information you have about the password length, pattern, characters used etc.

Furthermore, it's very bad to start with mask attack for very slow hashing algorithms like itunes. Why don't you use a wordlist attack with rules etc ?
Reply
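How the status screen in post #1 relates to the -s value in post #2, as an added example (not part of the original thread and not hashcat's own code): it parses the quoted status fields, recomputes the keyspace of ?1?2?2?2?2 from the custom charsets, and checks that Progress equals Restore.Point times a fixed factor. The function names are hypothetical, and reading that factor as the number of candidates tested per restore-point unit is an assumption that the quoted numbers are consistent with.

```python
import math
import re

# Fields copied from the status screen in the first post.
STATUS = """\
Guess.Mask.......: ?1?2?2?2?2 [5]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Progress.........: 3428352/104136192 (3.29%)
Restore.Point....: 55296/1679616 (3.29%)
"""

BUILTIN = {"l": 26, "u": 26, "d": 10}  # sizes of ?l, ?u and ?d

def field(status, name):
    """Return the value of one 'Name.....: value' status line."""
    return re.search(rf"^{re.escape(name)}\.*: (.*)$", status, re.M).group(1)

def charset_size(spec):
    """Count characters in a charset such as '?l?d*!$@_' (no duplicates assumed)."""
    builtins = re.findall(r"\?([lud])", spec)
    literals = re.sub(r"\?[lud]", "", spec)
    return sum(BUILTIN[b] for b in builtins) + len(literals)

def fraction(status, name):
    """Parse the 'done/total' pair at the start of a status value."""
    done, total = field(status, name).split()[0].split("/")
    return int(done), int(total)

def analyse(status):
    sizes = {}
    for part in field(status, "Guess.Charset").split(", "):
        flag, spec = part.split(" ", 1)
        if spec != "Undefined":
            sizes[flag.lstrip("-")] = charset_size(spec)
    mask = field(status, "Guess.Mask").split()[0]
    candidates = math.prod(sizes[n] for n in re.findall(r"\?(\d)", mask))
    tried, total = fraction(status, "Progress")
    point, base = fraction(status, "Restore.Point")
    per_point = total // base  # assumed: candidates tested per restore-point unit
    return {
        "candidates": candidates,  # full keyspace of the length-5 mask
        "per_point": per_point,
        "skip": point,             # the value post #2 passes to -s / --skip
        "consistent": candidates == total and tried == point * per_point,
    }

if __name__ == "__main__":
    print(analyse(STATUS))
```

For the quoted screen the factor is 62, the size of ?1, so -s takes 55296 from Restore.Point rather than 3428352 from Progress.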
#3
(09-16-2019, 07:50 PM)philsmd Wrote: Furthermore, it's very bad to start with mask attack for very slow hashing algorithms like itunes. Why don't you use a wordlist attack with rules etc ?

I'd already tried a pair of wordlists with combinations of everything I could think I may have used.  Even used a few typo generators for the whole of it...  turns out though, your recco worked out great.  I found the password to be one of my wife's old ones before I convinced her to use more secure ones.  After I asked her about it she remembered...  that look in her eye was ...  PRICELESS!

Thank you for the assist.  Really made my morning!
Reply