Apple Secure Notes Help
#1
Hey everyone!

I am brand new to this whole thing and have been trying to learn all I can. My wife has Apple Notes that are locked with a password that she can't remember. I have tried everything from using every password we know of to jailbreaking an iPad and trying to pull it down from there. 

After some research, I found hashcat. I am trying to see where a good start is. I have dabbled in it and when I run using the brute force method, it doesn't show there are any hashes available. I know there is a password on them though and can see them protected when looking at the file in a DB explorer.

I think I am pulling the correct file in (NoteStore.sqlite) and I can see data in it. 

What am I doing wrong here or where is a good start?

Thanks guys!!
Reply
#2
Use this script to extract the hash from NoteStore.sqlite
Clean the output till it has the same format as you find here. (search for Apple Secure Notes)
Try to crack it with hashcat using -m 16200.
Reply
#3
Hi everyone!
So I am completely unfamiliar with all this and I have no experience with coding. A couple of days ago I lost my Apple Notes password and I've been trying to solve my problem since then. I used this script (https://github.com/openwall/john/blob/bl...ohn.py#L30) and saved it as a Python file on my Mac. Then I tried to run the script against my NoteStore.sqlite file, but I don't understand what the problem is.
Here are all of my actions:
illustrator@mulvib-iMac hash % python3 script.py NoteStorecopysqlite
Traceback (most recent call last):
  File "/Users/illustrator/Documents/hash/script.py", line 36, in <module>
    process_file(sys.argv[i])
  File "/Users/illustrator/Documents/hash/script.py", line 9, in process_file
    rows = cursor.execute("SELECT Z_PK, ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT, ZCRYPTOWRAPPEDKEY, ZPASSWORDHINT, ZCRYPTOVERIFIER, ZISPASSWORDPROTECTED FROM ZICCLOUDSYNCINGOBJECT")
sqlite3.OperationalError: no such table: ZICCLOUDSYNCINGOBJECT

I hope someone can understand what the problem is because I have no idea

thanks so much!!
Reply
#4
The problem is printed on the last line: the table "ZICCLOUDSYNCINGOBJECT" is not present in your file.
Are you sure you are working with the right file?
Are you sure that there is a password set?
You can manually examine all the tables with a simple SQLite viewer. Can you open the file with such a tool?
Reply
#5
(05-20-2021, 08:49 PM)Karamba Wrote: The problem is printed on the last line: the table "ZICCLOUDSYNCINGOBJECT" is not present in your file.
Are you sure you are working with the right file?
Are you sure that there is a password set?
You can manually examine all the tables with a simple SQLite viewer. Can you open the file with such a tool?

or on line 1
python3 script.py NoteStorecopysqlite

Did you really copy the file without the dot ending? The script is not checking whether the given file exists or not, so if the name is wrong it won't work.
Reply
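A preflight check for the failure discussed in posts #4 and #5, as an added example that is not part of the thread or of the extraction script: it confirms that the file exists, is a SQLite database, and contains the table and columns named in the SELECT from the traceback. The function names and the constructed sample database are assumptions made for illustration.

```python
import sqlite3
import sys
from pathlib import Path

TABLE = "ZICCLOUDSYNCINGOBJECT"
# Columns named in the SELECT shown in the traceback above.
COLUMNS = {"Z_PK", "ZCRYPTOITERATIONCOUNT", "ZCRYPTOSALT", "ZCRYPTOWRAPPEDKEY",
           "ZPASSWORDHINT", "ZCRYPTOVERIFIER", "ZISPASSWORDPROTECTED"}
SQLITE_MAGIC = b"SQLite format 3\x00"

def preflight(path):
    """Return (ok, message) saying whether `path` can be queried (hypothetical helper)."""
    p = Path(path)
    if not p.is_file():
        return False, f"{path}: no such file (check the name, e.g. the '.sqlite' ending)"
    with p.open("rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return False, f"{path}: not a SQLite 3 database"
    # A plain sqlite3.connect(path) silently opens a new, empty database when
    # the name is wrong; mode=ro opens existing files only and never writes.
    con = sqlite3.connect(p.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        if TABLE not in tables:
            return False, f"{path}: table {TABLE} missing; found {sorted(tables)}"
        have = {r[1] for r in con.execute(f"PRAGMA table_info({TABLE})")}
        missing = COLUMNS - have
        if missing:
            return False, f"{path}: {TABLE} lacks columns {sorted(missing)}"
        locked = con.execute(
            f"SELECT COUNT(*) FROM {TABLE} WHERE ZISPASSWORDPROTECTED = 1").fetchone()[0]
    finally:
        con.close()
    return True, f"{path}: {locked} password-protected row(s)"

def make_sample(path, with_table=True):
    """Build a constructed stand-in database (not real Notes data)."""
    con = sqlite3.connect(path)
    name = TABLE if with_table else "OTHER"
    con.execute(f"CREATE TABLE {name} ({', '.join(sorted(COLUMNS))})")
    con.execute(f"INSERT INTO {name} (Z_PK, ZISPASSWORDPROTECTED) VALUES (1, 1)")
    con.commit()
    con.close()

if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(preflight(arg)[1])
```

Run against a mistyped name such as `NoteStorecopysqlite`, it reports the missing file instead of the "no such table" error.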
#6
(05-20-2021, 10:49 PM)Snoopy Wrote:
(05-20-2021, 08:49 PM)Karamba Wrote: The problem is printed on the last line: the table "ZICCLOUDSYNCINGOBJECT" is not present in your file.
Are you sure you are working with the right file?
Are you sure that there is a password set?
You can manually examine all the tables with a simple SQLite viewer. Can you open the file with such a tool?

or on line 1
python3 script.py NoteStorecopysqlite

Did you really copy the file without the dot ending? The script is not checking whether the given file exists or not, so if the name is wrong it won't work.

First I tried it with the dot but something happened and it didn't work. But I solved my problem now, I was working on a different user account then switched to the one that has the actual backup files and it worked! Maybe that was the problem idk.
Thanks for help.
Reply
#7
Hey, first of all, I am new here. I may be wrong to post this here, but maybe someone will see it. I just needed someone to discuss the problem that occurred to me with, bc I am a little bit lost. So, I wanted to hear your opinion on recovering the dropped Notes password (a password that I had reset through Settings) on notes from iCloud. It was just the first impulsive thing that came to my mind; now I am indeed regretting it, but there’s nothing to change about it now. The thing confusing me is that the notes that had been secured with that password (I am looking for just one) now have zcryptoiterationcount set to 0 in the NoteStore.sqlite db. They have different zcryptosalts of 16 bytes and different zwrappedkeys of 16 bytes, even though it is still the same password. Znotedata is encrypted, they have tags and an initialisation vector in there as well, and they have no crypto verifier, but I don’t know how the wrapped key was obtained — it’s like a mystery. I have a little knowledge of the whole process: I know that they do PBKDF2-SHA256 on a password with a salt and 20000 iterations, and with that they get the KEK. Then they wrap the key with the AES key wrap algorithm and, I guess, that’s how they get a 24-byte key (by adding an extra 8 bytes onto the key material during wrapping); I have read it all. If I am not right about it — pls, correct me with an explanation of the steps in wrapping the key. I have all, literally all the variants of that password (I just don’t know things like the order of upper and lower case), and I have had a thought that 1) maybe the wrapped 16-byte (32 symbols in hex) key I saw in NoteStore.sqlite is the result of a one-time PBKDF2-SHA256, maybe it was used just once.
And I tried to do PBKDF2-SHA256 with one salt on my passwords as well and tried to look for coincidences with the wrapped key I have, the right one from the db (to make it clear, I mentioned earlier that the notes that have been protected with that one password have different pairs of salt and wrapped key, so I used one salt and one wrapped key from one row for that, to see the coincidences) — but all of that didn’t bring me the result I wanted, bc there is no match, so it isn’t the right answer. And the second thought was that the wrapped key I saw in the NoteStore.sqlite db was just somehow derived from the salt? Or is it just indeed the KEK? I can’t see any other explanations, but maybe you’ve got something in mind. I haven’t found anything applicable to the case in which you did the reset of the iCloud Notes password. I would really appreciate any suggestions and I would be more than grateful if you know something and can share it or explain it to me. Cause, guys, these notes, they are life-needing. Please, shine some light on my mind.
Reply