01-03-2014, 07:56 PM
(01-03-2014, 02:02 PM)philsmd Wrote: Here it seems to be very easy to find the algorithm... you just need to look for (or have) some known hashalt:plain tuples.
E.g. this list (hashalt masked):
1. hashalt above (231cXXXX18a4cee66XXX7cd4XXXX670XXX80XXf9:XXX6XX5e)
2. for instance this one: http://forum.insidepro.com/viewtopic.php?t=24434 (3XXX2711XXXXXc2d2deaXXXX785343XXXX4dXXX:9XXcbXdX)
3. the most important: at least one w/ known plain, e.g. https://discussions.apple.com/message/23872506 (27XXX97171eXXX9fc5fXXX9ef06cXXXX51XX7XXX:fdXXcXeX)
Since we have a known hashalt:plain (number 3) and we know:
1. "length" of hash seems to be the same as SHA1
2. apple recently tend to use PBKDF (7100 = OS X v10.8 , http://hashcat.net/wiki/doku.php?id=example_hashes )
We just need to (automatically) try to crack it w/ some different iterations, either:
1. some known one first
2. all from e.g. 1 - 10000 (well, some of those seem to be very unlikely, but still)
The result, we get:
231cXXXX18a4cee66XXX7cd4XXXX670XXX80XXf9:XXX6XX5e:1000:1234
3XXX2711XXXXXc2d2deaXXXX785343XXXX4dXXX:9XXcbXdX:1000:5490
27XXX97171eXXX9fc5fXXX9ef06cXXXX51XX7XXX:fdXXcXeX:1000:3956
Well, since we got those 3 output lines, it is very likely that 1000 (only!!!) is the number of iterations
Ps. this format is not yet supported by *hashcat (PBKDF2-HMAC-SHA1).
PPS. good hints, magnum
Thanks so much for the tips...this definitely points me in the right direction. However, if PBKDF2-HMAC-SHA1 is not yet supported by hashcat, how does one go about decrypting these hashes?