12-10-2016, 12:06 AM
(This post was last modified: 12-10-2016, 12:07 AM by IncognitoEntity.)
Hi Warren,
I'm currently working on the same thing within Digital Forensics (law enforcement, UK). Our current software, Passware, is not as fast as I was expecting, so I started to look at how I could get the necessary information out. I too am currently stuck. If you have X-Ways/WinHex (WinHex for this is better so you can edit/copy etc.) open the manifest.plist file of the encrypted backup and it will be the backupkeybag. You will see tags like ITER, SALT, WPKY, CLAS etc. From reading the other posts (from what I can gather) the hash format is PBKDF2-HMAC-SHA1.
sha1:10000:salt:somehashordatabase64?
The ITER tag shows the iteration count for the PBKDF2 algorithm. In hex (big endian) it will show as 27 10, decimal 10000. This is the number of rounds.
The SALT tag appears to have 20 bytes of data proceeding it. I've been ignoring the 00 00 00 14 hex values before it, however I'm unsure this is necessary. I've then been converting the 20 bytes to base64 using WinHex, which is what the PBKDF2-HMAC-SHA1 -m 12000 option wants to take in as a salt. Again I'm unsure if this is right.
For the last section, I have tried the WPKY, UUID etc. as base64, but with no luck.
Please let me know your thoughts if you have something different. I really want to use hashcat for this task!
(11-15-2016, 09:50 PM)jwarren Wrote: I am looking for information on how to retrieve the hash value from the plist file of an encrypted iTunes Backup. I know if I drop the file in Passware or Elcomsoft it'll do it automatically, but I don't feel like paying $1000 and then renewing licenses every year. I have been using hashcat for a few months now on NTLM and various others and love that it makes my job a lot easier.
And as someone gave the answer in a similar thread, Google it, I have and haven't had much luck. I have seen some reference to the keybag and looking at it in a plist editor or Hex editor, I guess I'm just missing the part of where the hash is within the data set that follows.
I apologize if it is that simple and I'm that stupid, but I'm just looking for some guidance or an answer. I get how to put the hash in to hashcat once I get it. I know it's in the manifest. It is for phone forensics for work, and I'm just running out of ideas. Thanks for any help.
If this is in the wrong area or inappropriate, please delete/move/yell at me.
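The tag/length/value layout discussed in this thread, as an added example that is not part of either post: each keybag record is a 4-byte ASCII tag, a 4-byte big-endian length (the 00 00 00 14 in front of the salt is that length, 20), then the value. The sample blob is constructed and the function names are hypothetical; it assumes the BackupKeyBag data has already been extracted from manifest.plist.

```python
import base64
import struct


def parse_keybag(blob: bytes):
    """Split a keybag blob into (tag, value) records.

    Record layout: 4-byte ASCII tag, 4-byte big-endian length, then value.
    """
    records, offset = [], 0
    while offset < len(blob):
        if offset + 8 > len(blob):
            raise ValueError(f"truncated record header at offset {offset}")
        tag = blob[offset:offset + 4].decode("ascii", errors="replace")
        (length,) = struct.unpack(">I", blob[offset + 4:offset + 8])
        value = blob[offset + 8:offset + 8 + length]
        if len(value) != length:
            raise ValueError(f"{tag}: header declares {length} bytes, {len(value)} present")
        records.append((tag, value))
        offset += 8 + length
    return records


def kdf_parameters(records):
    """Return (iterations, salt, salt_base64) from the first ITER and SALT records."""
    found = {}
    for tag, value in records:
        found.setdefault(tag, value)  # keep the first occurrence of each tag
    iterations = int.from_bytes(found["ITER"], "big")
    salt = found["SALT"]
    return iterations, salt, base64.b64encode(salt).decode("ascii")


def make_record(tag: str, value: bytes) -> bytes:
    """Build one record for the constructed sample below."""
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value


# Constructed sample, not taken from a real backup.
SAMPLE_KEYBAG = (
    make_record("SALT", bytes(range(20)))
    + make_record("ITER", struct.pack(">I", 10000))
    + make_record("UUID", bytes(16))
    + make_record("CLAS", struct.pack(">I", 1))
    + make_record("WPKY", bytes(40))
)

if __name__ == "__main__":
    for tag, value in parse_keybag(SAMPLE_KEYBAG):
        print(f"{tag} len={len(value):2d} {value.hex()}")
    print(kdf_parameters(parse_keybag(SAMPLE_KEYBAG)))
```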