04-29-2017, 06:43 PM
(04-29-2017, 08:13 AM)kiara Wrote:(04-28-2017, 10:10 AM)wfcollins Wrote: I have a VirtualBox image that is encrypted that I have forgotten the password. I created a new test.vbox and found a PHP program - vboxdie-cracker that is able to find the correct password for the test from a wordlist. But it only guesses 2 passwords per second. Here is what the vboxdie-cracker extracts from the test.vbox file with a password of password:how did u encrypt the virtual hard drive in the first place?
[+] KeyStore contents:
Header 454e4353 (SCNE)
Version 1
Algorithm AES-XTS256-PLAIN64
KDF PBKDF2-SHA256
Key length 64
Final hash 592d0544669c3cfc4701544903cd94ff7a5e067be8ff0d9c9113ffb3d773367b
PBKDF2 2 Key length 32
PBKDF2 2 Salt 07d630d090896740baee6975d5540a7e837d3b410789924db21f7e1ebaa2120e
PBKDF2 2 Iterations 20000
PBKDF2 1 Salt ee9aa0d45159218cc493e1b8653ef34cdba5975bcf58c948b0565575b58b5f54
PBKDF2 1 Iterations 100000
EVP buffer length 64
PBKDF2 2 encrypted password 0520752245c51e7f5cc62e8397126f69eaa678a77727a991f4cebdf86ac52d28 2c06cc815b63ed5e38e455193ba7031725914242ae24a98577b53cce49d4ceb3
I have a usual pattern of characters I use and I wrote a C++ program to create a word list of several thousand permutations, but no luck so far. I need more speed. Any help on how to use hashcat to crack this would be much appreciated.
My confusion is how to use 2 salts with hashcat?
isnt it LUKS ?
So this is not the OS level encryption. It is the VirtualBox encryption of the actual .vbox image file. It is a feature when you create a VM before you even install an OS. I am not a crypto expert, but it is using two salts. Here is the PHP code that can correctly decrypt a test VM file. It makes two calls to hash_pbkdf2 and an intermediate call to openssl_decrypt. I have looked, but have not found a way to duplicate this in hashcat. I am willing to write C/C++ code to extend it if needed.
while (!feof($fp)) {
// Read each line of the file, it is the user password
$user_password = trim(fgets($fp));
// First call to PBKDF2
$EVP_password = hash_pbkdf2($hash, $user_password, $keystore['pbkdf2_1_salt'], $keystore['pbkdf2_1_iterations'], $keystore['generic_key_length'], true);
// Here, the password used for the second call to PBKDF2 is decrypted
$decrypted_password = openssl_decrypt(substr($keystore['pbkdf2_2_encrypted_password'], 0, $keystore['evp_decrypt_input_length']), $method, $EVP_password, OPENSSL_RAW_DATA, '');
if ($decrypted_password === false) {
continue;
}
// Final hash is computed
$final_hash = hash_pbkdf2($hash, $decrypted_password, $keystore['pbkdf2_2_salt'], $keystore['pbkdf2_2_iterations'], $keystore['pbkdf2_2_key_length'], true);
// If the computed hash is equal to the stored hash, then we have got the right user password
if ($final_hash === $keystore['final_hash']) {
return $user_password;
}
}