10-18-2024, 05:59 AM
(03-14-2019, 08:38 AM)atom Wrote: I'd be happy to add this to hashcat. Just need the details.
Given the current state and work of the proxmark3 repository, this could actually be reduced to a function to crack 40 bits.
TLDR:
The initial scope described by Iceman was to crack a 64-bit key.
Now, a faster way to do this would instead be to retrieve 24 bits of that key and crack the remaining 40.
This is currently done with a CPU implementation and it takes a significant time to complete.
The details are as follows:
User intake:
- The known 24 key bits; these are distributed as the last 3 bits of each byte in an 8-byte sequence.
- The epurse value (a string of 8 bytes used for MAC generation)
- Two nr-mac traces
What the hashcat module should do:
In a brute-force fashion it should generate the remaining 40 bits of the 64-bit key, leaving the specified 24 bits unchanged.
It should then use the generated 64-bit key to compare against the epurse+mac1 trace and see if there's a match.
If there's a match, it should repeat the previous step against the epurse+mac2 trace.
If there's also a match with the second generated MAC, end the process and return the identified key (40 bits brute-forced + 24 bits provided); otherwise continue by incrementing the 40-bit value.
It is relatively easy to extract the required C code from the Proxmark3 repository for these calculations, and I'd be happy to help with this, but I completely lack the hashcat knowledge to implement it.