Null Key Result
#1
I'm attempting to crack an old Itunes Backup Manifest.plist file and am running into some issues.  This will "crack" the hash, but the result is always an empty (possibly null) key/password in the output file and potfile.  I'm running this command:

Code:
hashcat -m 14700 -a 0 -w 2 --f --keep-guessing manifest.txt rockyou.txt -o itunes_backup2hashcat/cracked.txt

Any suggestions would be greatly appreciated.  I've tried several other commands but haven't succeeded yet.  I spent quite some time uninstalling and reinstalling my drivers today, so I'm hoping that isn't the issue.

TIA!
Reply
#2
why do you use --f ?
Most likely that's the root of the problem. Why do you use the --force switch ? You can't work aound a problem by just forcing hashcat to continue and therefore ignore the problem.

Do you get any self-test errors without --force ?
Reply
#3
Thank you for the response. I get the same Null key when removing that option. I had originally received an error that Intel's drivers had broken and read a post in the forums here to use that option to ignore it. After updating my nvidia driver to 460, that error went away. The updated, correct command I've been using is:

Code:
hashcat -m 14700 -a 0 -w 2 -r rules/best64.rule itunes_backup2hashcat/backup_hash.txt rockyou.txt

or

Code:
hashcat -m 14700 -a 0 -w 2 --keep-guessing -r rules/best64.rule itunes_backup2hashcat/backup_hash.txt rockyou.txt

Sorry for the confusion!
Reply
#4
did you try to open the itunes backup with an empty password (zero length password) ?
I'm not sure if this is even possible, but I can't imagine that hashcat will tell you that this is the correct password even if it is not.... you could in theory even try to decrypt the file yourself and see if something useful could be recovered (if you are tech safy and/or a developer you could have a look at this to see how the decryption works: https://raw.githubusercontent.com/hashca.../m14700.pm and adapt it with your password/key etc to try to recover the data manually if iTunes doesn't let you test an empty password (anymore))



btw: the "if (defined $wpky_param)" branch in that test module (perl script) means that it tries to decrypt the specified $WPKY (the perl script makes the decision between "generating hashes"/encrypting and "testing cracks"/decryption). also note: that 12008468691120727718 is just 0xa6a6a6a6a6a6a6a6 in hexadecimal, see the optimized OpenCL/CUDA code: https://github.com/hashcat/hashcat/blob/...re.cl#L380).
Reply