09-18-2022, 12:30 PM
Hello guys,
I found my old laptop from 2014 that uses Debian 7. I have the root access to laptop but I don't remember the password for my particular user home partition.
After using ecryptfs2john.py https://github.com/openwall/john/blob/bl...pt2john.py
on wrapped-passphrase I got $ecryptfs$0$a31852a99dfe3XXX
Because of using the default salt 0011223344556677 (CVE 2014-9687) the full like $ecryptfs$0$1$0011223344556677$a31852a99dfe3XXX
Guys, How to provide the known salt to hashcat?
According hashcat examples, I expected something like that:
$ecryptfs$0$1$0011223344556677$a31852a99dfe3XXX:0011223344556677 - > But in this case throws length exception.
Normaly if default salt is used, then should be decrpyted/bruteforced only 8 bit instead of 16: "...To encrypt a passphrase, ecryptfs-utils uses AES 128-bit in ECB mode of operation. The passphrase is 16-byte (128-bit) long. The wrapping process encrypts the hexlified version of the passphrase which lies on 32 bytes (256 bits). It means two AES blocks will be process during the key wrapping. In the (unlikely) case were the passphrase has the upper 8-byte part equal to the lower 8-byte part then its wrapped version will also have the same property. If an adversary sees an encrypted key in the wrapped-passphrase file with the lower part equal the upper part he will now that he have only to bruteforce 8 bytes and not the full 16-byte key ..." https://bugs.launchpad.net/ecryptfs/+bug/1480532
Is there any possibility to use the short form like $ecryptfs$0$a31852a99dfe3XXX
or providing the know salt 0011223344556677 to hashcat?
hashcat -m 12200 -a 3 -w 3 withDefaultSalt -o ecryptfs-pwd.txt
I found my old laptop from 2014 that uses Debian 7. I have the root access to laptop but I don't remember the password for my particular user home partition.
After using ecryptfs2john.py https://github.com/openwall/john/blob/bl...pt2john.py
on wrapped-passphrase I got $ecryptfs$0$a31852a99dfe3XXX
Because of using the default salt 0011223344556677 (CVE 2014-9687) the full like $ecryptfs$0$1$0011223344556677$a31852a99dfe3XXX
Guys, How to provide the known salt to hashcat?
According hashcat examples, I expected something like that:
$ecryptfs$0$1$0011223344556677$a31852a99dfe3XXX:0011223344556677 - > But in this case throws length exception.
Normaly if default salt is used, then should be decrpyted/bruteforced only 8 bit instead of 16: "...To encrypt a passphrase, ecryptfs-utils uses AES 128-bit in ECB mode of operation. The passphrase is 16-byte (128-bit) long. The wrapping process encrypts the hexlified version of the passphrase which lies on 32 bytes (256 bits). It means two AES blocks will be process during the key wrapping. In the (unlikely) case were the passphrase has the upper 8-byte part equal to the lower 8-byte part then its wrapped version will also have the same property. If an adversary sees an encrypted key in the wrapped-passphrase file with the lower part equal the upper part he will now that he have only to bruteforce 8 bytes and not the full 16-byte key ..." https://bugs.launchpad.net/ecryptfs/+bug/1480532
Is there any possibility to use the short form like $ecryptfs$0$a31852a99dfe3XXX
or providing the know salt 0011223344556677 to hashcat?
hashcat -m 12200 -a 3 -w 3 withDefaultSalt -o ecryptfs-pwd.txt