Dealing with eCryptfs hash with default Salt (CVE 2014-9687)
#1
Hello guys,

I found my old laptop from 2014 that uses Debian 7. I have the root access to laptop but I don't remember the password for my particular user home partition.

After using ecryptfs2john.py https://github.com/openwall/john/blob/bl...pt2john.py
on wrapped-passphrase I got $ecryptfs$0$a31852a99dfe3XXX

Because of using the default salt 0011223344556677 (CVE 2014-9687) the full  like $ecryptfs$0$1$0011223344556677$a31852a99dfe3XXX

Guys, How to provide the known salt to hashcat?

According hashcat examples, I expected something like that:
$ecryptfs$0$1$0011223344556677$a31852a99dfe3XXX:0011223344556677 - > But in this case throws length exception.

Normaly if default salt is used, then should be decrpyted/bruteforced only 8 bit instead of 16: "...To encrypt a passphrase, ecryptfs-utils uses AES 128-bit in ECB mode of operation. The passphrase is 16-byte (128-bit) long. The wrapping process encrypts the hexlified version of the passphrase which lies on 32 bytes (256 bits). It means two AES blocks will be process during the key wrapping. In the (unlikely) case were the passphrase has the upper 8-byte part equal to the lower 8-byte part then its wrapped version will also have the same property. If an adversary sees an encrypted key in the wrapped-passphrase file with the lower part equal the upper part he will now that he have only to bruteforce 8 bytes and not the full 16-byte key ..." https://bugs.launchpad.net/ecryptfs/+bug/1480532

Is there any possibility to use the short form like $ecryptfs$0$a31852a99dfe3XXX
or providing the know salt 0011223344556677 to hashcat?
hashcat -m 12200 -a 3 -w 3 withDefaultSalt -o ecryptfs-pwd.txt
Reply
#2
Ok gus, after some researches I found much better solution: using /etc/shadow and /etc/passwd files. If you currently updated your root/$USERpasswords, you can get copy from /etc/shadow- and /etc/passwd-. Using thes both files for particular username, for example "bob", extract and execute unshadow passwd shadow > unshadowed.txt
This line contains SHA-512 (5000 times hashed) password. Use hashcat or john to obtain the real pwd Smile for example hashcat -m 1800 or john unshadowed.txt.

According https://gist.github.com/Chick3nman/e4fce...2106d73fef using 3090:

Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000)
Speed.#1.........: 469.5 kH/s (70.69ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
vs
Hashmode: 12200 - eCryptfs (Iterations: 65536)
Speed.#1.........: 45432 H/s (57.60ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1

Also, 469.500 H/s vs 45.432 H/s -> factor 10 !! Cheers Smile
Reply