Posts: 7
Threads: 2
Joined: Oct 2022
So I am experimenting with this and have several bits of information on how to do this but wanted to see if anyone can help pull it all together. I am trying to get a clear answer to the proper steps and commands needed to see if I can recover a key used with DES-OFB. I have the PT and CT, IV but trying to work out the next steps.
Happy to share more but wanted to see if anyone would be willing to jump in and help.
Posts: 5,185
Threads: 230
Joined: Apr 2010
OFB works like ECB on a single block
ECB:
Quote:$ echo -n 4142434441424344 | xxd -r -p | openssl enc -des-ecb -K 1234123412341234 -nopad -provider legacy | xxd -ps
9310d43e89fc63fa
crack:
Quote:echo 1234123412341234 | xxd -r -p | ./hashcat -m 14000 9310d43e89fc63fa:4142434441424344
Status...........: Cracked
OFB:
Quote:$ echo 4956495649564956 | xxd -r -p | openssl enc -des-ecb -K 1234123412341234 -nopad -provider legacy | xxd -ps
347545b0d3d0955b
$ printf '%x\n' $((0x347545b0d3d0955b ^ 0x4142434441424344))
753706f49292d61f
crack:
Quote:$ printf '%x\n' $((0x753706f49292d61f ^ 0x4142434441424344))
347545b0d3d0955b
echo 1234123412341234 | xxd -r -p | ./hashcat -m 14000 347545b0d3d0955b:4956495649564956
Status...........: Cracked
So basically XOR your PT with your CT manually, the result becomes the "hash". Then append the IV as salt to this hash, all in hex. Then you can crack the key.
Posts: 7
Threads: 2
Joined: Oct 2022
Ahh ok then, That's what I wanted to confirm. The part of the hashcat command with the "xxxxxxxx:xxxxxxxx" is supposed to be the "hash":"salt" and not the PT:CT
My next question is this. The "strings" of PT, CT, and IV I have are not 16 hex "digits" long but have an extra 6 making them 22. So 11 bytes instead of 8. Additionally the last 2 of that could by one of two sets. So knowing that would it be safe to just use the 16 characters from the left for each and run that?
For example my PT can be either:
AA AA AA AA AA AA AA AA AA AA BB
or
AA AA AA AA AA AA AA AA AA AA CC
and the CT and IV are that same length.
So can I just use the first 8 bytes since hashcat limits it to 8?
Posts: 5,185
Threads: 230
Joined: Apr 2010
11-02-2022, 11:25 AM
(This post was last modified: 11-02-2022, 11:26 AM by atom.)
(11-02-2022, 07:04 AM)phillipw1084 Wrote: Ahh ok then, That's what I wanted to confirm. The part of the hashcat command with the "xxxxxxxx:xxxxxxxx" is supposed to be the "hash":"salt" and not the PT:CT
You can name it how you want, in the end it's just data. Just keep in mind that you "exploit" ECB to crack OFB. From hashcat perspective it's still CT:PT (not PT:CT), but in translated to your case it's (PT^CT):IV because in OFB the PT is the IV (see the wiki page I've linked).
(11-02-2022, 07:04 AM)phillipw1084 Wrote: My next question is this. The "strings" of PT, CT, and IV I have are not 16 hex "digits" long but have an extra 6 making them 22. So 11 bytes instead of 8. Additionally the last 2 of that could by one of two sets. So knowing that would it be safe to just use the 16 characters from the left for each and run that?
For example my PT can be either:
AA AA AA AA AA AA AA AA AA AA BB
or
AA AA AA AA AA AA AA AA AA AA CC
and the CT and IV are that same length.
So can I just use the first 8 bytes since hashcat limits it to 8?
Yes, you have to. Because it's not a hashcat limit, it's how the DES cipher itself is designed. It always takes a block of 8 byte.
I'd strongly suggest you tried I with a known combination of PT, CT and IV first.
Posts: 7
Threads: 2
Joined: Oct 2022
Perfect, I planned to do just that. Also I am not seeing the Wiki link. Am I missing something?
Posts: 5,185
Threads: 230
Joined: Apr 2010
Posts: 7
Threads: 2
Joined: Oct 2022
One more thing, I had tried this command below previously. Seems like every time on ever machine I just get an error "Invalid hex character in mask charsets/DES_full.charset". Do I even need all that or just keep it simple like the command you showed in your example?
hashcat -m 14000 hash
alt -a 3 --hex-charset ?1?1?1?1?1?1?1?1 -1 charsets/DES_full.charset
Posts: 5,185
Threads: 230
Joined: Apr 2010
This is now a regular hashcat usage question.