Breaking Samsung Android Passwords/PIN
#41
Sad 
(05-26-2015, 12:50 PM)atom Wrote: AFAIK Android 5.x uses a different scheme, therefore it will not work

Anyone knows what kinda algorithm Android uses since version 5?
Its a shame, all the info on the topic are obsolete now! Sad

Also seems hashcat (cpu version, not ocl or cuda one) doesn't support iterations since it doesn't accept -u option. Is that true?
Reply
#42
This is very easy to crack (and to find out what algo is used), you just need to investigate a little bit and make some tests, see my tests:
Code:
./oclHashcat64.bin --quiet -m 110 7baad69b719fe341bfb23b500abd1bf673070245:e99630554b0b7899 -a 3 4870
7baad69b719fe341bfb23b500abd1bf673070245:e99630554b0b7899:4870

So basically the algo in use here is -m 110 = sha1($pass.$salt)

The same works also with MD5-based hash ( Wink ):

Code:
./oclHashcat64.bin --quiet -m 10 3556ba277abc4b98422e97b18b3f34b1:e99630554b0b7899 -a 3 4870
3556ba277abc4b98422e97b18b3f34b1:e99630554b0b7899:4870

Of course it is preferred to crack MD5, because it should crack must faster.

Hope this helps... btw it is kind of off topic here since this are 2 very different algos (iterated + iteration count within the computation vs non-iterated algo)...
If we want to discuss this in further details, I would suggest that we split this discussion into a new thread.
Reply
#43
(05-27-2015, 11:28 AM)philsmd Wrote: This is very easy to crack (and to find out what algo is used), you just need to investigate a little bit and make some tests, see my tests:
Code:
./oclHashcat64.bin --quiet -m 110 7baad69b719fe341bfb23b500abd1bf673070245:e99630554b0b7899 -a 3 4870
7baad69b719fe341bfb23b500abd1bf673070245:e99630554b0b7899:4870

So basically the algo in use here is -m 110 = sha1($pass.$salt)

The same works also with MD5-based hash ( Wink ):

Code:
./oclHashcat64.bin --quiet -m 10 3556ba277abc4b98422e97b18b3f34b1:e99630554b0b7899 -a 3 4870
3556ba277abc4b98422e97b18b3f34b1:e99630554b0b7899:4870

Of course it is preferred to crack MD5, because it should crack must faster.

Hope this helps... btw it is kind of off topic here since this are 2 very different algos (iterated + iteration count within the computation vs non-iterated algo)...
If we want to discuss this in further details, I would suggest that we split this discussion into a new thread.

oh! thanks. I thought 1024 iterations were for generic too. I guess I just couldnt believe they were just salted sha-1 and md5. sorry for mixing them up with samsung specific one.
Reply
#44
HEllo. plese need help. cant get password Sad


password.key contain : 1DF685BD010C9E45995C1542396CEFB7B9D3D632112784C3D2FFC4731E2EF01D482FF3E6

salt is : -1180738009381230676

and i know password is 4 digits

but

E:\cudaHashcat-1.36\cudaHashcat-1.36>cudaHashcat32.exe -a 3 -n 80 -u 1024 -m 580
0 1df685bd010c9e45995c1542396cefb7b9d3d632:ef9d2d094a07a7ac ?d?d?d?d
cudaHashcat v1.36 starting...

Device #1: GeForce GT 630, 4095MB, 1620Mhz, 2MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you erro
rs of code 702
You can disable it with a regpatch, see here: http://hashcat.net/wiki
/doku.php?id=timeout_patch

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m05800.sm_21.32.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.32.ptx
Device #1: Kernel ./kernels/4318/amp_a3_v1.32.ptx


ATTENTION!
The wordlist or mask you are using is too small.
Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=fre...estions#ho
w_to_create_more_work_for_full_speed


INFO: approaching final keyspace, workload adjusted


Session.Name...: cudaHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?d?d?d?d) [4]
Hash.Target....: 1df685bd010c9e45995c1542396cefb7b9d3d632:...
Hash.Type......: Android PIN
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...: 93962 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 10000/10000 (100.00%)
Rejected.......: 0/10000 (0.00%)
HWMon.GPU.#1...: 2% Util, 39c Temp, N/A Fan

Started: Mon Aug 10 13:20:51 2015
Stopped: Mon Aug 10 13:20:54 2015


what can be wrong ?
Reply
#45
(08-10-2015, 10:53 AM)Diablosss Wrote: HEllo. plese need help. cant get password Sad


password.key contain : 1DF685BD010C9E45995C1542396CEFB7B9D3D632112784C3D2FFC4731E2EF01D482FF3E6

salt is : -1180738009381230676

and i know password is 4 digits

but

E:\cudaHashcat-1.36\cudaHashcat-1.36>cudaHashcat32.exe -a 3 -n 80 -u 1024 -m 580
0  1df685bd010c9e45995c1542396cefb7b9d3d632:ef9d2d094a07a7ac ?d?d?d?d
cudaHashcat v1.36 starting...

Device #1: GeForce GT 630, 4095MB, 1620Mhz, 2MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you erro
rs of code 702
          You can disable it with a regpatch, see here: http://hashcat.net/wiki
/doku.php?id=timeout_patch

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m05800.sm_21.32.ptx
Device #1: Kernel ./kernels/4318/markov_le_v1.32.ptx
Device #1: Kernel ./kernels/4318/amp_a3_v1.32.ptx


ATTENTION!
 The wordlist or mask you are using is too small.
 Therefore, oclHashcat is unable to utilize the full parallelization power of y
our GPU(s).
 The cracking speed will drop.
 Workaround: https://hashcat.net/wiki/doku.php?id=fre...estions#ho
w_to_create_more_work_for_full_speed


INFO: approaching final keyspace, workload adjusted


Session.Name...: cudaHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?d?d?d?d) [4]
Hash.Target....: 1df685bd010c9e45995c1542396cefb7b9d3d632:...
Hash.Type......: Android PIN
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:    93962 H/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 10000/10000 (100.00%)
Rejected.......: 0/10000 (0.00%)
HWMon.GPU.#1...:  2% Util, 39c Temp, N/A Fan

Started: Mon Aug 10 13:20:51 2015
Stopped: Mon Aug 10 13:20:54 2015


what can be wrong ?

When calculate with MD5/SALT pass is 9909
Reply
#46
I need some support here
I've got a Samsung tab s 8.4, running on Android 5.0.2

Password Hash: 5CE9DBBB56EFCF2D25657EC5B407908B19F75FC0

Lockscreen Salt: -3254784570573335319
Lower case Hex:  2d2b515285722b17   Is this correct?
EDIT
Lockscreen Salt: -3254784570573335319
Salt hash hex: D2D4AEAD7A8DD4E9
Lower case  d2d4aead7a8dd4e9


<active-password quality="262144" length="4" uppercase="1" lowercase="3" letters="4" numeric="0" symbols="0" nonletter="0" recoverable="false" />

I've tried several different options but I'm not getting anywhere
Could anyone send me the password? This is a tablet that hasn't been used for a while but contains very valuable pictures and data from a relative that passed away
cudaHashcat64.exe -a 3 -m 5800 5CE9DBBB56EFCF2D25657EC5B407908B19F75FC0:2d2b515285722b17 ?l?l?l?l?l?l?l?l

All help is very much appreciated

cudaHashcat64.exe -a 3 -n 80 -u 1024 -m 5800 5CE9DBBB56EFCF2D25657EC5B407908B19F75FC0:2d2b515285722b17 ?d?d?d?d
cudaHashcat v2.01 starting...

Device #1: GeForce GTX 970, 4096MB, 1253Mhz, 13MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
           You can disable it with a regpatch, see here: http://hashcat.net/wiki/doku.php?id=timeout_patch
Device #2: GeForce GTX 970, 4096MB, 1253Mhz, 13MCU
Device #2: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
           You can disable it with a regpatch, see here: http://hashcat.net/wiki/doku.php?id=timeout_patch

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4318/m05800.sm_52.64.cubin
Device #1: Kernel ./kernels/4318/markov_le_v1.sm_52.64.cubin
Device #1: Kernel ./kernels/4318/amp_a3_v1.sm_52.64.cubin
Device #2: Kernel ./kernels/4318/m05800.sm_52.64.cubin
Device #2: Kernel ./kernels/4318/markov_le_v1.sm_52.64.cubin
Device #2: Kernel ./kernels/4318/amp_a3_v1.sm_52.64.cubin


ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, oclHashcat is unable to utilize the full parallelization power of your GPU(s).
  The cracking speed will drop.
  Workaround: https://hashcat.net/wiki/doku.php?id=fre...full_speed


INFO: approaching final keyspace, workload adjusted


Session.Name...: cudaHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?d?d?d?d) [4]
Hash.Target....: 5ce9dbbb56efcf2d25657ec5b407908b19f75fc0:...
Hash.Type......: Android PIN
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:   223.5 kH/s
Speed.GPU.#2...:   212.5 kH/s
Speed.GPU.#*...:   436.1 kH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 10000/10000 (100.00%)
Rejected.......: 0/10000 (0.00%)
HWMon.GPU.#1...:  2% Util, 54c Temp,  0rpm Fan
HWMon.GPU.#2...:  2% Util, 56c Temp, 830rpm Fan

Started: Tue May 03 14:02:54 2016
Stopped: Tue May 03 14:02:55 2016
Reply
#47
Guys - I've found it
If it could be of anyones help, this is what got me the password:

cudaHashcat-2.01>cudaHashcat64.exe -a 3 -m 5800 5CE9DBBB56EFCF2D25657EC5B407908B19F75FC0:d2d4aead7a8dd4e9
Reply
#48
The optimal maskfile, according to the policy you've posted, would be:

Quote:?u?l?l?l
?l?u?l?l
?l?l?u?l
?l?l?l?u

You can generate them with PACK 0.4
Reply