Itunes Backup
#21
Agreed thank you so much for all looking into this. I know that it's been a headache for a lot of people having a decent piece of software to do this task. If anyone needs any example manifest .plist files I have uploaded 2 test files available from my Mirosoft OneDrive account

IOS 10.2.0 password is test123
https://1drv.ms/u/s!AkX1d9Ep8_QTlAGD-JILI09Mdxpj

IOS 9.3.0 password is test123
https://1drv.ms/f/s!AkX1d9Ep8_QTk31jXMN0DILcgAK6

There are some changes between IOS 9 and 10 to the structure. I hope this helps.
#22
Are you sure that the password of the first one (IOS 10.2.0) is "test123" (without quotes)?
It doesn't seem to crack and also the stackoverflow code (our reference for the algorithm) isn't able to open it with password "test123".

I'm not sure if the changes in structure are of any importance to us. We only might need some lower/upper bounds for all the inputs (salt, wpky, iter) we have.

... and yeah, I didn't see any new hashcat github issue (feature request) related to this algorithm. If nobody requests it, the chance might be very low that this gets implemented.
#23
The request on GITHUB I just created. I hope you can understand my English
#24
@Tuxel don't worry the language is not the problem... but there might be other things that need to be double-checked first (we need to gather more information such that we are almost perfectly sure about the algorithm details). For instance, it seems that there are at least 2 version of the algorithm, one using DPIC and DPSL and the older one doesn't use this.

Thanks to @atom for the suggestion about this alternative algorithm, I have now released an improved version of the perl script. This should be of interest to both of you (Tuxel and IncognitoEntity) because:
1. the improved version now also cracks the "test123" example that IncognitoEntity posted (for IOS 10.2.0)
2. your example file Tuxel also uses this alternative and therefore the old version does not work in this particular case.

The bad news is that the new algorithm used by the ios backups is even slower (of course), so GPU acceleration might be "necessary"/profitable here.

New version:
https://gist.github.com/philsmd/6288a3c6...2be2d58328

Thanks
#25
Sorry I didn't see the message soon enough above about being the right password, but you found it to be quick enough. It's fantastic that you're able to work this out so quickly! I would love to learn that knowledge. I too have added a comment to the feature request on github requesting this to be implemented.

Please appologise to @Atom for me too, his private email regarding this that he sent to my email address a while back went to my junk mail and i've just found it!

I look forward to potentially seeing GPU implementation in Hashcat. It will also be the first software to my knowledge that will be able to do IOS 10.2.0!
#26
I thank you...
I just test the new script
#27
I managed to recover my lost password. Thank you philsmd!
#28
@keen, good to hear that it helped.

There is also an update to hashcat! It now supports both -m 14700 = iTunes Backup < 10 and -m 14800 = iTunes Backup >= 10 (use beta 3.30+50 or newer: https://hashcat.net/beta/)
Thanks

update: you can use this tool to extract the hashes: https://github.com/philsmd/itunes_backup2hashcat/
#29
(01-26-2017, 10:25 PM)philsmd Wrote: @keen, good to hear that it helped.

There is also an update to hashcat! It now supports both -m 14700 = iTunes Backup < 10 and -m 14800 = iTunes Backup >= 10 (use beta 3.30+50 or newer: https://hashcat.net/beta/)
Thanks

update: you can use this tool to extract the hashes: https://github.com/philsmd/itunes_backup2hashcat/

great!!
ur the best
#30
This beta update sort of works, but has some problems. I'm using Mac OS X 10.11.6 (El Capitan) with Hashcat and the OpenCL submodule from GitHub this morning. With the Manifest.plist file IncognitoEntity posted with the password test123, I'm able to recover the password after 4.5 minutes with a very short password list, but most of the time I get Abort trap: 6  errors:

Code:
$ ~/bin/itunes_backup2hashcat.pl Manifest.plist  >itunes.txt
$ printf "password1\npassword2\ntest123\npassword3" >mylist
$ ~/Hack/hashcat/hashcat -m 14800 -a 0 --weak-hash-threshold 0 itunes2.txt mylist
hashcat (v3.30-55-g32e285f) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz, skipped
* Device #2: Iris Pro, 384/1536 MB allocatable, 40MCU
* Device #3: GeForce GT 750M, 512/2048 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Generated dictionary stats for mylist: 38 bytes, 4 words, 4 keyspace

INFO: approaching final keyspace, workload adjusted

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => Abort trap: 6

Longer lists produce CL_INVALID_VALUE/CL_DEVICE_NOT_FOUND errors:

Code:
$ ~/Hack/hashcat/hashcat -m 14800 -a 0 --weak-hash-threshold 0 itunes2.txt mylist
hashcat (v3.30-55-g32e285f) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz, skipped
* Device #2: Iris Pro, 384/1536 MB allocatable, 40MCU
* Device #3: GeForce GT 750M, 512/2048 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Cache-hit dictionary stats mylist: 1863 bytes, 204 words, 204 keyspace

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => clEnqueueReadBuffer(): CL_INVALID_VALUE

clEnqueueReadBuffer(): CL_DEVICE_NOT_FOUND

Basic stuff like benchmark results shows 0 H/s, which seems wrong:

Code:
$ ~/Hack/hashcat/hashcat -m 14800 -b
hashcat (v3.30-55-g32e285f) starting in benchmark mode...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz, skipped
* Device #2: Iris Pro, 384/1536 MB allocatable, 40MCU
* Device #3: GeForce GT 750M, 512/2048 MB allocatable, 2MCU

Hashtype: iTunes Backup >= 10.0

Speed.Dev.#2.....:        0 H/s (1844673858308.33ms)
Speed.Dev.#3.....:        0 H/s (61.95ms)
Speed.Dev.#*.....:        0 H/s

Started: Fri Jan 27 10:03:57 2017
Stopped: Fri Jan 27 10:04:04 2017

Should I open some bugs to track these issues? Maybe I'm doing something wrong, or there's something wrong with my Mac?

Thanks,

-Josh