VirtualBox Disk Image Encryption
#1
I have a VirtualBox image that is encrypted that I have forgotten the password. I created a new test.vbox and found a PHP program - vboxdie-cracker that is able to find the correct password for the test from a wordlist. But it only guesses 2 passwords per second. Here is what the vboxdie-cracker extracts from the test.vbox file with a password of password:

[+] KeyStore contents:
Header                        454e4353 (SCNE)
Version                       1
Algorithm                     AES-XTS256-PLAIN64
KDF                           PBKDF2-SHA256
Key length                    64
Final hash                    592d0544669c3cfc4701544903cd94ff7a5e067be8ff0d9c9113ffb3d773367b
PBKDF2 2 Key length           32
PBKDF2 2 Salt                 07d630d090896740baee6975d5540a7e837d3b410789924db21f7e1ebaa2120e
PBKDF2 2 Iterations           20000
PBKDF2 1 Salt                 ee9aa0d45159218cc493e1b8653ef34cdba5975bcf58c948b0565575b58b5f54
PBKDF2 1 Iterations           100000
EVP buffer length             64
PBKDF2 2 encrypted password   0520752245c51e7f5cc62e8397126f69eaa678a77727a991f4cebdf86ac52d28      2c06cc815b63ed5e38e455193ba7031725914242ae24a98577b53cce49d4ceb3

I have a usual pattern of characters I use and I wrote a C++ program to create a word list of several thousand permutations, but no luck so far. I need more speed. Any help on how to use hashcat to crack this would be much appreciated.

My confusion is how to use 2 salts with hashcat?
#2
(04-28-2017, 10:10 AM)wfcollins Wrote: I have a VirtualBox image that is encrypted that I have forgotten the password. I created a new test.vbox and found a PHP program - vboxdie-cracker that is able to find the correct password for the test from a wordlist. But it only guesses 2 passwords per second. Here is what the vboxdie-cracker extracts from the test.vbox file with a password of password:

[+] KeyStore contents:
Header                        454e4353 (SCNE)
Version                       1
Algorithm                     AES-XTS256-PLAIN64
KDF                           PBKDF2-SHA256
Key length                    64
Final hash                    592d0544669c3cfc4701544903cd94ff7a5e067be8ff0d9c9113ffb3d773367b
PBKDF2 2 Key length           32
PBKDF2 2 Salt                 07d630d090896740baee6975d5540a7e837d3b410789924db21f7e1ebaa2120e
PBKDF2 2 Iterations           20000
PBKDF2 1 Salt                 ee9aa0d45159218cc493e1b8653ef34cdba5975bcf58c948b0565575b58b5f54
PBKDF2 1 Iterations           100000
EVP buffer length             64
PBKDF2 2 encrypted password   0520752245c51e7f5cc62e8397126f69eaa678a77727a991f4cebdf86ac52d28      2c06cc815b63ed5e38e455193ba7031725914242ae24a98577b53cce49d4ceb3

I have a usual pattern of characters I use and I wrote a C++ program to create a word list of several thousand permutations, but no luck so far. I need more speed. Any help on how to use hashcat to crack this would be much appreciated.

My confusion is how to use 2 salts with hashcat?
how did u encrypt the virtual hard drive in the first place?
isnt it LUKS ?
#3
(04-29-2017, 08:13 AM)kiara Wrote:
(04-28-2017, 10:10 AM)wfcollins Wrote: I have a VirtualBox image that is encrypted that I have forgotten the password. I created a new test.vbox and found a PHP program - vboxdie-cracker that is able to find the correct password for the test from a wordlist. But it only guesses 2 passwords per second. Here is what the vboxdie-cracker extracts from the test.vbox file with a password of password:

[+] KeyStore contents:
Header                        454e4353 (SCNE)
Version                       1
Algorithm                     AES-XTS256-PLAIN64
KDF                           PBKDF2-SHA256
Key length                    64
Final hash                    592d0544669c3cfc4701544903cd94ff7a5e067be8ff0d9c9113ffb3d773367b
PBKDF2 2 Key length           32
PBKDF2 2 Salt                 07d630d090896740baee6975d5540a7e837d3b410789924db21f7e1ebaa2120e
PBKDF2 2 Iterations           20000
PBKDF2 1 Salt                 ee9aa0d45159218cc493e1b8653ef34cdba5975bcf58c948b0565575b58b5f54
PBKDF2 1 Iterations           100000
EVP buffer length             64
PBKDF2 2 encrypted password   0520752245c51e7f5cc62e8397126f69eaa678a77727a991f4cebdf86ac52d28      2c06cc815b63ed5e38e455193ba7031725914242ae24a98577b53cce49d4ceb3

I have a usual pattern of characters I use and I wrote a C++ program to create a word list of several thousand permutations, but no luck so far. I need more speed. Any help on how to use hashcat to crack this would be much appreciated.

My confusion is how to use 2 salts with hashcat?
how did u encrypt the virtual hard drive in the first place?
isnt it LUKS ?

So this is not the OS level encryption. It is the VirtualBox encryption of the actual .vbox image file. It is a feature when you create a VM before you even install an OS. I am not a crypto expert, but it is using two salts. Here is the PHP code that can correctly decrypt a test VM file. It makes two calls to hash_pbkdf2 and an intermediate call to openssl_decrypt. I have looked, but have not found a way to duplicate this in hashcat. I am willing to write C/C++ code to extend it if needed.


while (!feof($fp)) {

           // Read each line of the file, it is the user password

           $user_password = trim(fgets($fp));

           // First call to PBKDF2

           $EVP_password = hash_pbkdf2($hash, $user_password, $keystore['pbkdf2_1_salt'], $keystore['pbkdf2_1_iterations'], $keystore['generic_key_length'], true);

           // Here, the password used for the second call to PBKDF2 is decrypted

           $decrypted_password = openssl_decrypt(substr($keystore['pbkdf2_2_encrypted_password'], 0, $keystore['evp_decrypt_input_length']), $method, $EVP_password, OPENSSL_RAW_DATA, '');

           if ($decrypted_password === false) {
               continue;
           }

           // Final hash is computed

           $final_hash = hash_pbkdf2($hash, $decrypted_password, $keystore['pbkdf2_2_salt'], $keystore['pbkdf2_2_iterations'], $keystore['pbkdf2_2_key_length'], true);

           // If the computed hash is equal to the stored hash, then we have got the right user password

           if ($final_hash === $keystore['final_hash']) {
               return $user_password;
           }
       }
#4
We can probably be a lot smarter than the author of the PHP script.

We will need to look at the vbox code to verify a few things, but the second call to pbkdf2 is wholly unnecessary if $decrypted_password == $user_password. Can simply hash, decrypt, compare, done. However, if $decrypted_password is e.g. some randomly generated value, we still probably have an opportunity for an early reject here. Like if we know that $decrypted_password will always be e.g. a-zA-Z0-9 then we can reject the candidate if the trial decrypt results in values outside that range, and only do the second pbkdf2 call when we have a likely password.

What's also interesting is the "final hash." Again need to look at the source, but typically pbkdf2 is used to derive an encryption key, and the final hash is the key. If they're storing the final hash value, then are they actually storing the encryption key?? Definitely something to look into!
#5
(04-29-2017, 08:14 PM)epixoip Wrote: We can probably be a lot smarter than the author of the PHP script.

We will need to look at the vbox code to verify a few things, but the second call to pbkdf2 is wholly unnecessary if $decrypted_password == $user_password. Can simply hash, decrypt, compare, done. However, if $decrypted_password is e.g. some randomly generated value, we still probably have an opportunity for an early reject here. Like if we know that $decrypted_password will always be e.g. a-zA-Z0-9 then we can reject the candidate if the trial decrypt results in values outside that range, and only do the second pbkdf2 call when we have a likely password.

What's also interesting is the "final hash." Again need to look at the source, but typically pbkdf2 is used to derive an encryption key, and the final hash is the key. If they're storing the final hash value, then are they actually storing the encryption key?? Definitely something to look into!

Thanks, I am looking at the VirtualBox source code now...
#6
Sorry for the big necro, but the actual implementation in VirtualBox is part of their closed source extensions for some reason. But it turns out they had the code in the open source part of the software when it was first implemented. You can refer to these files for the keystore handling code:
https://github.com/mdaniel/virtualbox-or...yStore.cpp
https://github.com/mdaniel/virtualbox-or...KeyStore.h

I had stumbled upon this thread while searching for implementation details, and just thought it would be helpful to leave this info after I found that.
#7
[a necromancer appears]

Looks like a pull request for hashcat support for VirtualBox hashes has landed!

https://github.com/hashcat/hashcat/pull/2884

Added hash-modes: VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS) and VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS)
~