HMAC-SHA1

[Paolo]

Hi all,
I'm doing an ethical hacking activity and I want to test if developers used a good or bad "secret" for cookie signing.
The software is made with mojolicious that signs his cookie using HMAC-SHA1.

The problem is that the smaller signed cookie I can get from the application is 72 char long!
Using HMAC-SHA1 (150) and giving HASH:cookie (I need to "crack" the key) results in a "Line-length exception".

Am I doing something wrong? The hashcat limitation is something related to the gpu implementation or just a sanity check with passwords in mind?
HMAC is message authentication algo, it sound strange for me that it's impossible to brute a 72 char long text!

Anyone have a good advice for me?
Thank you in advance
Paolo

[philsmd]

The beta version (https://hashcat.net/beta/) supports much larger password and salt lengths at the cost of performance (if you do not use -O command line argument with newest beta version, you should be able to use much larger salts/passwords).

it sound strange for me that it's impossible to brute a 72 char long text

it's infeasible to bruteforce a text that is truly random and 72 characters long (e.g. the mask ?b?b?b?b?b?b?b?b?b?b?b?b?b?b?b?b?b?b?b....?b?b?b, i.e. 72 times ?b).
on the other hand, if most of the 72 characters are known, you might be able to recover the text

[Paolo]

Hi philsmd,
thank you for the info, I'll try shortly!

I agree with you that it's infeasible to brute 72 char long text, but in this case what I want to brute is not the text part but the key!
HMAC-SHA1("text (long long long long text)","key")=HASH.
I've got the text and the hash. I need to brute the key, that may be it's only few char!

I'll report here any news
Thank you

[Paolo]

I don't know why but if I can only use the beta with on of two GPUs:

Code:

hashcat (v3.6.0-496-g2517292a) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: Graphics Device, 2793/11172 MB allocatable, 28MCU
* Device #2: Graphics Device, 2793/11172 MB allocatable, 28MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Password length minimum: 0
Password length maximum: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.

Initialized device kernels and memory...Killed

If i use -d 1 it works..

The speed is not bad [1426.7 MH/s (81.98ms)] so I'll try with this configuration!

Thank you
Paolo

[philsmd]

Never saw this before... but it seems that the "Killed" error comes from you operating system (it's defintely not from hashcat itself) and means that you do not have enough RAM.
How much RAM do you have?
Did you try to look at the RAM consumption while starting hashcat?

What is the command you are using? Maybe your command line is not correct and you are therefore using too much memory.

[Paolo]

Hi philsmd, I went to the same result also with my pool knowledge of hashcat

Trying to use both the GPU I divided the workload, used two sessions and -d1 and -d2 and... got "Insufficient Memory" error on the second instance.

So I've increased RAM memory to 4GB and now it works as expected

I'm in a really "strange" (uncommon) configurarion..
The two GPU are in my datacenter colocation, the server I'm using is doing a lot of "experimental" things, so I'm using virtualization! (vmware ESXi 6.0)
I know that GPU passthrough is not supported and I wasn't that easy to make it work, but it works!
In this way the RAM upgrade from 2 to 4GB was really easy

Thank you for your assistence, If it could make you smile I've recovered the secret used to sign cookies on the target application
rockyou.txt + best64.rule = LOL ! (12 chars lenght)

Have a nice day, thank you so much
Paolo