First year of medical school notes encrypted; begging for help
Weird scenario and at the mercies of intellectual and technological beings surpassing myself in this arena:

I am a first year medical student. I decided to buck the system and make a 12” iPad Pro my main note taking device for school instead of a laptop (love me some Apple Pencil). I collected documents, lectures, and all my notes on the device, most of which are irreplaceable and represent 1000+ hours of work.

When I pre-ordered this 500gb model from Apple I felt like my destiny wasn’t to include the particular type of despair I am encountering. I got the device and immediately noticed a lot of input problems with it. Still, and once the semester had begun, the thought of sending my only means of studying aside from paper and pencil off for several weeks for Apple to check it out, didn’t seem feasible. So I waited until the first year was over to pursue getting the device repaired or replaced under warranty. I obviously was advised to back the device up in iTunes and factory reset it prior to shipping, which I did. I did not choose to encrypt it by assigning a password on it. I performed the steps and sent it in. I received a total device replacement within the same week, to my surprise, and approached the backup to restore my new device and my data.

This is where my recently onset depression began. I click to restore it, and iTunes asks for the password for the backup. I scratch my head, and once I realized this situation was for real, I start punching in every password I can recall using for anything in my digital life. Not a single one works. Not my Mac login password, my Apple ID, my unlock code for the first defective iPad.. etc. So I call Apple, and to my dismay, the rep tells me there is literally nothing they can do. They were kind enough to suggest a few software titles that she felt might help my new quest, but concluded in telling me good luck. From what I gathered, and which was part of my initial argument as to why Apple should consider helping me, is the fact that password/encryption interfacing with iTunes, is actually not in iTunes but in the device to be backed up’s kernel. Where this device was so defunct as to warrant a new replacement, it doesn’t surprise me that it glitched an encryption password in making the backup, but scares the hell out of me as it could be a string of all characters/digits/caps; similar to the “safari suggested password” format for all I know (potentially replete with dashes and all other curious wonders that make this adventure so great to be facing). As I have spent a week learning the world of hacking (which I knew nothing about prior) I have seen the dire circumstances of being in a realm of “hashcatting” with no confidences or information to select a decent mask that could shave off the millions of years I have garnered from my most recent purchase, Passware, which reported such upon buying a second GTX 970, seeing ~131,500 p/s and feeling boss clicking “GO” on a straight 1-18 brute force of UC/LC/SC/ + space. Jaw drops when I see millions of years ETA. I do have a hash generated using the hash script for iOS >=10 found hereabouts on the site, and do report my iPad had iOS version 11.3.1 at the time of backup. My backup is 270gb.
Other random hardware notes = MSI x99-A Raider mobo, 5820K 6 core processor, 16gb ddr4, 2 GTX 970 GPUs. (I know it’s weak; I just thought maybe buying a second might render my solution a handful of weeks away, now millions of years). I know my current hardware is unfeasible, but if there was a hypothetical hardware configuration that could be purchased for even 10 grand, I would love to have the context on what would be needed. I am trying to deduce if there be a solution SOMEWHERE; whether it be an OP entity who might show pity on me, a 3rd party service that wouldn’t make me sell them my soul, or if building a system of 4 TITANp GPUs might make this possible. I have no clue here pros.

I am seeing that my important and irreplaceable information may be stolen and destroyed forever, but seek the hashcat community to chime in with anything you all might suggest; in terms of what you might do in my situation, what hardware configuration might be able to handle such a horrible request, or services by anyone with methods and technologies that could help me for a price I could somehow afford.

Please help my dear gentlemen of the mask. Alms; alms for the poor.
TL, Dr.

To summarize: you are cracking an iTunes backup (probably the newer -m 14800, >= 10.0 version) on a single GTX 970, and you're looking for better options.

On the spectrum of dictionary attacks through brute force, there are a variety of other techniques to try in the middle ... but they will do you no good if the password is strong, and you remember nothing about what it might be.

There are other ways to use hashcat and its sibling programs to assemble some other kinds of attack. But there's a relatively steep learning curve ... and this hash is a very slow one. Unless it's a relatively simple password, you're pretty unlikely to recover it - even with expert help. Such expert help exists, but helping you to find such expert help is outside the scope of this forum.

And even if you spend $5K on hardware, or rent a GPU cluster in the Amazon cloud, you're only going to achieve something on the order of 1000 passwords per second.

That was an insanely ingenious play on words there sir! LOL

I have two 970’s, although it doesn’t matter. Yes, it’s 14800. My main goal of using the forum was to see if anyone could bring experience and reason to this challenge or help me see if this is even possible as well as an inclusive plea for comment from power users of hashcat who might comment on feasibility, or offer recommendations that if, say, I spent enough on hardware that a potentially 1-15 or 1-18 brute force with no masks could be even possible in a human life-time... most gaps to bridge in my question are to understand scope and ability to distinguish the possible from the impossible. For my personal health, I seek wisdom to guide me to either start therapy or start a charity for new hardware. I am that naive at this point, although feeling like I am starting to see reality, beginning with your reply. Thanks for caring and offering some input here.

You might first try a dictionary like rockyou.txt, which has a number of common passwords, in case it was something simple.

After that, there are some decent howtos out there for growing your hashcat clue - like, for example - that demonstrate some of the attacks that are more advanced than a simple wordlist, but more efficient than brute force.

But most such howtos and techniques assume that you're working with a faster hash than this. This is literally one of the slowest commonly available hashes out there.

If you're passionate about it, you can start to study some of these howtos.

Thanks a lot royce. I appreciate the patience with a complete noob and your time spent to nonetheless offer me some useful tips to help me budge forward. I will spend some time with what you mentioned here. Best to you sir.

Hey, can you explain a bit more about what you meant by "input problems" with the device? Is it possible that the password might be something like one of your suspected passwords, but with letters missing or anything like that?

So my main issue with the iPad was basically a really sluggish touch screen performance with lots of lag and inaccuracies while typing. Your observation is a wise one; but, the backup creation process on the PC didn’t have any iPad user input during the backup setup and config. Since, on my computer where I was configuring and completing the backup process through iTunes I did not select to use encryption and a password, the fact there is one, tells me it was somehow assigned, free of my input, from the demonstrably defective iPad’s device kernel. (Therefore making me somewhat lose confidence in the practicality of using dictionary-based attacks).

Basically how it works is you plug your Apple device into a computer, open the iTunes application on the computer, tell it you want to back up your connected device, and (internally) the DEVICE somehow dictates to iTunes rules regarding the backup... as the backup is being recorded and saved in iTunes and on the adjoined PC/MAC. The take home on that is, essentially, if someone were to level charges under circumstances the same as mine, at iTunes, it would be incorrect as iTunes is a sort of “dummy” just writing down what it’s told to write (the backup data). But it’s not the user accessible side of an Apple device that dictates rules of the backup (like typing in a password or even an “encrypt my backup please” checkbox).. Only the user input saying “Hey I want to encrypt and set a password on this here backup I now want made” on the PC/MAC, in iTunes, is possible. This information is then forwarded to the Apple device kernel to embed it in the rules of the backup it is therefore commanded to send back to iTunes for storage on the computer HD. I hope I wrote that out ok... but from all I can tell is that if the hardware of an iPad is malfunctioning, and this same kernel is master and commander of writing the backup properties immediately preceding the creation of a backup, it is also likely to be malfunctioning and could assign through a glitch literally anything it wants. Since there is no rhyme or reason for having an encryption password I didn’t order, I now feel my only hope is waiting until I am an old man and can run a sufficiently long mask free brute force to solve this mystery.

(05-30-2018, 05:00 AM)royce Wrote:
Hey, can you explain a bit more about what you meant by "input problems" with the device? Is it possible that the password might be something like one of your suspected passwords, but with letters missing or anything like that?

[SOLVED] You absolutely killed it with your advice! Thank you so much..


Only to contribute to information here for others should there be a soul interested, I leave a long explanation of how your help and my tireless studies into this topic led to the retrieval of the password and how this problem came to be. My thanks to you and your valuable advice taking stabs at this issue that actually has plagued quite a few people! You sent me off in useful directions that allowed me to get my priceless information back.

I ran rock you without permutations (didn't know how at the time).. no dice. Further inspired by your advice, I learned how to do this to make the dictionary more useful, as well as combing keychain data compiled from various Apple devices I own (root stored password collections from everything [POP3/Websites]).. including some old phones and iPads I haven't used in a long time, and compiled a custom prior password dictionary. Ran the dictionary with permutations and variants and hashcat nailed it clean in about 9 minutes. After some investigation here is what had happened. On my Windows computer, I had fallen into the advertising of a program touted to be superior to iTunes for device and backup management and freedom, and used it to make a backup and mess with files on my device. I apparently entered in a random variation of a past password because it forced me to set one at that time. Four months go by and I finish the semester and used my Mac (iTunes) to create (on my Mac) what I believed was a clean and initial backup. I have subsequently learned that if you EVER made an encrypted backup at any point in the lifetime of the Apple device, the password and encryption will be automatically applied to any and all future backups created in either iTunes or any other backup software used on any platform. So essentially (until recent iOS updates) you were literally screwed if you forgot the password or it wasn’t something you have used before, and all past and future backups will be locked in this way as the password follows the kernel. Their solution as it stands is the advice I was given to “seek 3rd party services”, or reset the device settings which removes the forced encryption, but does not fix nor allow you to access prior backups as a result of doing this, only allows you to make new backups without encryption if desired; from that point forward.
Where I received a replacement, the kernel did not have a stored password, and thus I was confused when iTunes didn’t have any problem creating unencrypted backups of it, nor prompt me to set a password. So I was correct in that the backup made a few weeks ago before wiping the device was not chosen by me to be encrypted at that time, and thus I believed the defective device left me a glitch of a parting gift. But it was sins of the past that persisted (the earlier backup).
Self-interest is the sauce of self-motivated learning.

Glad there was a happy ending to this one - congratulations!
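
The feasibility question running through this thread, worked as an added example that is not part of any post above: it compares exhausting lengths 1-18 over printable ASCII with a small wordlist expanded by rules, at the two guess rates quoted in the thread. The 95-character alphabet (hashcat's `?a`) and the wordlist and rule counts are assumptions chosen for illustration.

```python
"""Feasibility estimate for exhausting a password keyspace at a fixed guess rate."""

SECONDS_PER_YEAR = 365 * 24 * 3600

# Guess rates quoted in the thread (candidates per second).
RATE_REPORTED = 131_500   # figure the original poster reported seeing
RATE_SLOW_HASH = 1_000    # order of magnitude given in the reply for -m 14800

# Assumption: upper + lower + digits + symbols + space, i.e. hashcat's ?a set.
PRINTABLE_ASCII = 95


def keyspace(charset_size, min_len, max_len):
    """Number of candidates of length min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates, rate):
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return candidates / rate / SECONDS_PER_YEAR


def max_exhaustible_length(charset_size, rate, budget_seconds):
    """Longest L such that every length 1..L fits inside the time budget."""
    budget = rate * budget_seconds
    total, length = 0, 0
    while total + charset_size ** (length + 1) <= budget:
        length += 1
        total += charset_size ** length
    return length


def wordlist_seconds(words, rules, rate):
    """Worst-case seconds when each word is expanded into `rules` variants."""
    return words * rules / rate


if __name__ == "__main__":
    full = keyspace(PRINTABLE_ASCII, 1, 18)
    print(f"lengths 1-18 over 95 symbols: {full:.2e} candidates")
    for rate in (RATE_REPORTED, RATE_SLOW_HASH):
        one_year = max_exhaustible_length(PRINTABLE_ASCII, rate, SECONDS_PER_YEAR)
        print(f"  at {rate:>7}/s: {years_to_exhaust(full, rate):.2e} years; "
              f"one year covers lengths 1..{one_year}")
    # Constructed sizes: 5,000 previously used passwords x 100 mangling rules.
    secs = wordlist_seconds(5_000, 100, RATE_SLOW_HASH)
    print(f"wordlist + rules at {RATE_SLOW_HASH}/s: {secs:.0f} s")
```
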