OSX 10.11 Hash HELP!
#1
Question 
I have been trying to crack the hash of my OSX 10.11 mac using the established .plist extraction method, but even using all the correct options (as far as I know,) I get Token length exception no matter what I do! Specifically, I get this:
Code:
PS C:\Cracking\HashCat\hashcat-4.2.1> .\hashcat64.exe -m 7100 -a 0 C:\Cracking\Hashes\MyHash.txt C:\Cracking\Wordlists\rockyou.txt
hashcat (v4.2.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 980, 2048/8192 MB allocatable, 16MCU

Hashfile 'C:\Cracking\Hashes\MyHash.txt' on line 1 ($ml$38...efc9a7d183523cac2bdb2e84ed75a6e6): Token length exception
No hashes loaded.

Started: Thu Sep 06 20:17:34 2018
Stopped: Thu Sep 06 20:17:34 2018
PS C:\Cracking\HashCat\hashcat-4.2.1>


I have extracted the salt, hash, and iterations from my mac's plist, and orginized them in the format
Code:
$ml$iterations$salt$entropy
and I have confirmed that my hash is extracted correctly, at least in that the iteration is a 5-digit number, the salt is a 64 character string in hex, and the entropy is a 256 character string also in hex. I have been using -m 7100, and it seems as if others cracking the same password type have had success with this, but I always recive Token length exception. The example hash for the 7100 option is a 128 character hex, but as I said, I have seen others using the 256 char hash. Do I have the wrong hash type? Or have I somehow extracted it wrong?

My hash (with a couple bits changed, but the same length) is this:

$ml$38167$4fb7de70c60407a7542932b1fe8f8bd366bad000066e9607687ef1503fe094a5$0feb2bb941c7e8b71d58e1e882270058892b92e97f80c89e1ab4e0b9405078b925ea08957f3c9741cd1723a11a049c3a3f99f8173fdeb3c8dfd5bd6717537372d66e4098c60b6f653489d8233c7c8b2239acc71a8f347b26d5262bb7bf3755baed57e564d67f976a11589002ff2a591befc9a7d183523cac2bdb2e84ed75a6e6
Reply
#2
Look at https://hashcat.net/wiki/doku.php?id=example_hashes

You'll see that your entropy is too long. You only need 64 bytes there (and not 128)
Cut it off, and it will work.
Reply
#3
(09-07-2018, 02:58 PM)Karamba Wrote: You only need 64 bytes there (and not 128)

Do you mean 128 and not 256, or am I missing something?

Thanks so much!
Also, do you have any why there is unneeded data at the end of the entropy that can just be cut off?
Reply
#4
A byte is represented by two hexadecimal digits. So, when looking at your given entropy, the first byte is 0F.
As I mentioned higher, you need to take 64 bytes (= 128 hexadecimal digits) and not the full 128 bytes (= 256 hexadecimal digits).


As a bonus, take some time to look at the plist with a hexviewer. You'll see that entropy and salt begin with a sort of 'header' (0x4F10) followed by their length (in hex, not in dec).
After the salt, you'll see the 'header' 0x11 followed by two bytes. Those two are the iterations (Big Endian).


As another bonus, use this script to avoid headache in the future.
Reply
#5
Awesome! thank you so much!
Reply