nOOb help
#1
I'm a complete novice, just learning about this world of hashes in the last few weeks, but I managed to extract (what I believe to be) the following hash info from a target device (Mac OS X 10.11 El Capitan) and I'm trying to crack it on a PC Windows 7 using Hashcat GUI v1.00rc3, but I'm not sure what it all means or exactly how to use the GUI:

undeath edit: hash removed


I've been reading through the wiki stuff and a bunch of other sites about how to extract, copy, convert, decrypt stuff, but a lot of it is going over my head because (mostly I'm not a hacker) I can't seem to find a step by step walkthrough of how to extract a hash from Mac OS X 10.11 El Capitan that seemed to work (unless the above info is what I was looking for). Most of the info out there points to older versions of Mac OS whose commands don't seem to work with El Capitan.

However, if the above info is what I'm looking for, then I don't know exactly what to do with it. From what I've read the above info is the binary (base64?) format for each element (entropy, salt, integer, verifier?[I have no idea what these mean]), and they all need to be converted to hex (which I tried on this site: https://cryptii.com/pipes/base64-to-hex), then all of the converted hex values copied and smashed together into a .txt file with no other characters, spaces, or line breaks and saved. Then this file is used as the hash file that Hashcat works with? All of which I tried, but it didn't seem to work as when I clicked the "I'm a HashKiller" button in the bottom right corner of the GUI a new command prompt window popped open and stayed blank followed by a new window with Hashcat GUI popped open (so now there are 2 Hashcat GUI windows open on my screen...weird).

So in summary, if anybody has the time or wherewithal to walk me through things, or if you don't and can link me to a useful step by step tutorial that takes me from Extraction (specifically how to find AND copy the necessary .plist file or data to a flash/thumb drive from the target device while in Single User Mode or Recovery Mode), to Conversion (which type of hash I'm dealing with because I saw 5 or 6 different SHA512 hash-types) and exactly how to make a proper .txt file that Hashcat can digest.

Also if anybody has any better wordlists (I also saw "charset" uploads under the "brute-force" tabs in Hashcat GUI and it wouldn't let me upload any wordlist including realuniq.lst. So I assume this is a different set of files

If doing any or all of this via the command line interface on Windows command prompt is easier/simpler I'd probably prefer to do it that way.

Sorry in advance about the long nOOb post, just wanted to try to provide as much info as possible to waste as little of anybody's time as possible with back and forth.

Thx for your thoughts/suggestions.

-m
Reply
#2
First of all, you are not allowed to post hashes here. It's against the forum rules: https://hashcat.net/forum/announcement-2.html
It's even worse that you didn't mask them and didn't even mention what the password is.

The example hashes can be found here: https://hashcat.net/wiki/doku.php?id=example_hashes or with the command hashcat -m 7100 --example-hashes

something like this should work:
Code:
$ml$32894$f75ad5635a1bad19b0ae22efd80f1765a5d132254aeeadfb0b01f6367ba4fa07$4bdfe8db60c785ff662f28f9f07a53db5bb58939e930a345d51329d0bcaae97d0dc72a141f5f9f96ca1d08aac6a7923d50b84668db789ffbb3952dad8f696144

i.e. $ml$ is the signature, after that you need to specify the number of iterations ("rounds") used and this is followed by the full salt in hexadecimal and the 64 bytes (truncated) of the digest/hash.
The format is quite easy, I'm not sure if a converter exists for this hash format (I guess it does somewhere on github etc because you can find kind of everything there, but I didn't investigate for this type of conversion, because it's quite straightforward)

Don't forget, never post hashes except if admins/moderators ask for it. Follow the forum rules, and always mention the password, because otherwise nobody can troubleshoot without wasting time trying to crack the hashes just to see if the format is correct. Thx
Reply
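Added example, not part of any post in this thread and not the script linked later: a Python sketch of the $ml$ layout described in #2 (signature, rounds, salt in hex, first 64 bytes of the digest in hex), with a format check and a known-password check for troubleshooting a line whose password you already know. The function names and the sample account are constructed for illustration; it assumes the stored digest is 128 bytes of PBKDF2-HMAC-SHA512 output held as base64, which is what "truncated" in #2 refers to.

```python
import base64
import hashlib
import hmac
import re

# signature, rounds, salt (hex), 64-byte digest (128 hex chars); nothing else
ML_RE = re.compile(r"\$ml\$([0-9]+)\$((?:[0-9a-fA-F]{2})+)\$([0-9a-fA-F]{128})")

def to_ml_line(entropy_b64, salt_b64, iterations):
    """Build a $ml$ line from the base64 fields (hypothetical helper)."""
    entropy = base64.b64decode(entropy_b64)
    salt = base64.b64decode(salt_b64)
    if len(entropy) < 64:
        raise ValueError("digest is shorter than 64 bytes")
    # only the first 64 bytes of the stored digest go into the line
    return "$ml$%d$%s$%s" % (int(iterations), salt.hex(), entropy[:64].hex())

def parse_ml_line(line):
    """Validate a $ml$ line and return (rounds, salt, digest)."""
    m = ML_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not a well-formed $ml$ line")
    rounds = int(m.group(1))
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    return rounds, bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))

def check_known_password(line, password):
    """True if the password you already know reproduces the digest."""
    rounds, salt, digest = parse_ml_line(line)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds, dklen=64)
    return hmac.compare_digest(derived, digest)

def make_sample(password="example-passphrase", iterations=1000):
    """Constructed test account: fixed salt, low round count, 128-byte digest."""
    salt = bytes(range(32))
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=128)
    return base64.b64encode(entropy).decode(), base64.b64encode(salt).decode(), iterations

if __name__ == "__main__":
    line = to_ml_line(*make_sample())
    print(line)
    print(check_known_password(line, "example-passphrase"))
```

If the known-password check fails on a line built from an account whose password you set yourself, the conversion is wrong (wrong field, wrong truncation, stray characters), which is the troubleshooting step #2 asks posters to make possible.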
#3
Thx for the reply Phil, and apologies for the bad etiquette. I've never posted on a forum like this before. I'll give your suggestion a try and I'll brush up on the rules before my next post. Thx again.
Reply
#4
The hash you want to crack is stored in the [USER].plist file. You can find it in this path: /var/db/dslocal/nodes/Default/users/

Run this script to extract the hash from that file in the correct format.

Once you have it, you can play with hashcat.
Learn to work with the command line, instead of the GUI.
Reply
#5
Thx Karamba, appreciate the help.

do I just copy and paste the entire script into command prompt and run it?
Reply
#6
No.
You need to execute the script which is written in python. (you can simply download it from the link that I posted)
You can run the script in Windows, Win Subsystem for Linux or any other Linux distribution.

Do some Google. It won't be that hard. ;)
Reply