nOOb help
#1
I'm a complete novice, just learning about this world of hashes in the last few weeks, but I managed to extract (what I believe to be) the following hash info from a target device (mac os x 10.11 El Capitan) and I'm trying to crack it on a PC Windows 7 using Hashcat GUI v1.00rc3, but I'm not sure what it all means or exactly how to use the GUI:

undeath edit: hash removed


I've been reading through the wiki stuff and a bunch of other sites about how to extract, copy, convert, decrypt stuff, but a lot of it is going over my head because (mostly I'm not a hacker) I can't seem to find a step by step walkthrough of how to extract a hash from Mac OS X 10.11 El Capitan that seemed to work (unless the above info is what I was looking for). Most of the info out there points to older versions of MAC OS whose commands don't seem to work with El Capitan.

However, if the above info is what I'm looking for, then I don't know exactly what to do with it. From what I've read the above info is the binary (base64?) format for each element (entropy, salt, integer, verifier?[I have no idea what these mean]), and they all need to be converted to hex (which I tried on this site: https://cryptii.com/pipes/base64-to-hex), then all of the converted hex values copied and smashed together into a .txt file with no other characters, spaces, or line breaks and saved. Then this file is used as the hash file that Hashcat works with? All of which I tried, but it didn't seem to work as when I clicked the "I'm a HashKiller" button in the bottom right corner of the GUI a new command prompt window popped open and stayed blank followed by a new window with Hashcat GUI popped open (so now there are 2 Hashcat GUI windows open on my screen...weird).

So in summary, if anybody has the time or wherewithal to walk me through things, or if you don't and can link me to a useful step by step tutorial that takes me from Extraction (specifically how to find AND copy the necessary .plist file or data to a flash/thumb drive from the target device while in Single User Mode or Recovery Mode), to Conversion (which type of hash I'm dealing with because I saw 5 or 6 different SHA512 hash-types) and exactly how to make a proper .txt file that Hashcat can digest.

Also if anybody has any better wordlists (I also saw "charset" uploads under the "brute-force" tabs in Hashcat GUI
and it wouldn't let me upload any wordlist including realuniq.lst. So I assume this is a different set of files

If doing any or all of this via the command line interface on window command prompt is easier/simpler I'd probably prefer to do it that way.

Sorry in advance about the long nOOb post, just wanted to try to provide as much info as possible to waste as little of anybody's time possible with back and forth.

Thx for your thoughts/suggestions.

-m
Reply
#2
First of all, you are not allowed to post hashes here. It's against the forum rules: https://hashcat.net/forum/announcement-2.html
It's even worse that you didn't mask them and not even mentioned what the password is.

The example hashes can be found here: https://hashcat.net/wiki/doku.php?id=example_hashes or with the command hashcat -m 7100 --example-hashes

something like this should work:
Code:
$ml$32894$f75ad5635a1bad19b0ae22efd80f1765a5d132254aeeadfb0b01f6367ba4fa07$4bdfe8db60c785ff662f28f9f07a53db5bb58939e930a345d51329d0bcaae97d0dc72a141f5f9f96ca1d08aac6a7923d50b84668db789ffbb3952dad8f696144

i.e. $ml$ is the signature, after that you need to specify the number of iterations ("rounds") used and this is followed by the full salt in hexadecimal and the 64 bytes (truncated) of the digest/hash.
The format is quite easy, I'm not sure if a converter exists for this hash format (I guess it does somewhere on github etc because you can find kind of everything there, but I didn't investigate for this type of conversion, because it's quite straight forward)

Don't forget, never post hashes except if admins/moderators ask for it. Follow the forum rules. and always mention the password, because otherwise nobody can troubleshoot without wasting time trying to crack the hashes just to see if the format is correct. Thx
Reply
#3
Thx for the reply Phil, and apologies for the bad etiquette. I've never posted on a forum like this before. I'll give your suggestion a try and I'll brush up on the rules before my next post. Thx again.
Reply
#4
The hash you want to crack is stored in the [USER].plist file. You can find it in this path: /var/db/dslocal/nodes/Default/users/

Run this script to extract the hash from that file in the correct format.

Once you have it, you can play with hashcat.
Learn to work with the command line, instead of the GUI.
Reply
#5
Thx Karamba, appreciate the help.

do I just copy and paste the entire script into command prompt and run it?
Reply
#6
No.
You need to execute the script which is written in python. (you can simply download it from the link that I posted)
You can run the script in Windows, Win Subsystem for Linux or any other Linux distribution.

Do some Google. It won't be that hard. Wink
Reply
#7
Sorry Karamba, I'm not experienced enough to feel comfortable running that script. I really don't know enough about any of this to do it. I've never used Linux before, I'm basically a windows 7 user with a need to discreetly crack a password on a MacAir running OS X 10.11 and I don't want to do something that screws up my Windows machine or the target Mac machine, especially since I don't know code (unless you can point me in the direction of a tutorial that would help me figure out what I'm doing). Thx for your suggestion though.

That said, I feel like I've been getting closer to cracking it, but I'm still running into some frustrations, so I'll post a few of the angles I've tried with the results and see if anybody has pointers.

1: Several weeks ago, I had what seemed initially like a break through and was able to extract what looked like the hash that was removed from my first post in this thread, by using this command that I found on a website (althought I've since tried this same command on the same target machine and gotten this error msg: "the domain/default pair of (/Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/user/mxxxxxxh.plist, ShadowHashData) does not exist"

The command was:
-bash-3.2# defaults read /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/users/matthish.plist ShadowHashData|tr -dc 0-9a-f|/Volumes/Macintosh\ HD/usr/bin/xxd -r -p|/Volumes/Macintosh\ HD/usr/bin/plutil -convert xml1 - -o -

It originally produced the ShadowHashData which had two sections, the first of which included:
key SALTED-SHA512-PBKDF2
entropy <data>
iterations <data>
and salt <data>

the second section included:
key SRP-RFC5054-4096-SHA512-PBKDF2
iterations <data>
salt <data>
verifier <data>

I'm assuming I'm supposed to use the first section with entropy, iterations, and salt as the hashes to collate and run through hashcat, NOT the second part with iterations, salt, and verifier, correct?

(At this point can someone explain to me how to post/mask a hash for people to view to help me without getting into trouble? Do I just need to manually change a few characters so they aren't visible?)

Question, what format are the data portions of this section in? And how can I tell what format they are in? Binary? Base64? Already in Hex. Then how do I get it into Hex (if not already) if I have to work on a Windows 7 machine?

Something else I tried was I ran the collated hash Philsmd recommended above "$ml$32894$f75ad5635a1bad19b0ae22efd80f1765a5d132254aeeadfb0b01f6367ba4fa07$4bdfe8db60c785ff662f28f9f07a53db5bb58939e930a345d51329d0bcaae97d0dc72a141f5f9f96ca1d08aac6a7923d50b84668db789ffbb3952dad8f696144" through hashcat on a dictionary attack with rockyou.txt wordlist and it returned two Hex results

$Hex[2321676f7468] -> $Hex[042a0337c2a156616d6f732103]
that when I ran through an online Hex converter gave me the password: "#!goth*" and "7¬°Vamos!"
which didn't work and I wouldn't even know how to type in those weird characters    anyway. Thoughts on this? Also how do I make sure hashcat spits out text results and not Hex results? or does it matter?

The last thing I tried was just to copy the .plist onto a thumb drive and it worked, I now have it on a thumb drive and I opened it in on my Windows 7 machine in Note++ to reveal the ShadowHashData data section, but now I don't know what format that ShadowHashData is in or how to convert it into something I can work with on my Windows 7 machine with hashcat.

I apologize ahead of time if I accidentally violated any forum etiquette, I read the rules Philsmd linked me to, so I think I did everything correctly. Thanks also for any feedback.
Reply
#8
all values from the output of your command you run on macOS are base64 encoded and they need to be base64-decoded and hex-encoded

on linux (and most likely also on macOS) you can do something like this:

Code:
echo [base64text] | base64 --decode | xxd -p | tr -d '\n'


where the [base64text] is the input you want to base64-decode (with base64 --decode) and hex-encode (with xxd). All new lines need to be removed of course (with tr -d '\n' for instance).

(btw: you could in theory use online converters instead of running the command line command from above, but because the intermediate steps are binary you really need a base64 to hexadecimal converter. I prefer using the command line. This also has the advantage that you are doing everything locally (on your command line) and won't need to send your maybe sensitive data to any online service)

if you have really cracked the hash you would see something like this:

Code:
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

on your status display (when you hit 's' while hashcat is running or within the output after hashcat has quit)

My assumption is that you are confusing this line with:

Code:
Candidates.#1....: $Hex[2321676f7468] -> $Hex[042a0337c2a156616d6f732103]

this line, instead, does only display *some* candidates that hashcat is *trying*, but this doesn't mean that they were successfull in cracking the hash. You can consider these passwords as just some "random" password that hashcat is currenty testing.

If you instead really cracked a hash you will see Recovered 1/1 (100%) and see the crack (hash:password pair) directly in your hashcat output (at the beginning of the line and *not* within the status display), e.g. something like this:

Code:
$ml$32894$f75ad5635a1bad19b0ae22efd80f1765a....:[password]

where the $ml$... string will of course be the correct hash and instead of [password] there will be the successfully cracked plain text password.

If this didn't happen, you didn't crack the hash!

you can also test (or let's call it double check) if the hash was already cracked by running --show (of course you must also double check if the crack that will be outputed is really the *same* hash and not some other test hash etc).

Code:
hashcat -m 7100 --show hash.txt

btw: hashcat will actually also refrain from cracking hashes again if they were already cracked and therefore are present in your .potfile (the default .potfile is called hashcat.potfile, the session name can be changed with --session). This means that you could, alternatively, also look into the hashcat.potfile to see if the hash was already cracked (it's a normal text file and you could open it with any text editor, notepad++ etc).


Finally, I would highly recommend that you test your whole cracking process with an account/plist/hash for which you know the password. If you know the password you can test if all of your steps are correct by testing them on the hash for which you know the password.
Again, the only particular steps with this hash mode is that you need to use hexadecimal characters for the salt and entropy/digests and that the entropy shouldn't be longer than 128 hexadecimal characters and therefore you should/need to truncate it to 64 bytes (64 * 2 = 128 and therefore only use the first 128 hexadecimal characters from the start of "entropy")
Reply
#9
Thx Philsmd, you're right, after about a 2.5hr session (guess i have an slow GPU), hashcat "exhausted" and returned "candidates" not a "recoverd" password, I understand now.

So it seems I didn't crack the hash. In which case, is there a particular attack or something different that I should try next that is better for what I'm trying to do, should I be using a brute-force or mask attack instead of a dictionary attack? Or try dictionary again with a different wordlist? Is there a better wordlist I should use? I have downloaded a massive one (14GB) called "realuniq.lst" from crackstation, but I haven't tried it yet.

If I think the password could be a combination of letters and numbers (and possibly symbols) is the dictionary attack still the best to use?

If I do a mask attack, but I don't know the length of the password, is there a way to command hashcat to keep expanding the keyspace to try longer passwords?

As a side question Philsmd, where would I want to start if I wanted to start from scratch to learn more about this coding language in general (is it Python?)? Are there any good youtube tutorials/crash courses?

Thanks again for your time Philsmd.
Reply
#10
(01-21-2019, 12:49 AM)mh1 Wrote: Thx Philsmd, you're right, after about a 2.5hr session (guess i have an slow GPU), hashcat "exhausted" and returned "candidates" not a "recoverd" password, I understand now.

So it seems I didn't crack the hash. In which case, is there a particular attack or something different that I should try next that is better for what I'm trying to do, should I be using a brute-force or mask attack instead of a dictionary attack? Or try dictionary again with a different wordlist? Is there a better wordlist I should use? I have downloaded a massive one (14GB) called "realuniq.lst" from crackstation, but I haven't tried it yet.

If I think the password could be a combination of letters and numbers (and possibly symbols) is the dictionary attack still the best to use?

If I do a mask attack, but I don't know the length of the password, is there a way to command hashcat to keep expanding the keyspace to try longer passwords?

As a side question Philsmd, where would I want to start if I wanted to start from scratch to learn more about this coding language in general (is it Python?)? Are there any good youtube tutorials/crash courses?

Thanks again for your time Philsmd.

Wordlists consist of commonly/most used passwords and their main point is to crack as many hashes as possible from big database dump for instance, because believe it or not people do use common passwords.

To explain this further, imagine that you have a wordlist with the password 'scorpion' on it, and now your victim uses 4 digit year number of their birth behind of it (scorpion1996), obviously you wouldnt crack it, since it isnt on your word list. It wouldnt even make sense to put all these combinations for 1 password on the wordlist.

In your case it would make sense to use masked or rule-based attack.
With masked attack you can set the increment with -i flag or use set of masks instead(.hcmask file).

Before you start learning a whole new coding language, I would suggest you learn how to use hashcat and its features first.


Everything you need is located here https://hashcat.net/wiki/doku.php?id=hashcat or somewhere within these forums. Hope you have a nice day.
Reply