Hash Mode 7100 Hashes
#1
My son died recently and I have been trying to get some information off his password-protected MacBook running OS X 13. I also want to be able to access data in the keychain and so I need to know his password.

I have extracted the {username}.plist file and can view it in xml1 format but my problem is the next step.  I have followed several online guides to extracting the hash data from that file but none of them will work with Hashcat in Hash Mode 7100.  The hash is not loaded and I get a 'Token Length Exceeded' error message.

Could anyone point me to a guide to creating a hash from the .plist data that will be accepted by Hashcat? Any help will be much appreciated.
#2
sorry to hear about your loss.

I think something like this explains the format pretty well: https://apple.stackexchange.com/question...863#220863

if you have the .xml format, it's easy to see the different "items" that you need to extract to build the hash:
$ml$<iterations>$<salt>$<entropy>

sometimes hashes (the entropy) are longer than the example hash from https://hashcat.net/wiki/example_hashes , if hashcat doesn't accept it, you could just "truncate" it to the same entropy length that the example hash uses (this is basically the pbkdf2 hash output length and doesn't really matter if it's longer, hashcat will only check the first 16 bytes = 128 bits of the digest anyways)
I would highly suggest to try the same thing with a different account or notebook for which you know the password, just to make sure that you are doing everything correctly (before wasting the time on uncrackable data etc, if you do something wrong).

I also suggest using dictionary attack (-a 0) with rules (-r) for a start. Yeah, brute-force (or mask attack, -a 3) is not always the most clever idea for starting with a new target hash (even if it is often faster, but speed isn't everything... often more clever and more target-specific password candidates get your passwords/data back sooner, just saying).

btw: looking at that example from stackexchange, if your xml file says something like this:
Code:
<key>entropy</key>
<data>
xfGYY5kVoQHJmvMm3/4T6PFEVr6P0jEqOad3uSF4gE4gTKT+4SqGZ4cUQO/0
KI6BHYbXRsbZamDJGcNBjf67pC8yn11zwDctY21h1d/aGt1hrzbHDkrNdxJ2
EHIJ5kOukqD0PpWkUnROUPtFQNm99OC3AXJdfbSI++GMGrdzfGs=
</data>

... it's clear that the data *after* the "entropy" xml element is the data we need for the <entropy> in the hash. The only problem is that it's base64 encoded and you need to base64 decode it and hex encode it.
In Linux you would do something like this:
Code:
echo xfGYY5kVoQHJmvMm3/4T6PFEVr6P0jEqOad3uSF4gE4gTKT+4SqGZ4cUQO/0KI6BHYbXRsbZamDJGcNBjf67pC8yn11zwDctY21h1d/aGt1hrzbHDkrNdxJ2EHIJ5kOukqD0PpWkUnROUPtFQNm99OC3AXJdfbSI++GMGrdzfGs= | base64 -d | xxd -p | tr -d '\n'; echo

the output therefore is:
Code:
c5f198639915a101c99af326dffe13e8f14456be8fd2312a39a777b92178804e204ca4fee12a8667871440eff4288e811d86d746c6d96a60c919c3418dfebba42f329f5d73c0372d636d61d5dfda1add61af36c70e4acd771276107209e643ae92a0f43e95a452744e50fb4540d9bdf4e0b701725d7db488fbe18c1ab7737c6b

(this of course matches with the <entropy> part of the stackexchange $ml$... hash)

I think on macOS you can also use "base64" for base64 decoding, xxd for hex conversion and tr for removing the new lines (brew is your friend on macOS!), but I also suggest not cracking with hashcat on a notebook (throttling and cooling issues)
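The conversion and the known-password check suggested in the post above, as an added Python example (not part of the original post and not hashcat's own code). Assumptions: the decoded shadow hash data is a dict named `SALTED-SHA512-PBKDF2` holding `entropy`, `iterations` and `salt`; the entropy is truncated to 64 bytes (128 hex characters), which should be compared against the wiki example hash; the sample record is constructed for a test account and is not real data.

```python
import hashlib
import hmac
import plistlib

# Assumption: 64 bytes = 128 hex chars, taken to be the entropy length of the wiki example hash.
ENTROPY_BYTES = 64


def make_sample_plist(password: str) -> bytes:
    """Constructed stand-in for the decoded shadow hash plist of a test account."""
    salt = bytes(range(32))   # constructed salt
    iterations = 1000         # constructed; kept small so the example runs quickly
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=128)
    record = {"SALTED-SHA512-PBKDF2":
              {"entropy": entropy, "iterations": iterations, "salt": salt}}
    return plistlib.dumps(record, fmt=plistlib.FMT_XML)


def build_ml_hash(plist_xml: bytes) -> str:
    """Build $ml$<iterations>$<salt>$<entropy> with salt and entropy hex encoded."""
    # plistlib base64-decodes <data> elements, so rec["salt"] and rec["entropy"] are raw bytes.
    rec = plistlib.loads(plist_xml)["SALTED-SHA512-PBKDF2"]
    # Truncate the decoded bytes, never the base64 text or an odd number of hex digits.
    entropy = rec["entropy"][:ENTROPY_BYTES]
    return "$ml${}${}${}".format(rec["iterations"], rec["salt"].hex(), entropy.hex())


def check_ml_hash(ml_hash: str, password: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA512 for a known password to validate the conversion."""
    _, tag, iterations, salt_hex, entropy_hex = ml_hash.split("$")
    if tag != "ml":
        raise ValueError("not a $ml$ hash")
    salt, entropy = bytes.fromhex(salt_hex), bytes.fromhex(entropy_hex)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                  int(iterations), dklen=len(entropy))
    return hmac.compare_digest(derived, entropy)


if __name__ == "__main__":
    ml = build_ml_hash(make_sample_plist("admin"))
    print(ml)
    print("known password verifies:", check_ml_hash(ml, "admin"))
```

If the check fails for an account whose password is known, the fault is in the extraction or truncation step rather than in the wordlist or the hashcat run.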
#3
Brilliant. Thanks so much for your prompt reply Phil. I will work through this tomorrow and let you know how it goes. Mike.
#4
Hi Phil. A quick update. I created the hash as described on an account with the password 'admin'. It was a lot longer than the sample hash so I truncated it to the same length. Hashcat accepted it in mode 7100 (the good news) so I made up a short dictionary file which included 'admin' and ran the hash in dictionary mode against that file. Hashcat did not report a successful result (the bad news) and instead said that it had exhausted all possibilities. So I guess that there was a problem with the hash.

I was able to create another administrator account on the target machine and so got to the file that I needed in that way but I would like to continue with my cracking adventures as an academic exercise. I will create another account next weekend and repeat the process and see if I can get a successful result. If so, I may buy some time on someone else's machine to run the crack attempt on the main password.

I will keep you posted. Mike.
#5
yeah, it's very likely that you messed something up in converting (base64 to hex) or truncating the entropy part.

I would suggest that you also try with the example hash from https://hashcat.net/wiki/example_hashes (password is hashcat)
#6
Thanks again Phil. I will keep you posted.
#7
OK. Maybe getting somewhere. When I first run hashcat I get the "OpenCL kernel self-test failed" error. This can be overridden with the --self-test-disable switch - but then it doesn't find the password! Apple iMac. Doing some more research to find out how to fix.
#8
yeah, never ignore self-test errors. They are warning you that there is something wrong.

You could also test beta from https://hashcat.net/beta/ or release versions (even try with older ones) from https://hashcat.net/hashcat/

Some OpenCL runtimes (and especially also on macOS) are known to be buggy, that's why the self-test feature was added to prevent users from wasting resources (time and energy etc).

I would also suggest not cracking on laptops and/or iMacs etc (because of throttling and cooling issues, risking damage to your hardware etc), but some guys seem to disagree here and crack with notebooks too :(