Modifications to hash type 18100 to support binary seeds
#1
Hi All,

The pyotp library generates a 16-character base32 seed by randomly selecting 16 characters from the base32 alphabet (a-z2-7, more info here https://github.com/pyauth/pyotp/blob/mas..._init__.py). As a result of this, the base32 string will not always decode nicely into an ASCII string, so the existing 18100 module won't work.

I was looking to tweak it to attempt to crack the base32 seed directly. I figured to do this I would give hashcat a custom charset of a-z2-7 and a 16 character mask. I am just trying to work out what changes are required in "module_18100c" to ensure this will work. Can someone point me in the right direction to documentation on developing custom modules? I have been struggling to find much.

Thanks,
Ryan
#2
Hmm, on further investigation this may not be possible, since running
"hashcat -m18100 -a3 -o totp.potfile totp.hashes -1 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1 --force"

results in
"Integer overflow detected in keyspace of mask: ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1"

Is there some other way to attack the non-ASCII/base32_decoded seed?
#3
Yeah, that's too large a keyspace.

It's 32 ^ 16 = 1,208,925,819,614,629,174,706,176
#4
"I figured to do this I would give hashcat a custom charset of a-z2-7 and a 16 character mask."

Like philsmd said, that would be 1,208,925,819,614,629,174,706,176 possibilities. Even if you were able to crack it at a non-existing speed of 100GH/s it would still take 38335 years to search the whole space. It's too big to crack this way.
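The numbers discussed in this thread, as an added Python example that is not from any of the posters, pyotp or hashcat: it decodes a 16-character base32 seed into the 10 raw key bytes TOTP actually uses, shows that those bytes need not be printable ASCII, and checks the 32^16 mask keyspace against a 64-bit counter. Assumptions: the seed value is constructed for illustration, the TOTP parameters (HMAC-SHA1, 30-second step, 6 digits) are the common defaults, and the 64-bit limit is an assumed explanation for the overflow message.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed (not a real secret): 16 base32 characters = 80 bits.
SAMPLE_SEED = "AAAAAAAA77777777"

def decode_seed(seed_b32):
    """Base32-decode a 16-character seed into its 10 raw key bytes."""
    return base64.b32decode(seed_b32.upper())

def is_printable_ascii(key):
    """True only if every key byte is a printable ASCII character."""
    return all(0x20 <= b <= 0x7E for b in key)

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def mask_keyspace(charset_size, length):
    """Number of candidates for a mask of `length` positions."""
    return charset_size ** length

def fits_in_u64(n):
    """Assumption: the keyspace counter is an unsigned 64-bit integer."""
    return n < 2 ** 64

if __name__ == "__main__":
    key = decode_seed(SAMPLE_SEED)
    print("raw key bytes  :", key.hex(), f"({len(key)} bytes)")
    print("printable ASCII:", is_printable_ascii(key))
    print("TOTP at t=59   :", totp(key, 59))
    base32_space = mask_keyspace(32, 16)   # ?1 x 16 over the base32 alphabet
    binary_space = mask_keyspace(256, 10)  # the same key as 10 raw bytes
    print("32^16          :", f"{base32_space:,}")
    print("same as 256^10 :", base32_space == binary_space)
    print("fits in 64 bits:", fits_in_u64(base32_space))
```

Guessing the seed as base32 text or as 10 raw bytes covers the same 2^80 candidates, so changing the encoding does not shrink the search.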