Is there a way to extract a password hash from AESCrypt archive?

[Complexoctopus]

I used this to make the archive https://www.aescrypt.com/

[DanielG]

on the official forum there is a topic about bruteforce a forgotten password on https://forums.packetizer.com/viewtopic.php?f=72&t=1333 there is a slow python version using the tool itself but a user claims to have a c version not requiring the tool. So if you can get your hands on that it would help analyse the problem.

[DanielG]

okay, googling a bit more it seems the format is pretty open. The fileformat is described on https://www.aescrypt.com/aes_file_format.html and there is source on https://github.com/kenkendk/sharpaescrypt/ to encrypt/decrypt files.

In the code on https://github.com/kenkendk/sharpaescryp...pt.cs#L523 it seems it uses the password to decrypt a part and hmac a part and compare, if that is equal the password is correct. So this should be doable. However I don't think hashcat can do this right now.

[Complexoctopus]

Thanks! I sent him an email, let's see if he responds.

[philsmd]

it seems that the algorithm is quite simple and there are a lot of alternative implementations.

as a test I tried to find out if I'm able to recover/find the password of the example file from here: https://www.aescrypt.com/hello_world.txt, I've just developed a simple perl POC and I found the password within seconds (it's "hello", without quotes).

Code:

#!/usr/bin/env perl

# Author:  philsmd
# Date:    January 2020
# License: public domain (credits go to philsmd and hashcat)

# the main algo can also be seen here:
# (or alternative implementations from https://www.aescrypt.com/download/)
# https://github.com/marcobellaccini/pyAesCrypt/blob/4b09ddc3737c539ee9fac179cab460abbb2b053e/pyAesCrypt/crypto.py#L59-L68

use strict;
use warnings;

use Digest::SHA  qw (sha256);
use Digest::HMAC qw (hmac);

use Encode;

#
# Example file from https://www.aescrypt.com/hello_world.txt
#

# 41 45 53 02 00 00 18 43 52 45 41 54 45 44 5f 42
# 59 00 61 65 73 63 72 79 70 74 20 33 2e 30 35 00
# 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# 00 00 00 db 66 a1 f9 73 4f 97 b5 6c 0d 1d ca 0c
# aa 13 c9 4f 01 8c 9e 33 15 e3 04 87 1f d2 59 da
# 97 14 a4 6e 66 d5 8f f7 af 05 44 92 d8 21 d8 82
# 6b c2 7e bc 13 d6 f7 60 7a 3b 3b 0b de 60 a3 a4
# 39 66 34 21 65 70 97 3b a6 49 60 fd 70 e0 5d fa
# 71 b6 61 78 49 de 7d 38 69 b4 6d 1d 9c 84 a2 57
# 77 80 61 66 43 87 15 98 af 07 a6 ab ea a6 ff 82
# 89 2f 6f 0e 24 0c 7e 6f 35 f3 46 73 6a 9e 5a ca
# 35 f7 97 93 cf 5a 79 74 77 5a 3d 50 0a dd 29 4e
# 17 f4 f6 8c

# File format is explained here: https://www.aescrypt.com/aes_file_format.html

# 41 45 53 signature
# 02       version
# 00       reserved
# 00 18    extension size
# 43 52 45 41 54 45 44 5f 42 59 00 61 65 73 63 72 79 70 74 20 33 2e 30 35 extension
# 00 80    extension size
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  extension
# 00 00    extension size
# db 66 a1 f9 73 4f 97 b5 6c 0d 1d ca 0c aa 13 c9 IV
# 4f 01 8c 9e 33 15 e3 04 87 1f d2 59 da 97 14 a4 enc IV
# 6e 66 d5 8f f7 af 05 44 92 d8 21 d8 82 6b c2 7e bc 13 d6 f7 60 7a 3b 3b 0b de 60 a3 a4 39 66 34 enc key
# 21 65 70 97 3b a6 49 60 fd 70 e0 5d fa 71 b6 61 78 49 de 7d 38 69 b4 6d 1d 9c 84 a2 57 77 80 61 HMAC
# 66 43 87 15 98 af 07 a6 ab ea a6 ff 82 89 2f 6f content
# 08 file size % 16
# 24 0c 7e 6f 35 f3 46 73 6a 9e 5a ca 35 f7 97 93 cf 5a 79 74 77 5a 3d 50 0a dd 29 4e 17 f4 f6 8c HMAC

# the password of the file that I've discovered by this script is: "hello" (without quotes)

my $iv      = pack ("H*", "db66a1f9734f97b56c0d1dca0caa13c9");
my $enc_iv  = pack ("H*", "4f018c9e3315e304871fd259da9714a4");
my $enc_key = pack ("H*", "6e66d58ff7af054492d821d8826bc27ebc13d6f7607a3b3b0bde60a3a4396634");
my $hmac    = pack ("H*", "216570973ba64960fd70e05dfa71b6617849de7d3869b46d1d9c84a257778061");

#
# Start:
#

my $iiv = $iv . "\x00" x 16;

while (my $word = <>)
{
  chomp ($word);

  my $word_utf16le = encode ('UTF-16LE', $word);

  my $key = $iiv;

  for (my $i = 0; $i < 8192; $i++)
  {
    $key = sha256 ($key . $word_utf16le);
  }

  if (hmac ($enc_iv . $enc_key, $key, \&sha256, 64) eq $hmac)
  {
    print "password found: $word\n";

    exit (0);
  }
}

exit (1);

as already explained in the code, the main algo is explained also in pyAesCrypt (https://github.com/marcobellaccini/pyAes...py#L59-L68)

It is "just" 8192 iterations of "salted" sha256 of the utf16 encoded password and a final hmac of that hash as a key and the encrypted IV and encrypted Key as the HMAC "message". pretty straight forward algo and wouldn't be impossible to support this in hashcat, I guess

You can always try to request it on https://github.com/hashcat/hashcat/issues/

---

just forgot: if you want to run this POC you could just use a command like this

Code:

perl aescrypt_hello_world.pl rockyou.txt

of course if you want to use different data (IV, enc_iv, enc_key, HMAC etc), you need to change the script accordingly... you can easily see which bytes I took from the hello_world.txt file and how the file format works (https://www.aescrypt.com/aes_file_format.html)

[philsmd]

update: we've now implemented this new algorithm: see https://github.com/hashcat/hashcat/issues/2267 and https://github.com/hashcat/hashcat/pull/2285

The hash format is also explained in the github pull request. The "hash" can be extracted with the aescrypt2hashcat.pl tool (currently supports version 2 of the aescrypt file format): https://raw.githubusercontent.com/hashca...hashcat.pl (this of course needs to be downloaded and run with perl, perl must be installed: perl aescrypt2hashcat.pl encrypted_file.txt.aes)

Could you please test @Complexoctopus with the latest beta version from https://hashcat.net/beta/ (only the beta version supports this new -m 22400 format at the time of this writing, of course) ? Thanks

[zub]

Hi

I am also intressted in this duplicati seems to use same algo.

[philsmd]

just run it and see if it works for you (betas of hashcat are over https://hashcat.net/beta/).

The extraction script can be found here: https://raw.githubusercontent.com/hashca...hashcat.pl ( you need to run it with perl - install perl first - and give it the encrypted file as parameter)

[zub]

just run it and see if it works for you (betas of hashcat are over https://hashcat.net/beta/).

The extraction script can be found here: https://raw.githubusercontent.com/hashca...hashcat.pl ( you need to run it with perl - install perl first - and give it the encrypted file as parameter)

got the hash  now from
perl ../aescrypt2hashcat.pl ../duplicati-20200401T124445Z.dlist.zip.aes > ../hash.txt
: $aescrypt$1*ea8a4... but I run windows10 / cygwin the bin file do not start should I install ubuntu in wsl?

[philsmd]

There is a file called hashcat.exe in the beta version, as well. You do not need to use ubuntu.

Just use the exe files for windows. this should be a quite obvious thing to do and was also already mentioned a hundreds of time in the forum.