Hash Format for iOS 12.x and 13.x
#1
I am trying to recover the password for an encrypted iPhone Xs backup.
I ran backup2hashcat.pl on a backup made with iOS 12.x installed on the phone and got the following hash.

$itunes_backup$*10*90683dfb6......


Recently, I made another backup of the same phone on the same computer, but with iOS 13.x installed on the phone, and got the following hash after running backup2hashcat.pl.

$itunes_backup$*10*f3511bf3b009......

The encrypted password was never changed on the phone.
I want to run Hashcat on a wordlist I created with Mentalist (I remember certain parts of the password).

What hash do I use?
Why are the hashes different?
Does backup2hashcat.pl even work on iOS 12.x or 13.x?
Does iOS 12.x or 13.x use a different hash format that needs other modifications in hashcat before I run through my wordlist?

Thanks
Reply
#2
(02-17-2020, 07:59 PM)mikered1 Wrote: I am trying to recover the password for an encrypted iPhone Xs backup.
I ran backup2hashcat.pl on a backup made with iOS 12.x installed on the phone and got the following hash.

$itunes_backup$*10*90683dfb6.....

Recently, I made another backup of the same phone on the same computer, but with iOS 13.x installed on the phone, and got the following hash after running backup2hashcat.pl.

$itunes_backup$*10*f3511bf3b009.....

The encrypted password was never changed on the phone.
I want to run Hashcat on a wordlist I created with Mentalist (I remember certain parts of the password).

What hash do I use?
Why are the hashes different?
Does backup2hashcat.pl even work on iOS 12.x or 13.x?
Does iOS 12.x or 13.x use a different hash format that needs other modifications in hashcat before I run through my wordlist?

Thanks

As a follow-up to my question above, I did an encrypted backup of another iPhone X running version 13.x (where I made sure to remember the password).
backup2hashcat.pl works fine on 13.x.
Hashcat works on 13.x.
Still not sure why I get different hashes for different backups.
Reply
#3
It's most probably just the "salt"/key. Every time you make a backup, a different encryption key and salt are used.

BTW: you are not allowed to post hashes in this forum (see https://hashcat.net/forum/announcement-2.html), it doesn't matter if it's "just your own" hash or if it is a fabricated/generated hash.
Reply
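The point made in reply #3, shown as an added example that is not part of the original thread and is not hashcat or backup2hashcat.pl code: two records protected with the same password differ completely because each gets a fresh salt and a fresh random key, yet the same password verifies against either one. The `$demo_backup$` line layout, the iteration count, the sample password and the XOR masking used as a stand-in for real key wrapping are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # constructed work factor for the demo, not taken from the thread


def _kek(password: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from the password and the per-backup salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_backup_record(password: str) -> dict:
    """Simulate one encrypted backup: new salt and new random data key each time."""
    salt = os.urandom(20)
    data_key = os.urandom(32)  # random key that would encrypt the backup contents
    kek = _kek(password, salt)
    # Stand-in for key wrapping (assumption): mask the data key with the KEK.
    wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
    # Integrity tag so that a wrong password is detectable after unmasking.
    tag = hmac.new(data_key, b"backup-check", hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def record_to_line(rec: dict) -> str:
    """Serialise a record the way an extractor script would print one line."""
    return "$demo_backup$*" + "*".join(rec[k].hex() for k in ("salt", "wrapped", "tag"))


def check_password(rec: dict, candidate: str) -> bool:
    """Return True if the candidate password unmasks a key matching the tag."""
    kek = _kek(candidate, rec["salt"])
    data_key = bytes(a ^ b for a, b in zip(rec["wrapped"], kek))
    expected = hmac.new(data_key, b"backup-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, rec["tag"])


if __name__ == "__main__":
    pw = "constructed-sample-passphrase"  # constructed sample value
    first, second = make_backup_record(pw), make_backup_record(pw)
    print("lines differ:", record_to_line(first) != record_to_line(second))
    for name, rec in (("first", first), ("second", second)):
        print(name, "accepts password:", check_password(rec, pw))
        print(name, "accepts wrong guess:", check_password(rec, "not-the-password"))
```
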