Looking to crack password on AppleSecureNote
#1
Hello, 

I'm trying to understand the process to find the password for a secure note on my Macbook pro 2017 (running sour High sierra 10.13.6).

I have an amateur level in coding/programming and I am discovering new tools thanks to this forum and GitHub.

First of all, to achieve my ends I try to extract the hash from NoteStore.SQLite. To do this I tried the following perl script: https://raw.githubusercontent.com/hashca...hashcat.pl

So I created a "cracknote.pl" file on the desktop, then I run the file through the terminal by entering successively the following commands :
Code:
cd desktop
chmod +x cracknote.pl
./cracknote.pl

The command prompt returns me:

Code:
usage: ./cracknotes.pl NoteStore.sqlite

I don't understand what does it mean and how I can obtain the hash.. 

Am I doing it right?
Is the perl script supposed to return the hash linked to the secure note that I want to crack?

Thx, 
have a good day

poutreBA
#2
It means that you need to pass the location of the file that contains the secure note data (which is probably somewhere on your system named NoteStore.sqlite) as an argument to the script.  Try running

Code:
find ~ -name NoteStore.sqlite

then if that finds something, use that as the argument and see where it gets you.
#3
you need to specify the path to the "NoteStore.sqlite" SQLITE file within the command line (that is exactly what the Usage says).

The script doesn't work without specifying the sqlite file within the same command

e.g. open a new shell (bash) and navigate to the folder where securenotes2hashcat.pl is stored:
Code:
perl securenotes2hashcat.pl /Users/philsmd/Desktop/backup_of_NoteStore.sqlite

The "/Users/philsmd/Desktop/backup_of_NoteStore.sqlite" path needs of course be adapted to the location of the "NoteStore.sqlite" that you used (or as mentioned above a copy/backup of it).
#4
(08-03-2020, 11:59 AM)womble Wrote:
It means that you need to pass the location of the file that contains the secure note data (which is probably somewhere on your system named NoteStore.sqlite) as an argument to the script.  Try running

Code:
find ~ -name NoteStore.sqlite

then if that finds something, use that as the argument and see where it gets you.


(08-03-2020, 12:01 PM)philsmd Wrote:
you need to specify the path to the "NoteStore.sqlite" SQLITE file within the command line (that is exactly what the Usage says).

The script doesn't work without specifying the sqlite file within the same command

e.g. open a new shell (bash) and navigate to the folder where securenotes2hashcat.pl is stored:

Code:
perl securenotes2hashcat.pl /Users/philsmd/Desktop/backup_of_NoteStore.sqlite


The "/Users/philsmd/Desktop/backup_of_NoteStore.sqlite" path needs of course be adapted to the location of the "NoteStore.sqlite" that you used (or as mentioned above a copy/backup of it).


Thx for your quick answers , I try it and I think I finally have hash of 4 elements : 

Code:
(base) MacBook-Pro-de-poutreBA-2:Desktop poutreBA$ perl securenotes2hashcat.pl NoteStore.sqlite
Use of uninitialized value in unpack at securenotes2hashcat.pl line 28.
$ASN$*3*20000*29d03XXXXXXXXXXXXcb7ef32*
$ASN$*114*20000*29dXXXXXXXXXXXXf8dc4cb7ef3XXXXXXXXXXXX2b548a82d7
$ASN$*119*20000*43fcbe3XXXXXXXXXXXXef680bXXXXXXXXXXXX185aac4896aXXXXXXXXXXXXd6f81220dc4d
$ASN$*120*20000*29dXXXXXXXXXXXX0ac934bea4
what is the best method to find the passwords? Bruteforce?

poutreBA
#5
don't post hashes here, see https://hashcat.net/forum/announcement-2.html

I think only the last 3 ones are valid hashes, the last three load perfectly fine for me and seem to crack (e.g. for one of them the password seem to be p*rnhub).

brute-force or mask attack doesn't seem to be a very clever attack for those 20,000 iterations (quite slow), I would instead suggest a rule-based attack (dictionary based, see: https://hashcat.net/wiki/doku.php?id=rule_based_attack).
#6
(08-04-2020, 01:09 AM)philsmd Wrote: don't post hashes here, see https://hashcat.net/forum/announcement-2.html

I think only the last 3 ones are valid hashes, the last three load perfectly fine for me and seem to crack (e.g. for one of them the password seem to be p*rnhub).

brute-force or mask attack doesn't seem to be a very clever attack for those 20,000 iterations (quite slow), I would instead suggest a rule-based attack (dictionary based, see: https://hashcat.net/wiki/doku.php?id=rule_based_attack).

Sorry for that, I masked them 

I will look for the dictionary search thanks for the indications (and lol this is the password I was looking for, but what went through my mind ???)

In any case, thank you so much, I will continue to improve my skills because it is a rather fascinating subject.

Thanks for everything, I think the topic can be considered resolved.

See you soon

poutreBA