-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create fvde2john.py #5623
base: bleeding-jumbo
Are you sure you want to change the base?
Create fvde2john.py #5623
Conversation
Thank you @holly-o! Please also add a For the username and password hints, perhaps the script should produce an /etc/passwd-format line, putting the username into the first field, hash into the second, and password hints into the GECOS field (but first replace any potential embedded I see there's a little bit of try/except, but perhaps it's not exhaustive for potential file read errors - in particular, the seeks look unchecked, so if a seek offset is ever beyond file size that will go unnoticed? Perhaps room for improved robustness there. But I did not review this carefully, only skimmed. @exploide Any review from you as well? |
Are these "hashes" also supported by hashcat, though? If so, I guess hashcat would insist on a bare hash? And we could need to support both output formats to be friendly to hashcat. |
Yes, this should also be added to |
Will do a review tomorrow. |
FWIW hashcat does have a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few review comments and suggestions. :)
Looks fine overall. I just generally recommend running a code linter and formatter but no big deal here.
I haven't put much thought into the parsing logic since I'm not familiar with the FileVault data structures. And of course I did not test it in the absence of test data.
Yes it seems so. $ hashcat -m 16700 --hash-info
hashcat (v6.2.6) starting in hash-info mode
Hash Info:
==========
Hash mode #16700
Name................: FileVault 2
Category............: Full-Disk Encryption (FDE)
Slow.Hash...........: Yes
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure
Example.Hash.Format.: plain
Example.Hash........: $fvde$1$16$84286044060108438487434858307513$20000$f1620ab93192112f0a23eea89b5d4df065661f974b704191
Example.Pass........: hashcat
Benchmark.Mask......: ?b?b?b?b?b?b?b
Autodetect.Enabled..: Yes
Self.Test.Enabled...: Yes
Potfile.Enabled.....: Yes
Custom.Plugin.......: No
Plaintext.Encoding..: ASCII, HEX |
run/fvde2john.py
Outdated
kek = PassphraseWrappedKEKStruct[32:56] | ||
iterations = uint_to_int(PassphraseWrappedKEKStruct[168:172]) | ||
|
||
print(f"[+] Successfully extracted hash: $fvde$1${len(salt)}${salt.hex()}${iterations}${kek.hex()}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a python n00b but to me this looks like it's literally printing something like
[+] Successfully extracted hash: $fvde$1$(...)
If so, maybe the "[+] Successfully extracted hash" should go to stderr, if kept at all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, all messages in the script currently go to stdout. This is in contrast to most other scripts, where only the hash is printed to stdout and everything else to stderr.
I would have recommended to adapt to this behavior. Though the difference to other scripts is that this prints additional information like username and password hint.
But yes, at the moment it is untypically verbose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think one of the script's output lines (on stdout) should be an /etc/passwd-format line without any sort of [+] Successfully extracted hash:
prefix or such. So that if output is redirected to a file, that file is directly and optimally usable with john
, without any need to manually select a portion of output and copy-paste.
Well, that should probably be fixed in hashcat. Maybe we should check if it still chokes on such input and send a PR fixing that. |
For the cases where there is any potential embedded |
Spaces should be no problem, so keep those. And I suggest replace Also any embedded newline characters (LF or CR) would be problematic. I suggest replace them with spaces too. I think our other |
It varies wildly. Some are careful, most are not. I think they've been fixed on a case by case basis. |
I've just checked, we already have precedent - commit 4ef1ef2 implements just that kind of replacement in some As to CR/LF, I only found one example where we take care of them:
This is now
sys.stdout.write("%s:$odf$*%s*%s*%s*%s*%s*%d*%s*%d*%s*%d*%s:::%s::%s\n" % \
(os.path.basename(filename), algorithm_type, checksum_type,
iteration_count, key_size, checksum, len(iv) / 2, iv,
len(salt) / 2, salt, 0, binascii.hexlify(content).decode("ascii"),
gecos, filename)) Oh, I now see it also puts the full filename into the shell field. I think we only parse that field for the shells filter option:
I doubt anyone would know to use that. So we could want to instead include the full filename into the GECOS field (perhaps after an added space separator) prior to the bad characters replacements. I didn't mean to review that other script in here - it's just an example that is in some ways right and in others not. |
97719c3
to
bbb7f8d
Compare
Removed trailing whitespace
bbb7f8d
to
084df53
Compare
remove trailing whitespace in readme
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good :) Thanks for incorporating the changes!
Add option to take offset input as hex Implement function try_read_fp() to avoid reading out of bounds Check that the volume GUID is in the BitLocker GUIDs before continuing.
Added new line when hash is written to stdout, in the case that there are multiple users then each hash is on a new line.
Added fvde2john.py for extracting FileVault hashes. Easier and more reliable hash extraction. Also will give user info such as username/password hint