hashcat icon indicating copy to clipboard operation
hashcat copied to clipboard

Published 20 hours ago verified publisher icon hashcat

[Algorithm Request] Sandisk SecureAccess / ENCsecurity Datavault {AES-128-1024, HMAC-PBKDF2}

Open xSn0wstorm opened this issue 3 years ago • 7 comments
trafficstars

Is your request based on a publicly known cryptographic schema and where can we find information about? Cryptographic schema has been researched, presentation can be found here: https://pretalx.c3voc.de/media/rc3-2021-r3s/submissions/QMYGR3/resources/Practical_bruteforce_of_AES-1024_military_grad_eMKqvfW.pdf

Describe alternatives you've considered JtR supports this format (CPU Only): https://github.com/openwall/john/blob/bleeding-jumbo/run/encdatavault2john.py

Provide an example hash/database/file and a known correct password $encdv$3$1$8e8a2aef71d82c08$cc736b8c$34a5228c1e78b2a648d69c20f6baf33f4e6a32db181018322cc69141d7961f14a252d21cd6c6f81bf1a2211d03e8c956e851830b2e33a200572e8cc110547a7afefda593643b957bcec0e43431bf197ed023a60254a32723b9d28a70298c6a5ca61ce62da8c4b69f900d86e77e9b5e151c4621637519a95e6e8f571483e67859:hashcat

(This was generated using AES-128)

More examples in JtR source:

https://github.com/openwall/john/blob/bleeding-jumbo/src/encdatavault_md5_fmt_plug.c https://github.com/openwall/john/blob/bleeding-jumbo/src/encdatavault_pbkdf2_fmt_plug.c

Explain how the cryptographic schema is implemented As above, JtR implementation and research presentation.

Describe the known limitations of the algorithm No known limitations.

Where do you typically find the algorithm Can be found on any Sandisk, Sony, Western Digital and Lexar USB devices.

Additional context JtR already has implementation for CPU only cracking of this hash type. It would be nice if it could be implemented into Hashcat and if possible, with GPU acceleration. Thanks in advance!

xSn0wstorm avatar Sep 27 '22 09:09 xSn0wstorm

Hey there and thanks for the suggestion. I'm close to finalize this plugin and will commit it soon.

@sylvainpelissier There's a problem that goes back to the "only" 32 bit of comparison material used in the implementation.

if (!memcmp(result + 4, "\xd2\xc3\xb4\xa1", ENC_SIG_SIZE)) {

The chances for a false positive is very high, especially on MD5. The hashcat GPU implementation rate will be around 20 MH/s on a single GPU. That makes every 3-4 minutes another false positive. Is there a way to have additional tests, maybe some padding checks?

Here some collisions for fun:

Original:

        // Sandisk vaults
        { "$encdv$1$1$ae07a8354f6fe3ca$a6066363", "bbbb" },

Collsion:

$encdv$1$1$ae07a8354f6fe3ca$a6066363:0gSGat-hashcat
$encdv$1$1$ae07a8354f6fe3ca$a6066363:2J8VSTA-hashcat      
$encdv$1$1$ae07a8354f6fe3ca$a6066363:eL736sa-hashcat      
$encdv$1$1$ae07a8354f6fe3ca$a6066363:At5w0ca-hashcat

jsteube avatar Oct 11 '22 09:10 jsteube

The following 32-bit number after the magic word is the number of vault managed by the software, it may be reasonable to assume the following two bytes are zero since it is unlikely to have more that 65536 vaults on a machine.

sylvainpelissier avatar Oct 12 '22 12:10 sylvainpelissier

Sounds good. I'd suggest to test that second 32 bit value to be less than 100 or so. That should decrease the false positive rate even more.

Unfortunately the ./encdatavault2john.py program exports only the 32 bit value (the magic word). We'd need to update it and depending on the implementation at least change the parser section. Not sure if that would break the JtR plugin? Therefore CC @magnumripper @solardiz

We can also update the version number to maintain backward compatibility. @sylvainpelissier Could you make the change in ./encdatavault2john.py?

jsteube avatar Oct 12 '22 13:10 jsteube

Using the number of vaults to reduce false positives sounds like a great idea to me. Yes, we need to update encdatavault2john.py and the parser in JtR plugins (in encdatavault_common_plug.c). We don't strictly have to update the version number - we can infer the new version by the longer hex string in that same field - but I don't mind doing it either way, whichever works best for hashcat.

Yes @sylvainpelissier, we'll appreciate a pull request like that. Thank you!

solardiz avatar Oct 12 '22 14:10 solardiz

Sure I will do it.

sylvainpelissier avatar Oct 12 '22 14:10 sylvainpelissier

@sylvainpelissier OK, thanks for the support. I've just pushed -m 29930 in case you want to play around with the collisions locally.

jsteube avatar Oct 15 '22 10:10 jsteube

I did the PR. I think checking if that the number of vaults is less than 256 is fine. I noticed it represents the total number of faults which have been created since the installation of the software. During my experiments I surpass this number !

sylvainpelissier avatar Oct 16 '22 07:10 sylvainpelissier

@sylvainpelissier Thanks for the update. I've also updated all hashcat hash-modes to make use of the additional test material.

jsteube avatar Oct 21 '22 12:10 jsteube