Add format and extractor script for ```authenticator``` python app master password

openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs

https://www.openwall.com/john/

Other

9.98k stars 2.06k forks source link

Add format and extractor script for ```authenticator``` python app master password #4893

Open marksilinio opened 2 years ago

marksilinio commented 2 years ago

It would be nice to have a script that allow to bruteforce master password of https://github.com/JeNeSuisPasDave/authenticator

it uses the AES 256-bit symmetric key: https://github.com/JeNeSuisPasDave/authenticator/blob/3caa2edebff01be3e6fd82c72ac3a0eb415cbe66/src/authenticator/data.py#L597-L606

to encrypt the second 16-byte data and compare it with the first 16-byte block (header): https://github.com/JeNeSuisPasDave/authenticator/blob/3caa2edebff01be3e6fd82c72ac3a0eb415cbe66/src/authenticator/data.py#L802-L807

solardiz commented 2 years ago

I think it'd take not only a script, but also a new format in john.

magnumripper commented 2 years ago

If someone whips up an authenticator2john and supplies a couple of test vectors (add original samples to https://github.com/openwall/john-samples as well please), I'm willing to write the formats.

marksilinio commented 2 years ago

If someone whips up an authenticator2john and supplies a couple of test vectors (add original samples to https://github.com/openwall/john-samples as well please), I'm willing to write the formats.

how to provide a test vectors? base64 encoded 16-bytes IV and 16-bytes encrypted data? like authenticator:$<base64 IV>$<base64 enc> ?

sample: https://github.com/openwall/john-samples/pull/10

magnumripper commented 2 years ago

Thanks!

Since the data is so short, hex encoding is fine as well (unless original data happens to be Base64 already, or whatever reason you fancy - it's ultimately up to you).

I think this would be nice:

$authenticator$0$<hex IV>$<hex data>

The 0 is just incase a future version need a format or algo change, we'd set next to 1 then.

Many of our tools will include the basename of the input filename as a first (: separated) field, like this:

authenticator.data:$authenticator$0$<hex IV>$<hex data>

In that case, the string authenticator.data is not used at all for the cracking nor a part of what we would call the (non) hash, but useful for when outputting a successful crack.

marksilinio commented 2 years ago

see https://github.com/openwall/john/pull/4898

magnumripper commented 2 years ago

The AES key is produced using SHA-256 with 256K iterations, you didn't mention that. It will slow things down considerably. Maybe 11Kp/s on a 2080ti or a couple hundred p/s on a good CPU with 8 cores.

magnumripper commented 2 years ago

Oh and what we called the IV isn't the IV, it's the cleartext header. The IV is derived from the key.

marksilinio commented 2 years ago

The AES key is produced using SHA-256 with 256K iterations, you didn't mention that. It will slow things down considerably. Maybe 11Kp/s on a 2080ti or a couple hundred p/s on a good CPU with 8 cores.

Maybe 1024 iterations? https://github.com/JeNeSuisPasDave/authenticator/blob/3caa2edebff01be3e6fd82c72ac3a0eb415cbe66/src/authenticator/data.py#L573-L577:

        self.__key_stretches = 256 * 1024
        self.__magic_number = 0x7A6A5A4A
        self.__file_version = 1
        self.__key = self._produce_key(passphrase)
        self.__iv = self._produce_iv(self.__key)