arno/hashcat
1
0
Fork 0
mirror of https://github.com/hashcat/hashcat.git synced 2025-07-01 12:22:37 +00:00
Code Issues Releases Wiki Activity

Merge pull request #3202 from Greexter/bitwarden-fix

Browse Source 
Added parameter for second PBKDF2 iteration count for -m 23400, fixes #3033
This commit is contained in:
Jens Steube 2022-03-09 13:15:39 +01:00 committed by GitHub
commit 2b89c69cc4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 358 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

177
OpenCL/m23400-pure.cl
View File

@ -253,7 +253,7 @@ KERNEL_FQ void m23400_loop (KERN_ATTR_TMPS (bitwarden_tmp_t))
unpackv (tmps, out, gid, 7, out[7]); unpackv (tmps, out, gid, 7, out[7]);
} }
KERNEL_FQ void m23400_comp (KERN_ATTR_TMPS (bitwarden_tmp_t)) KERNEL_FQ void m23400_init2 (KERN_ATTR_TMPS (bitwarden_tmp_t))
{ {
/** /**
* base * base
@ -278,26 +278,23 @@ KERNEL_FQ void m23400_comp (KERN_ATTR_TMPS (bitwarden_tmp_t))
sha256_hmac_init (&sha256_hmac_ctx, out, 32); sha256_hmac_init (&sha256_hmac_ctx, out, 32);
u32 ipad[8]; tmps[gid].ipad[0] = sha256_hmac_ctx.ipad.h[0];
u32 opad[8]; tmps[gid].ipad[1] = sha256_hmac_ctx.ipad.h[1];
tmps[gid].ipad[2] = sha256_hmac_ctx.ipad.h[2];
tmps[gid].ipad[3] = sha256_hmac_ctx.ipad.h[3];
tmps[gid].ipad[4] = sha256_hmac_ctx.ipad.h[4];
tmps[gid].ipad[5] = sha256_hmac_ctx.ipad.h[5];
tmps[gid].ipad[6] = sha256_hmac_ctx.ipad.h[6];
tmps[gid].ipad[7] = sha256_hmac_ctx.ipad.h[7];
ipad[0] = sha256_hmac_ctx.ipad.h[0]; tmps[gid].opad[0] = sha256_hmac_ctx.opad.h[0];
ipad[1] = sha256_hmac_ctx.ipad.h[1]; tmps[gid].opad[1] = sha256_hmac_ctx.opad.h[1];
ipad[2] = sha256_hmac_ctx.ipad.h[2]; tmps[gid].opad[2] = sha256_hmac_ctx.opad.h[2];
ipad[3] = sha256_hmac_ctx.ipad.h[3]; tmps[gid].opad[3] = sha256_hmac_ctx.opad.h[3];
ipad[4] = sha256_hmac_ctx.ipad.h[4]; tmps[gid].opad[4] = sha256_hmac_ctx.opad.h[4];
ipad[5] = sha256_hmac_ctx.ipad.h[5]; tmps[gid].opad[5] = sha256_hmac_ctx.opad.h[5];
ipad[6] = sha256_hmac_ctx.ipad.h[6]; tmps[gid].opad[6] = sha256_hmac_ctx.opad.h[6];
ipad[7] = sha256_hmac_ctx.ipad.h[7]; tmps[gid].opad[7] = sha256_hmac_ctx.opad.h[7];
opad[0] = sha256_hmac_ctx.opad.h[0];
opad[1] = sha256_hmac_ctx.opad.h[1];
opad[2] = sha256_hmac_ctx.opad.h[2];
opad[3] = sha256_hmac_ctx.opad.h[3];
opad[4] = sha256_hmac_ctx.opad.h[4];
opad[5] = sha256_hmac_ctx.opad.h[5];
opad[6] = sha256_hmac_ctx.opad.h[6];
opad[7] = sha256_hmac_ctx.opad.h[7];
sha256_hmac_update_global_swap (&sha256_hmac_ctx, pws[gid].i, pws[gid].pw_len); sha256_hmac_update_global_swap (&sha256_hmac_ctx, pws[gid].i, pws[gid].pw_len);
@ -329,10 +326,142 @@ KERNEL_FQ void m23400_comp (KERN_ATTR_TMPS (bitwarden_tmp_t))
sha256_hmac_final (&sha256_hmac_ctx2); sha256_hmac_final (&sha256_hmac_ctx2);
const u32 r0 = sha256_hmac_ctx2.opad.h[0]; tmps[gid].dgst[0] = sha256_hmac_ctx2.opad.h[0];
const u32 r1 = sha256_hmac_ctx2.opad.h[1]; tmps[gid].dgst[1] = sha256_hmac_ctx2.opad.h[1];
const u32 r2 = sha256_hmac_ctx2.opad.h[2]; tmps[gid].dgst[2] = sha256_hmac_ctx2.opad.h[2];
const u32 r3 = sha256_hmac_ctx2.opad.h[3]; tmps[gid].dgst[3] = sha256_hmac_ctx2.opad.h[3];
tmps[gid].dgst[4] = sha256_hmac_ctx2.opad.h[4];
tmps[gid].dgst[5] = sha256_hmac_ctx2.opad.h[5];
tmps[gid].dgst[6] = sha256_hmac_ctx2.opad.h[6];
tmps[gid].dgst[7] = sha256_hmac_ctx2.opad.h[7];
tmps[gid].out[0] = tmps[gid].dgst[0];
tmps[gid].out[1] = tmps[gid].dgst[1];
tmps[gid].out[2] = tmps[gid].dgst[2];
tmps[gid].out[3] = tmps[gid].dgst[3];
tmps[gid].out[4] = tmps[gid].dgst[4];
tmps[gid].out[5] = tmps[gid].dgst[5];
tmps[gid].out[6] = tmps[gid].dgst[6];
tmps[gid].out[7] = tmps[gid].dgst[7];
}
KERNEL_FQ void m23400_loop2 (KERN_ATTR_TMPS (bitwarden_tmp_t))
{
const u64 gid = get_global_id (0);
if ((gid * VECT_SIZE) >= GID_CNT) return;
u32x ipad[8];
u32x opad[8];
ipad[0] = packv (tmps, ipad, gid, 0);
ipad[1] = packv (tmps, ipad, gid, 1);
ipad[2] = packv (tmps, ipad, gid, 2);
ipad[3] = packv (tmps, ipad, gid, 3);
ipad[4] = packv (tmps, ipad, gid, 4);
ipad[5] = packv (tmps, ipad, gid, 5);
ipad[6] = packv (tmps, ipad, gid, 6);
ipad[7] = packv (tmps, ipad, gid, 7);
opad[0] = packv (tmps, opad, gid, 0);
opad[1] = packv (tmps, opad, gid, 1);
opad[2] = packv (tmps, opad, gid, 2);
opad[3] = packv (tmps, opad, gid, 3);
opad[4] = packv (tmps, opad, gid, 4);
opad[5] = packv (tmps, opad, gid, 5);
opad[6] = packv (tmps, opad, gid, 6);
opad[7] = packv (tmps, opad, gid, 7);
u32x dgst[8];
u32x out[8];
dgst[0] = packv (tmps, dgst, gid, 0);
dgst[1] = packv (tmps, dgst, gid, 1);
dgst[2] = packv (tmps, dgst, gid, 2);
dgst[3] = packv (tmps, dgst, gid, 3);
dgst[4] = packv (tmps, dgst, gid, 4);
dgst[5] = packv (tmps, dgst, gid, 5);
dgst[6] = packv (tmps, dgst, gid, 6);
dgst[7] = packv (tmps, dgst, gid, 7);
out[0] = packv (tmps, out, gid, 0);
out[1] = packv (tmps, out, gid, 1);
out[2] = packv (tmps, out, gid, 2);
out[3] = packv (tmps, out, gid, 3);
out[4] = packv (tmps, out, gid, 4);
out[5] = packv (tmps, out, gid, 5);
out[6] = packv (tmps, out, gid, 6);
out[7] = packv (tmps, out, gid, 7);
for (u32 j = 0; j < LOOP_CNT; j++)
{
u32x w0[4];
u32x w1[4];
u32x w2[4];
u32x w3[4];
w0[0] = dgst[0];
w0[1] = dgst[1];
w0[2] = dgst[2];
w0[3] = dgst[3];
w1[0] = dgst[4];
w1[1] = dgst[5];
w1[2] = dgst[6];
w1[3] = dgst[7];
w2[0] = 0x80000000;
w2[1] = 0;
w2[2] = 0;
w2[3] = 0;
w3[0] = 0;
w3[1] = 0;
w3[2] = 0;
w3[3] = (64 + 32) * 8;
hmac_sha256_run_V (w0, w1, w2, w3, ipad, opad, dgst);
out[0] ^= dgst[0];
out[1] ^= dgst[1];
out[2] ^= dgst[2];
out[3] ^= dgst[3];
out[4] ^= dgst[4];
out[5] ^= dgst[5];
out[6] ^= dgst[6];
out[7] ^= dgst[7];
}
unpackv (tmps, dgst, gid, 0, dgst[0]);
unpackv (tmps, dgst, gid, 1, dgst[1]);
unpackv (tmps, dgst, gid, 2, dgst[2]);
unpackv (tmps, dgst, gid, 3, dgst[3]);
unpackv (tmps, dgst, gid, 4, dgst[4]);
unpackv (tmps, dgst, gid, 5, dgst[5]);
unpackv (tmps, dgst, gid, 6, dgst[6]);
unpackv (tmps, dgst, gid, 7, dgst[7]);
unpackv (tmps, out, gid, 0, out[0]);
unpackv (tmps, out, gid, 1, out[1]);
unpackv (tmps, out, gid, 2, out[2]);
unpackv (tmps, out, gid, 3, out[3]);
unpackv (tmps, out, gid, 4, out[4]);
unpackv (tmps, out, gid, 5, out[5]);
unpackv (tmps, out, gid, 6, out[6]);
unpackv (tmps, out, gid, 7, out[7]);
}
KERNEL_FQ void m23400_comp (KERN_ATTR_TMPS (bitwarden_tmp_t))
{
/**
* base
*/
const u64 gid = get_global_id (0);
if (gid >= GID_CNT) return;
const u32 r0 = tmps[gid].out[0];
const u32 r1 = tmps[gid].out[1];
const u32 r2 = tmps[gid].out[2];
const u32 r3 = tmps[gid].out[3];
#define il_pos 0 #define il_pos 0

1
docs/changes.txt
View File

@ -26,6 +26,7 @@
- Added support to building universal macOS binary on Apple Silicon - Added support to building universal macOS binary on Apple Silicon
- Added hex encoding format for --separator option - Added hex encoding format for --separator option
- Added password candidates range to --status-json output - Added password candidates range to --status-json output
- Added parameter to Bitwarden mode for second iteration count
## ##
## Bugs ## Bugs

58
src/modules/module_23400.c
View File

@ -21,10 +21,12 @@ static const char *HASH_NAME = "Bitwarden";
static const u64 KERN_TYPE = 23400; static const u64 KERN_TYPE = 23400;
static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE
| OPTI_TYPE_SLOW_HASH_SIMD_LOOP; | OPTI_TYPE_SLOW_HASH_SIMD_LOOP;
static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE; static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE
| OPTS_TYPE_LOOP2
| OPTS_TYPE_INIT2;
static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED; static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED;
static const char *ST_PASS = "hashcat"; static const char *ST_PASS = "hashcat1";
static const char *ST_HASH = "$bitwarden$1*100000*bm9yZXBseUBoYXNoY2F0Lm5ldA==*zAXL7noQxkIJG82vWuqyDsnoqnKAVU7gE/8IRI6BlMs="; static const char *ST_HASH = "$bitwarden$2*100000*2*bm9yZXBseUBoYXNoY2F0Lm5ldA==*CWCy4KZEEw1W92qB7xfLRNoJpepTMSyr7WJGZ0/Xr8c=";
u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; } u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; }
u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; } u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; }
@ -107,7 +109,7 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
hc_token_t token; hc_token_t token;
token.token_cnt = 5; token.token_cnt = 6;
token.signatures_cnt = 1; token.signatures_cnt = 1;
token.signatures_buf[0] = SIGNATURE_BITWARDEN; token.signatures_buf[0] = SIGNATURE_BITWARDEN;
@ -130,13 +132,19 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
token.sep[3] = '*'; token.sep[3] = '*';
token.len_min[3] = 1; token.len_min[3] = 1;
token.len_max[3] = ((SALT_MAX * 8) / 6) + 3; token.len_max[3] = 7;
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH; token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_DIGIT;
token.sep[4] = '*'; token.sep[4] = '*';
token.len_min[4] = 44; token.len_min[4] = 1;
token.len_max[4] = 44; token.len_max[4] = ((SALT_MAX * 8) / 6) + 3;
token.attr[4] = TOKEN_ATTR_VERIFY_LENGTH token.attr[4] = TOKEN_ATTR_VERIFY_LENGTH;
token.sep[5] = '*';
token.len_min[5] = 44;
token.len_max[5] = 44;
token.attr[5] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_BASE64A; | TOKEN_ATTR_VERIFY_BASE64A;
const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token); const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token);
@ -146,24 +154,33 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
// version // version
const u8 *version_pos = token.buf[1]; const u8 *version_pos = token.buf[1];
const u32 version = *version_pos - 0x30;
if (version_pos[0] != '1') return (PARSER_SALT_VALUE); if (version != 2) return (PARSER_SALT_VALUE);
// iter // iter
const u8 *iter_pos = token.buf[2]; const u8 *iter1_pos = token.buf[2];
const u8 *iter2_pos = token.buf[3];
const u32 iter = hc_strtoul ((const char *) iter_pos, NULL, 10); const u32 iter1 = hc_strtoul ((const char *) iter1_pos, NULL, 10);
if (iter < 1) return (PARSER_SALT_ITERATION); if (iter1 < 1) return (PARSER_SALT_ITERATION);
if (iter > 999999) return (PARSER_SALT_ITERATION); if (iter1 > 999999) return (PARSER_SALT_ITERATION);
salt->salt_iter = iter - 1; salt->salt_iter = iter1 - 1;
const u32 iter2 = hc_strtoul ((const char *) iter2_pos, NULL, 10);
if (iter2 < 1) return (PARSER_SALT_ITERATION);
if (iter2 > 999999) return (PARSER_SALT_ITERATION);
salt->salt_iter2 = iter2 - 1;
// salt // salt
const u8 *salt_pos = token.buf[3]; const u8 *salt_pos = token.buf[4];
const int salt_len = token.len[3]; const int salt_len = token.len[4];
u8 tmp_buf[SALT_MAX + 1] = { 0 }; u8 tmp_buf[SALT_MAX + 1] = { 0 };
@ -178,8 +195,8 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
// hash // hash
const u8 *hash_pos = token.buf[4]; const u8 *hash_pos = token.buf[5];
const int hash_len = token.len[4]; const int hash_len = token.len[5];
memset (tmp_buf, 0, sizeof (tmp_buf)); memset (tmp_buf, 0, sizeof (tmp_buf));
@ -230,9 +247,10 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
base64_encode (int_to_base64, (const u8 *) tmp_buf, 32, (u8 *) hash_buf); base64_encode (int_to_base64, (const u8 *) tmp_buf, 32, (u8 *) hash_buf);
const int line_len = snprintf (line_buf, line_size, "%s1*%i*%s*%s", const int line_len = snprintf (line_buf, line_size, "%s2*%i*%i*%s*%s",
SIGNATURE_BITWARDEN, SIGNATURE_BITWARDEN,
salt->salt_iter + 1, salt->salt_iter + 1,
salt->salt_iter2 + 1,
salt_buf, salt_buf,
hash_buf); hash_buf);

161
tools/bitwarden2hashcat.py Normal file
View File

@ -0,0 +1,161 @@
"""Utility to extract Bitwarden hash for hashcat from Google Chrome / Firefox / Desktop local data"""
#
# Based on bitwarden2john.py https://github.com/willstruggle/john/blob/master/bitwarden2john.py
#
# Various data locations are documented here: https://bitwarden.com/help/data-storage/#on-your-local-machine
#
# Author: https://github.com/Greexter
# License: MIT
#
import os
import argparse
import sys
import base64
import traceback
try:
import json
assert json
except ImportError:
try:
import simplejson as json
except ImportError:
print("Please install json module which is currently not installed.\n", file=sys.stderr)
sys.exit(-1)
def process_sqlite(path):
try:
import snappy
except ImportError:
print("Please install python-snappy module.\n", file=sys.stderr)
sys.exit(-1)
try:
import sqlite3
except ImportError:
print("Please install sqlite3 module.\n", file=sys.stderr)
sys.exit(-1)
conn = sqlite3.connect(path)
cur = conn.cursor()
data = cur.execute('SELECT * FROM object_data')
fetched = data.fetchall()
# uses undocumented nonstandard data format
# probably can break in the future
dataValue = snappy.decompress(fetched[0][4])
key_hash = dataValue.split(b"keyHash")[1][9:53].decode()
email = dataValue.split(b"email")[1][11:].split(b'\x00')[0].decode()
iterations = int.from_bytes(dataValue.split(b"kdfIterations")[1][3:7], byteorder="little")
return [(email, key_hash, iterations)]
def process_leveldb(path):
try:
import leveldb
except ImportError:
print("Please install the leveldb module for full functionality!\n", file=sys.stderr)
sys.exit(-1)
db = leveldb.LevelDB(path, create_if_missing=False)
try:
out = []
accIds = db.Get(b'authenticatedAccounts')
accIds = json.loads(accIds)
for id in accIds:
authAccData = db.Get(id.strip('"').encode())
out.append(extract_json_profile(json.loads(authAccData)))
return out
except(KeyError):
# support for older Bitwarden versions (before account switch implementation)
# data is stored in different format
print("Failed to extract data, trying old format.", file=sys.stderr)
email = db.Get(b'userEmail')\
.decode('utf-8')\
.strip('"')
key_hash = db.Get(b'keyHash')\
.decode("ascii").strip('"')
iterations = int(db.Get(b'kdfIterations').decode("ascii"))
return [(email, key_hash, iterations)]
def process_json(data):
data = json.loads(data)
try:
out = []
accIds = data["authenticatedAccounts"]
for id in accIds:
authAccData = data[id.strip('"')]
out.append(extract_json_profile(authAccData))
return out
except(KeyError):
print("Failed to extract data, trying old format.", file=sys.stderr)
email = data["rememberedEmail"]
hash = data["keyHash"]
iterations = data["kdfIterations"]
return [(email, hash, iterations)]
def extract_json_profile(data):
profile = data["profile"]
email = profile["email"]
iterations = profile["kdfIterations"]
hash = profile["keyHash"]
return email, hash, iterations
def process_file(filename, legacy = False):
try:
if os.path.isdir(filename):
# Chromium based
data = process_leveldb(filename)
elif filename.endswith(".sqlite"):
# Firefox
data = process_sqlite(filename)
elif filename.endswith(".json"):
# json - Desktop
with open(filename, "rb") as f:
data = f.read()
data = process_json(data)
else:
print("Unknown storage. Don't know how to extract data.", file=sys.stderr)
sys.exit(-1)
except (ValueError, KeyError):
traceback.print_exc()
print("Missing values, user is probably logged out.", file=sys.stderr)
return
except:
traceback.print_exc()
return
iterations2 = 1 if legacy else 2
for entry in data:
if len(entry) != 3:
print("[error] %s could not be parsed properly!\nUser is probably logged out." % filename, file=sys.stderr)
continue
print("$bitwarden$2*%d*%d*%s*%s" %
(entry[2], iterations2, base64.b64encode(entry[0].encode("ascii")).decode("ascii"), entry[1]))
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("paths", type=str, nargs="+")
parser.add_argument("--legacy", action="store_true", help="Used for older versions of Bitwarden (before static iteration count had been changed).")
args = parser.parse_args()
for p in args.paths:
process_file(p, args.legacy)

7
tools/test_modules/m23400.pm
View File

@ -18,6 +18,7 @@ sub module_generate_hash
my $word = shift; my $word = shift;
my $salt = shift; my $salt = shift;
my $iter = shift // 10000; # or 100000 default but probably too high for tests my $iter = shift // 10000; # or 100000 default but probably too high for tests
my $iter2 = shift // 2;
my $kdf1 = Crypt::PBKDF2->new my $kdf1 = Crypt::PBKDF2->new
( (
@ -29,7 +30,7 @@ sub module_generate_hash
my $kdf2 = Crypt::PBKDF2->new my $kdf2 = Crypt::PBKDF2->new
( (
hasher => Crypt::PBKDF2->hasher_from_algorithm ('HMACSHA2', 256), hasher => Crypt::PBKDF2->hasher_from_algorithm ('HMACSHA2', 256),
iterations => 1, iterations => $iter2,
output_len => 32 output_len => 32
); );
@ -38,7 +39,7 @@ sub module_generate_hash
my $digest1 = $kdf1->PBKDF2 ($email, $word); my $digest1 = $kdf1->PBKDF2 ($email, $word);
my $digest2 = $kdf2->PBKDF2 ($word, $digest1); # position of $word switched ! my $digest2 = $kdf2->PBKDF2 ($word, $digest1); # position of $word switched !
my $hash = sprintf ("\$bitwarden\$1*%d*%s*%s", $iter, encode_base64 ($email, ""), encode_base64 ($digest2, "")); my $hash = sprintf ("\$bitwarden\$2*%d*%d*%s*%s", $iter, $iter2, encode_base64 ($email, ""), encode_base64 ($digest2, ""));
return $hash; return $hash;
} }
@ -54,7 +55,7 @@ sub module_verify_hash
my $hash = substr ($line, 0, $idx); my $hash = substr ($line, 0, $idx);
my $word = substr ($line, $idx + 1); my $word = substr ($line, $idx + 1);
return unless substr ($hash, 0, 12) eq '$bitwarden$1'; return unless substr ($hash, 0, 12) eq '$bitwarden$2';
my ($type, $iter, $salt_base64, $hash_base64) = split ('\*', $hash); my ($type, $iter, $salt_base64, $hash_base64) = split ('\*', $hash);