1
0
mirror of https://github.com/hashcat/hashcat.git synced 2024-12-23 07:08:19 +00:00

Add support for TOTP (RFC 6238)

This commit is contained in:
unix-ninja 2018-10-02 11:01:54 -04:00
parent 1b980cf010
commit 3d0f1626ed
5 changed files with 340 additions and 0 deletions

225
OpenCL/m17300_a3-pure.cl Normal file
View File

@ -0,0 +1,225 @@
/**
* Author......: See docs/credits.txt
* License.....: MIT
*/
#define NEW_SIMD_CODE
#include "inc_vendor.cl"
#include "inc_hash_constants.h"
#include "inc_hash_functions.cl"
#include "inc_types.cl"
#include "inc_common.cl"
#include "inc_simd.cl"
#include "inc_hash_sha1.cl"
__kernel void m17300_mxx (__global pw_t *pws, __global const kernel_rule_t *rules_buf, __global const pw_t *combs_buf, __constant const u32x *words_buf_r, __global void *tmps, __global void *hooks, __global const u32 *bitmaps_buf_s1_a, __global const u32 *bitmaps_buf_s1_b, __global const u32 *bitmaps_buf_s1_c, __global const u32 *bitmaps_buf_s1_d, __global const u32 *bitmaps_buf_s2_a, __global const u32 *bitmaps_buf_s2_b, __global const u32 *bitmaps_buf_s2_c, __global const u32 *bitmaps_buf_s2_d, __global plain_t *plains_buf, __global const digest_t *digests_buf, __global u32 *hashes_shown, __global const salt_t *salt_bufs, __global const void *esalt_bufs, __global u32 *d_return_buf, __global u32 *d_scryptV0_buf, __global u32 *d_scryptV1_buf, __global u32 *d_scryptV2_buf, __global u32 *d_scryptV3_buf, const u32 bitmap_mask, const u32 bitmap_shift1, const u32 bitmap_shift2, const u32 salt_pos, const u32 loop_pos, const u32 loop_cnt, const u32 il_cnt, const u32 digests_cnt, const u32 digests_offset, const u32 combs_mode, const u64 gid_max)
{
/**
* modifier
*/
const u64 lid = get_local_id (0);
const u64 gid = get_global_id (0);
if (gid >= gid_max) return;
/**
* base
*/
const u32 pw_len = pws[gid].pw_len;
u32x w[64] = { 0 };
for (int i = 0, idx = 0; i < pw_len; i += 4, idx += 1)
{
w[idx] = pws[gid].i[idx];
}
const u32 salt_len = salt_bufs[salt_pos].salt_len;
u32x s[64] = { 0 };
for (int i = 0, idx = 0; i < salt_len; i += 4, idx += 1)
{
s[idx] = swap32_S (salt_bufs[salt_pos].salt_buf[idx]);
}
/**
* loop
*/
u32x w0l = w[0];
for (u32 il_pos = 0; il_pos < il_cnt; il_pos += VECT_SIZE)
{
const u32x w0r = words_buf_r[il_pos / VECT_SIZE];
const u32x w0 = w0l | w0r;
w[0] = w0;
sha1_hmac_ctx_vector_t ctx;
sha1_hmac_init_vector (&ctx, w, pw_len);
sha1_hmac_update_vector (&ctx, s, salt_len);
sha1_hmac_final_vector (&ctx);
// ------- PUT TOTP HERE ------- //
// calculate the offset using the least 4 bits of the last byte of our hash
const int otp_offset = ctx.opad.h[4] & 0xf;
// initialize a buffer for the otp code
unsigned int otp_code = 0;
// grab 4 consecutive bytes of the hash, starting at offset
switch(otp_offset%4)
{
case 1:
otp_code = ((ctx.opad.h[otp_offset/4] & 0xffffff) << 8) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 24);
break;
case 2:
otp_code = ((ctx.opad.h[otp_offset/4] & 0xffff) << 16) | ((ctx.opad.h[otp_offset/4+1] % 0xffff0000) >> 16);
break;
case 3:
otp_code = ((ctx.opad.h[otp_offset/4] & 0xff) << 24) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 8);
break;
default:
otp_code = ctx.opad.h[otp_offset/4];
break;
}
// take only the lower 31 bits
otp_code &= 0x7fffffff;
// we want to generate only 6 digits of code
otp_code %= 1000000;
const u32x r0 = ctx.opad.h[DGST_R0];
const u32x r1 = ctx.opad.h[DGST_R1];
const u32x r2 = ctx.opad.h[DGST_R2];
const u32x r3 = ctx.opad.h[DGST_R3];
COMPARE_M_SIMD (otp_code, 0, 0, 0);
//COMPARE_M_SIMD (r0, r1, r2, r3);
}
}
__kernel void m17300_sxx (__global pw_t *pws, __global const kernel_rule_t *rules_buf, __global const pw_t *combs_buf, __constant const u32x *words_buf_r, __global void *tmps, __global void *hooks, __global const u32 *bitmaps_buf_s1_a, __global const u32 *bitmaps_buf_s1_b, __global const u32 *bitmaps_buf_s1_c, __global const u32 *bitmaps_buf_s1_d, __global const u32 *bitmaps_buf_s2_a, __global const u32 *bitmaps_buf_s2_b, __global const u32 *bitmaps_buf_s2_c, __global const u32 *bitmaps_buf_s2_d, __global plain_t *plains_buf, __global const digest_t *digests_buf, __global u32 *hashes_shown, __global const salt_t *salt_bufs, __global const void *esalt_bufs, __global u32 *d_return_buf, __global u32 *d_scryptV0_buf, __global u32 *d_scryptV1_buf, __global u32 *d_scryptV2_buf, __global u32 *d_scryptV3_buf, const u32 bitmap_mask, const u32 bitmap_shift1, const u32 bitmap_shift2, const u32 salt_pos, const u32 loop_pos, const u32 loop_cnt, const u32 il_cnt, const u32 digests_cnt, const u32 digests_offset, const u32 combs_mode, const u64 gid_max)
{
/**
* modifier
*/
const u64 lid = get_local_id (0);
const u64 gid = get_global_id (0);
if (gid >= gid_max) return;
/**
* digest
*/
const u32 search[4] =
{
digests_buf[digests_offset].digest_buf[DGST_R0],
digests_buf[digests_offset].digest_buf[DGST_R1],
digests_buf[digests_offset].digest_buf[DGST_R2],
digests_buf[digests_offset].digest_buf[DGST_R3]
};
/**
* base
*/
const u32 pw_len = pws[gid].pw_len;
u32x w[64] = { 0 };
for (int i = 0, idx = 0; i < pw_len; i += 4, idx += 1)
{
w[idx] = pws[gid].i[idx];
}
const u32 salt_len = salt_bufs[salt_pos].salt_len;
u32x s[64] = { 0 };
for (int i = 0, idx = 0; i < salt_len; i += 4, idx += 1)
{
s[idx] = swap32_S (salt_bufs[salt_pos].salt_buf[idx]);
}
/**
* loop
*/
u32x w0l = w[0];
for (u32 il_pos = 0; il_pos < il_cnt; il_pos += VECT_SIZE)
{
const u32x w0r = words_buf_r[il_pos / VECT_SIZE];
const u32x w0 = w0l | w0r;
w[0] = w0;
sha1_hmac_ctx_vector_t ctx;
sha1_hmac_init_vector (&ctx, w, pw_len);
sha1_hmac_update_vector (&ctx, s, salt_len);
sha1_hmac_final_vector (&ctx);
//printf("%d ", sizeof(ctx.opad.h));
// ------- PUT TOTP HERE ------- //
// calculate the offset using the least 4 bits of the last byte of our hash
const int otp_offset = ctx.opad.h[4] & 0xf;
// initialize a buffer for the otp code
unsigned int otp_code = 0;
// grab 4 consecutive bytes of the hash, starting at offset
switch(otp_offset%4)
{
case 1:
otp_code = ((ctx.opad.h[otp_offset/4] & 0xffffff) << 8) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 24);
break;
case 2:
otp_code = ((ctx.opad.h[otp_offset/4] & 0xffff) << 16) | ((ctx.opad.h[otp_offset/4+1] % 0xffff0000) >> 16);
break;
case 3:
otp_code = ((ctx.opad.h[otp_offset/4] & 0xff) << 24) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 8);
break;
default:
otp_code = ctx.opad.h[otp_offset/4];
break;
}
// take only the lower 31 bits
otp_code &= 0x7fffffff;
// we want to generate only 6 digits of code
otp_code %= 1000000;
const u32x r0 = ctx.opad.h[DGST_R0];
const u32x r1 = ctx.opad.h[DGST_R1];
const u32x r2 = ctx.opad.h[DGST_R2];
const u32x r3 = ctx.opad.h[DGST_R3];
if( ctx.opad.h[0] == 0xc085d274)
//if( ctx.opad.h[0] == 0x50184678)
//if( ctx.opad.h[0] == 0x8e664b2e)
{
//printf(" [[ %d %d %d %d ]]\n ", ctx.opad.h[otp_offset], ctx.opad.h[otp_offset +1], ctx.opad.h[otp_offset +2], ctx.opad.h[otp_offset +3]);
//printf(" MAXX:: %d %d\n", pw_len, salt_len);
//printf(" SRCH:: %x\n", search[0]);
//printf(" SRCH:: %x\n", search[1]);
//printf(" SRCH:: %x\n", search[2]);
//printf(" SRCH:: %x\n", search[3]);
//printf(" CODE:: %x\n", otp_code);
}
COMPARE_S_SIMD (otp_code, 0, 0, 0);
//COMPARE_S_SIMD (r0, r1, r2, r3);
}
}

View File

@ -1325,6 +1325,7 @@ typedef enum kern_type
KERN_TYPE_WPA_PMKID_PBKDF2 = 16800,
KERN_TYPE_WPA_PMKID_PMK = 16801,
KERN_TYPE_ANSIBLE_VAULT = 16900,
KERN_TYPE_TOTP_HMACSHA1 = 17300,
KERN_TYPE_PLAINTEXT = 99999,
} kern_type_t;

View File

@ -275,6 +275,21 @@ void check_hash (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, pl
build_plain (hashcat_ctx, device_param, plain, plain_buf, &plain_len);
// TOTP should be base32 encoded
if (hashcat_ctx->hashconfig->hash_mode == KERN_TYPE_TOTP_HMACSHA1)
{
// we need a temp buffer for the base32 encoding
u32 temp_buf[64] = { 0 };
u8 *temp_ptr = (u8 *) temp_buf;
// encode our plain
base32_encode (int_to_base32, (const u8 *) plain_ptr, plain_len, (u8 *) temp_buf);
plain_len = strlen((const char *) temp_buf);
// copy the base32 content into our plain buffer
plain_ptr = (u8 *) strdup((const char *) temp_ptr);
}
// crackpos
u64 crackpos = 0;

View File

@ -281,6 +281,7 @@ static const char *ST_HASH_16700 = "$fvde$1$16$84286044060108438487434858307513$
static const char *ST_HASH_16800 = "2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a";
static const char *ST_HASH_16801 = "2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4";
static const char *ST_HASH_16900 = "$ansible$0*0*6b761adc6faeb0cc0bf197d3d4a4a7d3f1682e4b169cae8fa6b459b3214ed41e*426d313c5809d4a80a4b9bc7d4823070*d8bad190c7fbc7c3cb1c60a27abfb0ff59d6fb73178681c7454d94a0f56a4360";
static const char *ST_HASH_17300 = "597056:3600";
static const char *ST_HASH_99999 = "hashcat";
static const char *OPTI_STR_OPTIMIZED_KERNEL = "Optimized-Kernel";
@ -529,6 +530,7 @@ static const char *HT_16700 = "FileVault 2";
static const char *HT_16800 = "WPA-PMKID-PBKDF2";
static const char *HT_16801 = "WPA-PMKID-PMK";
static const char *HT_16900 = "Ansible Vault";
static const char *HT_17300 = "TOTP (HMAC-SHA1)";
static const char *HT_99999 = "Plaintext";
static const char *HT_00011 = "Joomla < 2.5.18";
@ -5142,6 +5144,74 @@ int sha1s_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUS
return (PARSER_OK);
}
int totp_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
{
// this is going to start off like HMAC-SHA1
u32 *digest = (u32 *) hash_buf->digest;
salt_t *salt = hash_buf->salt;
token_t token;
token.token_cnt = 2;
token.sep[0] = hashconfig->separator;
token.len_min[0] = 6;
token.len_max[0] = 6;
token.attr[0] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_HEX;
token.len_min[1] = SALT_MIN;
token.len_max[1] = SALT_MAX;
token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH;
if (hashconfig->opts_type & OPTS_TYPE_ST_HEX)
{
token.len_min[1] *= 2;
token.len_max[1] *= 2;
token.attr[1] |= TOKEN_ATTR_VERIFY_HEX;
}
const int rc_tokenizer = input_tokenizer (input_buf, input_len, &token);
// now we need to reduce our hash into a token
int otp_code = 0;
for (int i = 0; i < 6; i++)
{
otp_code = otp_code * 10 + itoa32_to_int(input_buf[i]);
}
if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
u8 *hash_pos = token.buf[0];
digest[1] = otp_code;
u8 *salt_pos = token.buf[1];
int salt_len = token.len[1];
// convert ascii timestamp to ulong timestamp
unsigned long timestamp = 0;
for(int i = 0; i<salt_len; i++)
{
timestamp = timestamp * 10 + ( *(salt_pos + i) - '0');
}
// divide our timestamp by our step. We will use the RFC 6238 default of 30 for now
timestamp /= 30;
// convert counter to 8-byte salt
for (int i = 2; i--; timestamp >>= 32)
{
salt->salt_buf[i] = byte_swap_32(timestamp);
}
// our salt will always be 8 bytes
salt->salt_len = 8;
return (PARSER_OK);
}
int pstoken_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
{
u32 *digest = (u32 *) hash_buf->digest;
@ -18387,6 +18457,7 @@ const char *strhashtype (const u32 hash_mode)
case 16800: return HT_16800;
case 16801: return HT_16801;
case 16900: return HT_16900;
case 17300: return HT_17300;
case 99999: return HT_99999;
}
@ -22102,6 +22173,14 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le
byte_swap_32 (digest_buf[6]),
byte_swap_32 (digest_buf[7]));
}
else if (hash_mode == 17300)
{
// salt_buf[1] holds our 32 bit value. salt_buf[0] and salt_buf[1] would be 64 bits.
// for now, we only need to worry about 32 bit counters.
// we also need to multiply salt by our step to see the floor of our original timestamp range.
// again, we will use the default RFC 6238 step of 30.
snprintf (out_buf, out_len - 1, "%d:%d", digest_buf[1], byte_swap_32(salt.salt_buf[1]) * 30);
}
else if (hash_mode == 99999)
{
char *ptr = (char *) digest_buf;
@ -27299,6 +27378,25 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
break;
case 17300: hashconfig->hash_type = HASH_TYPE_SHA1;
hashconfig->salt_type = SALT_TYPE_EMBEDDED;
hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL;
hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_BE
| OPTS_TYPE_PT_ADD80
| OPTS_TYPE_PT_ADDBITS15;
hashconfig->kern_type = KERN_TYPE_TOTP_HMACSHA1;
hashconfig->dgst_size = DGST_SIZE_4_5;
hashconfig->parse_func = totp_parse_hash;
hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE
| OPTI_TYPE_NOT_ITERATED;
hashconfig->dgst_pos0 = 1;
hashconfig->dgst_pos1 = 2;
hashconfig->dgst_pos2 = 3;
hashconfig->dgst_pos3 = 4;
hashconfig->st_hash = ST_HASH_17300;
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
break;
case 99999: hashconfig->hash_type = HASH_TYPE_PLAINTEXT;
hashconfig->salt_type = SALT_TYPE_NONE;
hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL;

View File

@ -170,6 +170,7 @@ static const char *const USAGE_BIG[] =
" 60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated",
" 150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated",
" 160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated",
" 17300 | TOTP (HMAC-SHA1) | Raw Hash, Authenticated",
" 1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated",
" 1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated",
" 1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated",