mirror of https://github.com/hashcat/hashcat.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
335 lines
16 KiB
335 lines
16 KiB
/**
|
|
* Author......: Robert Guetzkow
|
|
* License.....: MIT
|
|
*/
|
|
|
|
#include "common.h"
|
|
#include "types.h"
|
|
#include "modules.h"
|
|
#include "bitops.h"
|
|
#include "convert.h"
|
|
#include "shared.h"
|
|
|
|
static const u32 ATTACK_EXEC = ATTACK_EXEC_OUTSIDE_KERNEL;
|
|
static const u32 DGST_POS0 = 0;
|
|
static const u32 DGST_POS1 = 1;
|
|
static const u32 DGST_POS2 = 2;
|
|
static const u32 DGST_POS3 = 3;
|
|
static const u32 DGST_SIZE = DGST_SIZE_4_4;
|
|
static const u32 HASH_CATEGORY = HASH_CATEGORY_NETWORK_SERVER;
|
|
static const char *HASH_NAME = "KNX IP Secure - Device Authentication Code";
|
|
static const u64 KERN_TYPE = 25900;
|
|
static const u32 OPTI_TYPE = OPTI_TYPE_SLOW_HASH_SIMD_LOOP;
|
|
static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE
|
|
| OPTS_TYPE_DEEP_COMP_KERNEL;
|
|
static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED;
|
|
static const char *ST_PASS = "hashcat";
|
|
static const char *ST_HASH = "$knx-ip-secure-device-authentication-code$*3033*fa7c0d787a9467c209f0a6e7cf16069ed704f3959dce19e45d7935c0a91bce41*f927640d9bbe9a4b0b74dd3289ad41ec";
|
|
|
|
u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; }
|
|
u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; }
|
|
u32 module_dgst_pos1 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1; }
|
|
u32 module_dgst_pos2 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2; }
|
|
u32 module_dgst_pos3 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3; }
|
|
u32 module_dgst_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE; }
|
|
u32 module_hash_category (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY; }
|
|
const char *module_hash_name (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME; }
|
|
u64 module_kern_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE; }
|
|
u32 module_opti_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE; }
|
|
u64 module_opts_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE; }
|
|
u32 module_salt_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE; }
|
|
const char *module_st_hash (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH; }
|
|
const char *module_st_pass (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS; }
|
|
|
|
/* Details of the protocol design can be found in ISO 22510:2019 and the application notes published by the KNX Association. */
|
|
|
|
typedef struct blocks
|
|
{
|
|
u32 b1[4];
|
|
u32 b2[4];
|
|
u32 b3[4];
|
|
|
|
} blocks_t;
|
|
|
|
typedef struct pbkdf2_sha256_tmp
|
|
{
|
|
u32 ipad[8];
|
|
u32 opad[8];
|
|
|
|
u32 dgst[32];
|
|
u32 out[32];
|
|
|
|
} pbkdf2_sha256_tmp_t;
|
|
|
|
static const char *SIGNATURE_DEVICE_AUTHENTICATION_CODE = "$knx-ip-secure-device-authentication-code$";
|
|
static const char *SALT_DEVICE_AUTHENTICATION_CODE = "device-authentication-code.1.secure.ip.knx.org";
|
|
static const int ROUNDS_DEVICE_AUTHENTICATION_CODE = 65536;
|
|
|
|
char *module_jit_build_options (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra, MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED const hc_device_param_t *device_param)
|
|
{
|
|
char *jit_build_options = NULL;
|
|
|
|
// Extra treatment for Apple systems
|
|
if (device_param->opencl_platform_vendor_id == VENDOR_ID_APPLE)
|
|
{
|
|
return jit_build_options;
|
|
}
|
|
|
|
// NVIDIA GPU
|
|
if (device_param->opencl_device_vendor_id == VENDOR_ID_NV)
|
|
{
|
|
hc_asprintf (&jit_build_options, "-D _unroll");
|
|
}
|
|
|
|
// HIP
|
|
if (device_param->opencl_device_vendor_id == VENDOR_ID_AMD_USE_HIP)
|
|
{
|
|
hc_asprintf (&jit_build_options, "-D _unroll");
|
|
}
|
|
|
|
// ROCM
|
|
if ((device_param->opencl_device_vendor_id == VENDOR_ID_AMD) && (device_param->has_vperm == true))
|
|
{
|
|
hc_asprintf (&jit_build_options, "-D _unroll");
|
|
}
|
|
|
|
return jit_build_options;
|
|
}
|
|
|
|
u32 module_deep_comp_kernel (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED const u32 salt_pos, MAYBE_UNUSED const u32 digest_pos)
|
|
{
|
|
return KERN_RUN_3;
|
|
}
|
|
|
|
u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
|
|
{
|
|
const u64 esalt_size = (const u64) sizeof (blocks_t);
|
|
|
|
return esalt_size;
|
|
}
|
|
|
|
u64 module_tmp_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
|
|
{
|
|
const u64 tmp_size = (const u64) sizeof (pbkdf2_sha256_tmp_t);
|
|
|
|
return tmp_size;
|
|
}
|
|
|
|
u32 module_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
|
|
{
|
|
// The ETS 5 allows a maximum of 20 ASCII characters for the password used to derive the device authentication code.
|
|
const u32 pw_max = 20;
|
|
|
|
return pw_max;
|
|
}
|
|
|
|
int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED void *hook_salt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len)
|
|
{
|
|
u32 *digest = (u32 *) digest_buf;
|
|
|
|
blocks_t *blocks = (blocks_t *) esalt_buf;
|
|
|
|
hc_token_t token;
|
|
|
|
token.token_cnt = 4;
|
|
|
|
token.signatures_cnt = 1;
|
|
token.signatures_buf[0] = SIGNATURE_DEVICE_AUTHENTICATION_CODE;
|
|
|
|
// Signature
|
|
token.sep[0] = '*';
|
|
token.len_min[0] = 42;
|
|
token.len_max[0] = 42;
|
|
token.attr[0] = TOKEN_ATTR_VERIFY_LENGTH
|
|
| TOKEN_ATTR_VERIFY_SIGNATURE;
|
|
|
|
// Secure Session Identifier (from SESSION_RESPONSE)
|
|
token.sep[1] = '*';
|
|
token.len_min[1] = 4;
|
|
token.len_max[1] = 4;
|
|
token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH
|
|
| TOKEN_ATTR_VERIFY_HEX;
|
|
|
|
// XOR of Client Public Value X (from SESSION_REQUEST)
|
|
// and Server Public Value Y (from SESSION_RESPONSE)
|
|
token.sep[2] = '*';
|
|
token.len_min[2] = 64;
|
|
token.len_max[2] = 64;
|
|
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH
|
|
| TOKEN_ATTR_VERIFY_HEX;
|
|
|
|
// Message Authentication Code (from SESSION_RESPONSE)
|
|
token.sep[3] = '*';
|
|
token.len_min[3] = 32;
|
|
token.len_max[3] = 32;
|
|
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
|
|
| TOKEN_ATTR_VERIFY_HEX;
|
|
|
|
const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token);
|
|
|
|
if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
|
|
|
|
const u8 *secure_session_identifier_pos = token.buf[1];
|
|
const int secure_session_identifier_len = token.len[1];
|
|
|
|
const u8 *public_value_xor_pos = token.buf[2];
|
|
const int public_value_xor_len = token.len[2];
|
|
|
|
const u8 *mac_pos = token.buf[3];
|
|
|
|
u8 secure_session_identifier[2];
|
|
u8 public_value_xor[32];
|
|
|
|
hex_decode (secure_session_identifier_pos, secure_session_identifier_len, (u8 *) &secure_session_identifier);
|
|
hex_decode (public_value_xor_pos, public_value_xor_len, (u8 *) &public_value_xor);
|
|
|
|
digest[0] = hex_to_u32 ((const u8 *) &mac_pos[0]);
|
|
digest[1] = hex_to_u32 ((const u8 *) &mac_pos[8]);
|
|
digest[2] = hex_to_u32 ((const u8 *) &mac_pos[16]);
|
|
digest[3] = hex_to_u32 ((const u8 *) &mac_pos[24]);
|
|
|
|
u8 b1[16] = { 0x00, //-x Length of the associated data
|
|
0x28, //_|
|
|
0x06, //-x KNX IP Secure header of SESSION_RESPONSE
|
|
0x10, // |
|
|
0x09, // |
|
|
0x52, // |
|
|
0x00, // |
|
|
0x38, //_|
|
|
secure_session_identifier[0],
|
|
secure_session_identifier[1],
|
|
public_value_xor[0],
|
|
public_value_xor[1],
|
|
public_value_xor[2],
|
|
public_value_xor[3],
|
|
public_value_xor[4],
|
|
public_value_xor[5] };
|
|
memcpy (blocks->b1, b1, sizeof (b1));
|
|
|
|
memcpy (blocks->b2, &public_value_xor[6], 16);
|
|
|
|
// The bytes that don't get set are zero padding
|
|
memset (blocks->b3, 0, 16);
|
|
memcpy (blocks->b3, &public_value_xor[22], 10);
|
|
|
|
// The salt used in the derivation of the device authentication code is constant
|
|
size_t salt_len = strlen (SALT_DEVICE_AUTHENTICATION_CODE); // exclude the null byte
|
|
memcpy (salt->salt_buf, SALT_DEVICE_AUTHENTICATION_CODE, salt_len);
|
|
salt->salt_len = salt_len;
|
|
salt->salt_iter = ROUNDS_DEVICE_AUTHENTICATION_CODE - 1;
|
|
|
|
return (PARSER_OK);
|
|
}
|
|
|
|
int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const void *hook_salt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size)
|
|
{
|
|
const u32 *digest = (const u32 *) digest_buf;
|
|
|
|
blocks_t *blocks = (blocks_t *) esalt_buf;
|
|
|
|
u8 secure_session_identifier[2];
|
|
u8 secure_session_identifier_hex[5] = { 0 };
|
|
u8 public_value_xor[32];
|
|
u8 public_value_xor_hex[65] = { 0 };
|
|
|
|
memcpy (secure_session_identifier, &(blocks->b1[2]), 2);
|
|
|
|
memcpy (&public_value_xor[ 0], ((u8 *) &blocks->b1[2]) + 2, 6);
|
|
memcpy (&public_value_xor[ 6], &(blocks->b2[0]), 16);
|
|
memcpy (&public_value_xor[22], &(blocks->b3[0]), 10);
|
|
|
|
hex_encode (secure_session_identifier, 2, secure_session_identifier_hex);
|
|
hex_encode (public_value_xor, 32, public_value_xor_hex);
|
|
|
|
const int line_len = snprintf (line_buf, line_size, "%s*%s*%s*%08x%08x%08x%08x",
|
|
SIGNATURE_DEVICE_AUTHENTICATION_CODE,
|
|
secure_session_identifier_hex,
|
|
public_value_xor_hex,
|
|
byte_swap_32 (digest[0]),
|
|
byte_swap_32 (digest[1]),
|
|
byte_swap_32 (digest[2]),
|
|
byte_swap_32 (digest[3])
|
|
);
|
|
|
|
return line_len;
|
|
}
|
|
|
|
void module_init (module_ctx_t *module_ctx)
|
|
{
|
|
module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT;
|
|
module_ctx->module_interface_version = MODULE_INTERFACE_VERSION_CURRENT;
|
|
|
|
module_ctx->module_attack_exec = module_attack_exec;
|
|
module_ctx->module_benchmark_esalt = MODULE_DEFAULT;
|
|
module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT;
|
|
module_ctx->module_benchmark_mask = MODULE_DEFAULT;
|
|
module_ctx->module_benchmark_salt = MODULE_DEFAULT;
|
|
module_ctx->module_build_plain_postprocess = MODULE_DEFAULT;
|
|
module_ctx->module_deep_comp_kernel = module_deep_comp_kernel;
|
|
module_ctx->module_deprecated_notice = MODULE_DEFAULT;
|
|
module_ctx->module_dgst_pos0 = module_dgst_pos0;
|
|
module_ctx->module_dgst_pos1 = module_dgst_pos1;
|
|
module_ctx->module_dgst_pos2 = module_dgst_pos2;
|
|
module_ctx->module_dgst_pos3 = module_dgst_pos3;
|
|
module_ctx->module_dgst_size = module_dgst_size;
|
|
module_ctx->module_dictstat_disable = MODULE_DEFAULT;
|
|
module_ctx->module_esalt_size = module_esalt_size;
|
|
module_ctx->module_extra_buffer_size = MODULE_DEFAULT;
|
|
module_ctx->module_extra_tmp_size = MODULE_DEFAULT;
|
|
module_ctx->module_extra_tuningdb_block = MODULE_DEFAULT;
|
|
module_ctx->module_forced_outfile_format = MODULE_DEFAULT;
|
|
module_ctx->module_hash_binary_count = MODULE_DEFAULT;
|
|
module_ctx->module_hash_binary_parse = MODULE_DEFAULT;
|
|
module_ctx->module_hash_binary_save = MODULE_DEFAULT;
|
|
module_ctx->module_hash_decode_postprocess = MODULE_DEFAULT;
|
|
module_ctx->module_hash_decode_potfile = MODULE_DEFAULT;
|
|
module_ctx->module_hash_decode_zero_hash = MODULE_DEFAULT;
|
|
module_ctx->module_hash_decode = module_hash_decode;
|
|
module_ctx->module_hash_encode_status = MODULE_DEFAULT;
|
|
module_ctx->module_hash_encode_potfile = MODULE_DEFAULT;
|
|
module_ctx->module_hash_encode = module_hash_encode;
|
|
module_ctx->module_hash_init_selftest = MODULE_DEFAULT;
|
|
module_ctx->module_hash_mode = MODULE_DEFAULT;
|
|
module_ctx->module_hash_category = module_hash_category;
|
|
module_ctx->module_hash_name = module_hash_name;
|
|
module_ctx->module_hashes_count_min = MODULE_DEFAULT;
|
|
module_ctx->module_hashes_count_max = MODULE_DEFAULT;
|
|
module_ctx->module_hlfmt_disable = MODULE_DEFAULT;
|
|
module_ctx->module_hook_extra_param_size = MODULE_DEFAULT;
|
|
module_ctx->module_hook_extra_param_init = MODULE_DEFAULT;
|
|
module_ctx->module_hook_extra_param_term = MODULE_DEFAULT;
|
|
module_ctx->module_hook12 = MODULE_DEFAULT;
|
|
module_ctx->module_hook23 = MODULE_DEFAULT;
|
|
module_ctx->module_hook_salt_size = MODULE_DEFAULT;
|
|
module_ctx->module_hook_size = MODULE_DEFAULT;
|
|
module_ctx->module_jit_build_options = module_jit_build_options;
|
|
module_ctx->module_jit_cache_disable = MODULE_DEFAULT;
|
|
module_ctx->module_kernel_accel_max = MODULE_DEFAULT;
|
|
module_ctx->module_kernel_accel_min = MODULE_DEFAULT;
|
|
module_ctx->module_kernel_loops_max = MODULE_DEFAULT;
|
|
module_ctx->module_kernel_loops_min = MODULE_DEFAULT;
|
|
module_ctx->module_kernel_threads_max = MODULE_DEFAULT;
|
|
module_ctx->module_kernel_threads_min = MODULE_DEFAULT;
|
|
module_ctx->module_kern_type = module_kern_type;
|
|
module_ctx->module_kern_type_dynamic = MODULE_DEFAULT;
|
|
module_ctx->module_opti_type = module_opti_type;
|
|
module_ctx->module_opts_type = module_opts_type;
|
|
module_ctx->module_outfile_check_disable = MODULE_DEFAULT;
|
|
module_ctx->module_outfile_check_nocomp = MODULE_DEFAULT;
|
|
module_ctx->module_potfile_custom_check = MODULE_DEFAULT;
|
|
module_ctx->module_potfile_disable = MODULE_DEFAULT;
|
|
module_ctx->module_potfile_keep_all_hashes = MODULE_DEFAULT;
|
|
module_ctx->module_pwdump_column = MODULE_DEFAULT;
|
|
module_ctx->module_pw_max = module_pw_max;
|
|
module_ctx->module_pw_min = MODULE_DEFAULT;
|
|
module_ctx->module_salt_max = MODULE_DEFAULT;
|
|
module_ctx->module_salt_min = MODULE_DEFAULT;
|
|
module_ctx->module_salt_type = module_salt_type;
|
|
module_ctx->module_separator = MODULE_DEFAULT;
|
|
module_ctx->module_st_hash = module_st_hash;
|
|
module_ctx->module_st_pass = module_st_pass;
|
|
module_ctx->module_tmp_size = module_tmp_size;
|
|
module_ctx->module_unstable_warning = MODULE_DEFAULT;
|
|
module_ctx->module_warmup_disable = MODULE_DEFAULT;
|
|
}
|