From 977b560bb45bf6bf3e8124b364a45429cd6d9dd4 Mon Sep 17 00:00:00 2001 From: unix-ninja Date: Tue, 2 Oct 2018 11:01:54 -0400 Subject: [PATCH] Add support for TOTP (RFC 6238) --- OpenCL/m17300_a3-pure.cl | 225 +++++++++++++++++++++++++++++++++++++++ include/interface.h | 1 + src/hashes.c | 15 +++ src/interface.c | 98 +++++++++++++++++ src/usage.c | 1 + 5 files changed, 340 insertions(+) create mode 100644 OpenCL/m17300_a3-pure.cl diff --git a/OpenCL/m17300_a3-pure.cl b/OpenCL/m17300_a3-pure.cl new file mode 100644 index 000000000..eba26ad84 --- /dev/null +++ b/OpenCL/m17300_a3-pure.cl @@ -0,0 +1,225 @@ +/** + * Author......: See docs/credits.txt + * License.....: MIT + */ + +#define NEW_SIMD_CODE + +#include "inc_vendor.cl" +#include "inc_hash_constants.h" +#include "inc_hash_functions.cl" +#include "inc_types.cl" +#include "inc_common.cl" +#include "inc_simd.cl" +#include "inc_hash_sha1.cl" + +__kernel void m17300_mxx (__global pw_t *pws, __global const kernel_rule_t *rules_buf, __global const pw_t *combs_buf, __constant const u32x *words_buf_r, __global void *tmps, __global void *hooks, __global const u32 *bitmaps_buf_s1_a, __global const u32 *bitmaps_buf_s1_b, __global const u32 *bitmaps_buf_s1_c, __global const u32 *bitmaps_buf_s1_d, __global const u32 *bitmaps_buf_s2_a, __global const u32 *bitmaps_buf_s2_b, __global const u32 *bitmaps_buf_s2_c, __global const u32 *bitmaps_buf_s2_d, __global plain_t *plains_buf, __global const digest_t *digests_buf, __global u32 *hashes_shown, __global const salt_t *salt_bufs, __global const void *esalt_bufs, __global u32 *d_return_buf, __global u32 *d_scryptV0_buf, __global u32 *d_scryptV1_buf, __global u32 *d_scryptV2_buf, __global u32 *d_scryptV3_buf, const u32 bitmap_mask, const u32 bitmap_shift1, const u32 bitmap_shift2, const u32 salt_pos, const u32 loop_pos, const u32 loop_cnt, const u32 il_cnt, const u32 digests_cnt, const u32 digests_offset, const u32 combs_mode, const u64 gid_max) +{ + /** + * modifier + */ + + const u64 lid = get_local_id (0); + const u64 gid = get_global_id (0); + + if (gid >= gid_max) return; + + /** + * base + */ + + const u32 pw_len = pws[gid].pw_len; + + u32x w[64] = { 0 }; + + for (int i = 0, idx = 0; i < pw_len; i += 4, idx += 1) + { + w[idx] = pws[gid].i[idx]; + } + + const u32 salt_len = salt_bufs[salt_pos].salt_len; + + u32x s[64] = { 0 }; + + for (int i = 0, idx = 0; i < salt_len; i += 4, idx += 1) + { + s[idx] = swap32_S (salt_bufs[salt_pos].salt_buf[idx]); + } + + /** + * loop + */ + + u32x w0l = w[0]; + + for (u32 il_pos = 0; il_pos < il_cnt; il_pos += VECT_SIZE) + { + const u32x w0r = words_buf_r[il_pos / VECT_SIZE]; + + const u32x w0 = w0l | w0r; + + w[0] = w0; + + sha1_hmac_ctx_vector_t ctx; + + sha1_hmac_init_vector (&ctx, w, pw_len); + + sha1_hmac_update_vector (&ctx, s, salt_len); + + sha1_hmac_final_vector (&ctx); + + // ------- PUT TOTP HERE ------- // + // calculate the offset using the least 4 bits of the last byte of our hash + const int otp_offset = ctx.opad.h[4] & 0xf; + + // initialize a buffer for the otp code + unsigned int otp_code = 0; + + // grab 4 consecutive bytes of the hash, starting at offset + switch(otp_offset%4) + { + case 1: + otp_code = ((ctx.opad.h[otp_offset/4] & 0xffffff) << 8) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 24); + break; + case 2: + otp_code = ((ctx.opad.h[otp_offset/4] & 0xffff) << 16) | ((ctx.opad.h[otp_offset/4+1] % 0xffff0000) >> 16); + break; + case 3: + otp_code = ((ctx.opad.h[otp_offset/4] & 0xff) << 24) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 8); + break; + default: + otp_code = ctx.opad.h[otp_offset/4]; + break; + } + // take only the lower 31 bits + otp_code &= 0x7fffffff; + // we want to generate only 6 digits of code + otp_code %= 1000000; + + const u32x r0 = ctx.opad.h[DGST_R0]; + const u32x r1 = ctx.opad.h[DGST_R1]; + const u32x r2 = ctx.opad.h[DGST_R2]; + const u32x r3 = ctx.opad.h[DGST_R3]; + + COMPARE_M_SIMD (otp_code, 0, 0, 0); + //COMPARE_M_SIMD (r0, r1, r2, r3); + } +} + +__kernel void m17300_sxx (__global pw_t *pws, __global const kernel_rule_t *rules_buf, __global const pw_t *combs_buf, __constant const u32x *words_buf_r, __global void *tmps, __global void *hooks, __global const u32 *bitmaps_buf_s1_a, __global const u32 *bitmaps_buf_s1_b, __global const u32 *bitmaps_buf_s1_c, __global const u32 *bitmaps_buf_s1_d, __global const u32 *bitmaps_buf_s2_a, __global const u32 *bitmaps_buf_s2_b, __global const u32 *bitmaps_buf_s2_c, __global const u32 *bitmaps_buf_s2_d, __global plain_t *plains_buf, __global const digest_t *digests_buf, __global u32 *hashes_shown, __global const salt_t *salt_bufs, __global const void *esalt_bufs, __global u32 *d_return_buf, __global u32 *d_scryptV0_buf, __global u32 *d_scryptV1_buf, __global u32 *d_scryptV2_buf, __global u32 *d_scryptV3_buf, const u32 bitmap_mask, const u32 bitmap_shift1, const u32 bitmap_shift2, const u32 salt_pos, const u32 loop_pos, const u32 loop_cnt, const u32 il_cnt, const u32 digests_cnt, const u32 digests_offset, const u32 combs_mode, const u64 gid_max) +{ + /** + * modifier + */ + + const u64 lid = get_local_id (0); + const u64 gid = get_global_id (0); + + if (gid >= gid_max) return; + + /** + * digest + */ + + const u32 search[4] = + { + digests_buf[digests_offset].digest_buf[DGST_R0], + digests_buf[digests_offset].digest_buf[DGST_R1], + digests_buf[digests_offset].digest_buf[DGST_R2], + digests_buf[digests_offset].digest_buf[DGST_R3] + }; + + /** + * base + */ + + const u32 pw_len = pws[gid].pw_len; + + u32x w[64] = { 0 }; + + for (int i = 0, idx = 0; i < pw_len; i += 4, idx += 1) + { + w[idx] = pws[gid].i[idx]; + } + + const u32 salt_len = salt_bufs[salt_pos].salt_len; + + u32x s[64] = { 0 }; + + for (int i = 0, idx = 0; i < salt_len; i += 4, idx += 1) + { + s[idx] = swap32_S (salt_bufs[salt_pos].salt_buf[idx]); + } + + /** + * loop + */ + + u32x w0l = w[0]; + + for (u32 il_pos = 0; il_pos < il_cnt; il_pos += VECT_SIZE) + { + const u32x w0r = words_buf_r[il_pos / VECT_SIZE]; + + const u32x w0 = w0l | w0r; + + w[0] = w0; + + sha1_hmac_ctx_vector_t ctx; + + sha1_hmac_init_vector (&ctx, w, pw_len); + + sha1_hmac_update_vector (&ctx, s, salt_len); + + sha1_hmac_final_vector (&ctx); + //printf("%d ", sizeof(ctx.opad.h)); + + // ------- PUT TOTP HERE ------- // + // calculate the offset using the least 4 bits of the last byte of our hash + const int otp_offset = ctx.opad.h[4] & 0xf; + + // initialize a buffer for the otp code + unsigned int otp_code = 0; + + // grab 4 consecutive bytes of the hash, starting at offset + switch(otp_offset%4) + { + case 1: + otp_code = ((ctx.opad.h[otp_offset/4] & 0xffffff) << 8) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 24); + break; + case 2: + otp_code = ((ctx.opad.h[otp_offset/4] & 0xffff) << 16) | ((ctx.opad.h[otp_offset/4+1] % 0xffff0000) >> 16); + break; + case 3: + otp_code = ((ctx.opad.h[otp_offset/4] & 0xff) << 24) | ((ctx.opad.h[otp_offset/4+1] % 0xffffff00) >> 8); + break; + default: + otp_code = ctx.opad.h[otp_offset/4]; + break; + } + // take only the lower 31 bits + otp_code &= 0x7fffffff; + // we want to generate only 6 digits of code + otp_code %= 1000000; + + const u32x r0 = ctx.opad.h[DGST_R0]; + const u32x r1 = ctx.opad.h[DGST_R1]; + const u32x r2 = ctx.opad.h[DGST_R2]; + const u32x r3 = ctx.opad.h[DGST_R3]; + + if( ctx.opad.h[0] == 0xc085d274) + //if( ctx.opad.h[0] == 0x50184678) + //if( ctx.opad.h[0] == 0x8e664b2e) + { + //printf(" [[ %d %d %d %d ]]\n ", ctx.opad.h[otp_offset], ctx.opad.h[otp_offset +1], ctx.opad.h[otp_offset +2], ctx.opad.h[otp_offset +3]); + //printf(" MAXX:: %d %d\n", pw_len, salt_len); + //printf(" SRCH:: %x\n", search[0]); + //printf(" SRCH:: %x\n", search[1]); + //printf(" SRCH:: %x\n", search[2]); + //printf(" SRCH:: %x\n", search[3]); + //printf(" CODE:: %x\n", otp_code); + } + COMPARE_S_SIMD (otp_code, 0, 0, 0); + //COMPARE_S_SIMD (r0, r1, r2, r3); + } +} diff --git a/include/interface.h b/include/interface.h index aac00b010..7d11a37e1 100644 --- a/include/interface.h +++ b/include/interface.h @@ -1325,6 +1325,7 @@ typedef enum kern_type KERN_TYPE_WPA_PMKID_PBKDF2 = 16800, KERN_TYPE_WPA_PMKID_PMK = 16801, KERN_TYPE_ANSIBLE_VAULT = 16900, + KERN_TYPE_TOTP_HMACSHA1 = 17300, KERN_TYPE_PLAINTEXT = 99999, } kern_type_t; diff --git a/src/hashes.c b/src/hashes.c index 6ec376dea..7ade9faac 100644 --- a/src/hashes.c +++ b/src/hashes.c @@ -275,6 +275,21 @@ void check_hash (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, pl build_plain (hashcat_ctx, device_param, plain, plain_buf, &plain_len); + // TOTP should be base32 encoded + if (hashcat_ctx->hashconfig->hash_mode == KERN_TYPE_TOTP_HMACSHA1) + { + // we need a temp buffer for the base32 encoding + u32 temp_buf[64] = { 0 }; + u8 *temp_ptr = (u8 *) temp_buf; + + // encode our plain + base32_encode (int_to_base32, (const u8 *) plain_ptr, plain_len, (u8 *) temp_buf); + plain_len = strlen((const char *) temp_buf); + + // copy the base32 content into our plain buffer + plain_ptr = (u8 *) strdup((const char *) temp_ptr); + } + // crackpos u64 crackpos = 0; diff --git a/src/interface.c b/src/interface.c index f00829970..1ad8cbeb2 100644 --- a/src/interface.c +++ b/src/interface.c @@ -281,6 +281,7 @@ static const char *ST_HASH_16700 = "$fvde$1$16$84286044060108438487434858307513$ static const char *ST_HASH_16800 = "2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a"; static const char *ST_HASH_16801 = "2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4"; static const char *ST_HASH_16900 = "$ansible$0*0*6b761adc6faeb0cc0bf197d3d4a4a7d3f1682e4b169cae8fa6b459b3214ed41e*426d313c5809d4a80a4b9bc7d4823070*d8bad190c7fbc7c3cb1c60a27abfb0ff59d6fb73178681c7454d94a0f56a4360"; +static const char *ST_HASH_17300 = "597056:3600"; static const char *ST_HASH_99999 = "hashcat"; static const char *OPTI_STR_OPTIMIZED_KERNEL = "Optimized-Kernel"; @@ -529,6 +530,7 @@ static const char *HT_16700 = "FileVault 2"; static const char *HT_16800 = "WPA-PMKID-PBKDF2"; static const char *HT_16801 = "WPA-PMKID-PMK"; static const char *HT_16900 = "Ansible Vault"; +static const char *HT_17300 = "TOTP (HMAC-SHA1)"; static const char *HT_99999 = "Plaintext"; static const char *HT_00011 = "Joomla < 2.5.18"; @@ -5142,6 +5144,74 @@ int sha1s_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUS return (PARSER_OK); } +int totp_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) +{ + // this is going to start off like HMAC-SHA1 + u32 *digest = (u32 *) hash_buf->digest; + + salt_t *salt = hash_buf->salt; + + token_t token; + + token.token_cnt = 2; + + token.sep[0] = hashconfig->separator; + token.len_min[0] = 6; + token.len_max[0] = 6; + token.attr[0] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + token.len_min[1] = SALT_MIN; + token.len_max[1] = SALT_MAX; + token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH; + + if (hashconfig->opts_type & OPTS_TYPE_ST_HEX) + { + token.len_min[1] *= 2; + token.len_max[1] *= 2; + + token.attr[1] |= TOKEN_ATTR_VERIFY_HEX; + } + + const int rc_tokenizer = input_tokenizer (input_buf, input_len, &token); + + // now we need to reduce our hash into a token + int otp_code = 0; + for (int i = 0; i < 6; i++) + { + otp_code = otp_code * 10 + itoa32_to_int(input_buf[i]); + } + if (rc_tokenizer != PARSER_OK) return (rc_tokenizer); + + u8 *hash_pos = token.buf[0]; + + digest[1] = otp_code; + + u8 *salt_pos = token.buf[1]; + int salt_len = token.len[1]; + + // convert ascii timestamp to ulong timestamp + unsigned long timestamp = 0; + for(int i = 0; i>= 32) + { + salt->salt_buf[i] = byte_swap_32(timestamp); + } + + // our salt will always be 8 bytes + salt->salt_len = 8; + + return (PARSER_OK); +} + int pstoken_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) { u32 *digest = (u32 *) hash_buf->digest; @@ -18387,6 +18457,7 @@ const char *strhashtype (const u32 hash_mode) case 16800: return HT_16800; case 16801: return HT_16801; case 16900: return HT_16900; + case 17300: return HT_17300; case 99999: return HT_99999; } @@ -22102,6 +22173,14 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le byte_swap_32 (digest_buf[6]), byte_swap_32 (digest_buf[7])); } + else if (hash_mode == 17300) + { + // salt_buf[1] holds our 32 bit value. salt_buf[0] and salt_buf[1] would be 64 bits. + // for now, we only need to worry about 32 bit counters. + // we also need to multiply salt by our step to see the floor of our original timestamp range. + // again, we will use the default RFC 6238 step of 30. + snprintf (out_buf, out_len - 1, "%d:%d", digest_buf[1], byte_swap_32(salt.salt_buf[1]) * 30); + } else if (hash_mode == 99999) { char *ptr = (char *) digest_buf; @@ -27299,6 +27378,25 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx) hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN; break; + case 17300: hashconfig->hash_type = HASH_TYPE_SHA1; + hashconfig->salt_type = SALT_TYPE_EMBEDDED; + hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL; + hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_BE + | OPTS_TYPE_PT_ADD80 + | OPTS_TYPE_PT_ADDBITS15; + hashconfig->kern_type = KERN_TYPE_TOTP_HMACSHA1; + hashconfig->dgst_size = DGST_SIZE_4_5; + hashconfig->parse_func = totp_parse_hash; + hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE + | OPTI_TYPE_NOT_ITERATED; + hashconfig->dgst_pos0 = 1; + hashconfig->dgst_pos1 = 2; + hashconfig->dgst_pos2 = 3; + hashconfig->dgst_pos3 = 4; + hashconfig->st_hash = ST_HASH_17300; + hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN; + break; + case 99999: hashconfig->hash_type = HASH_TYPE_PLAINTEXT; hashconfig->salt_type = SALT_TYPE_NONE; hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL; diff --git a/src/usage.c b/src/usage.c index e272e903d..8f8eb0a12 100644 --- a/src/usage.c +++ b/src/usage.c @@ -170,6 +170,7 @@ static const char *const USAGE_BIG[] = " 60 | HMAC-MD5 (key = $salt) | Raw Hash, Authenticated", " 150 | HMAC-SHA1 (key = $pass) | Raw Hash, Authenticated", " 160 | HMAC-SHA1 (key = $salt) | Raw Hash, Authenticated", + " 17300 | TOTP (HMAC-SHA1) | Raw Hash, Authenticated", " 1450 | HMAC-SHA256 (key = $pass) | Raw Hash, Authenticated", " 1460 | HMAC-SHA256 (key = $salt) | Raw Hash, Authenticated", " 1750 | HMAC-SHA512 (key = $pass) | Raw Hash, Authenticated",