Support for Telegram Passcode (android) #1534

Open
Banaanhangwagen opened this Issue Feb 28, 2018 · 6 comments

Banaanhangwagen commented Feb 28, 2018

The popular chat-app Telegram has a feature in the settings-menu to protect the app with a passcode. The source code for this protection can be found on the Telegram-github (line 411).

One finds the passcodeHash and the passcodeSalt in the user file userconfig.xml.

When reading the code, it seemed to me that it is very easy to find the passcode. I wrote the following script to retrieve the passcode. See my Github-page for the details.

So, the used algorithm is sha256($salt:key:$salt) = $pass Correct?

Can this be added to Hashcat?

Contributor

magnumripper commented Feb 28, 2018

How long is that salt? Can you please provide a test vector with a known password?

Banaanhangwagen commented Feb 28, 2018

The salt is 16 bytes long. The key is 4 bytes. So in total it makes 16+4+16 bytes.

Testhash: a577888ff9a47b788e7f8f843d3a3e627b06684ffc89dddc2d7647e3dcf43703
Testsalt (base64 encoded): /gGQ5AXwllHCGxpp1aB1aA==
Passcode: 3033

Contributor

magnumripper commented Feb 28, 2018

Is it always 4 digits? A trivial CPU implementation or even a perl script exhausts that keyspace in a few seconds. Writing a GPU format for it would be a total waste of time.

If the key can be other characters, perhaps even Unicode ones, it makes a little more sense.

Banaanhangwagen commented Feb 28, 2018

Exactly, it is always 4 digits.

I understand your argument.
My script does the job in a couple of seconds. Because the Apple restrictions password is supported (plist2hashcat), I thought it would be cool to implement this one also...

Member

jsteube commented Mar 3, 2018

I think we can simply add sha256($salt . $pass . $salt), and add a loader on top of it. What's the native parser output of the hash and salt?

Banaanhangwagen commented Mar 4, 2018

I do not understand your question. Can you please reformulate?
I think you mean this:
The hash and salt are found in the userconfing.xml (typo intended);
passcodeHash is found in hex uppercase
passcodeSalt is found in base64
See real life examples in my first reply.
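
An added example, not code posted by any participant and not taken from hashcat: the scheme discussed in this thread, sha256($salt . $pass . $salt) with passcodeHash in uppercase hex and passcodeSalt in base64, plus a walk of the 4-digit keyspace that shows why a single fast hash gives a 4-digit passcode no protection once the file is readable. The record is constructed (salt bytes 0..15, passcode 4821) and all function names are assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

HEX_UPPER = set("0123456789ABCDEF")


def passcode_hash(salt: bytes, passcode: str) -> str:
    """sha256(salt . passcode . salt), as uppercase hex like the stored field."""
    data = salt + passcode.encode("utf-8") + salt
    return hashlib.sha256(data).hexdigest().upper()


def parse_record(hash_hex: str, salt_b64: str) -> Tuple[bytes, str]:
    """Validate and normalise the two fields described in the thread."""
    salt = base64.b64decode(salt_b64, validate=True)
    if len(salt) != 16:
        raise ValueError(f"expected a 16-byte salt, got {len(salt)} bytes")
    hash_hex = hash_hex.strip().upper()  # accept lowercase test vectors too
    if len(hash_hex) != 64 or not set(hash_hex) <= HEX_UPPER:
        raise ValueError("passcodeHash must be 64 hex characters")
    return salt, hash_hex


def verify(hash_hex: str, salt_b64: str, passcode: str) -> bool:
    """Check one candidate passcode against a stored record."""
    salt, expected = parse_record(hash_hex, salt_b64)
    return hmac.compare_digest(passcode_hash(salt, passcode), expected)


def exhaust_four_digits(hash_hex: str, salt_b64: str) -> Tuple[Optional[str], int]:
    """Walk 0000..9999; return (passcode or None, hashes computed)."""
    salt, expected = parse_record(hash_hex, salt_b64)
    for n in range(10_000):
        candidate = f"{n:04d}"
        if passcode_hash(salt, candidate) == expected:
            return candidate, n + 1
    return None, 10_000


# Constructed sample record (not from the thread).
SAMPLE_SALT = bytes(range(16))
SAMPLE_SALT_B64 = base64.b64encode(SAMPLE_SALT).decode("ascii")
SAMPLE_HASH = passcode_hash(SAMPLE_SALT, "4821")

if __name__ == "__main__":
    found, tried = exhaust_four_digits(SAMPLE_HASH, SAMPLE_SALT_B64)
    print(f"passcode={found} after {tried} SHA-256 computations")
```

The worst case is 10,000 SHA-256 computations, which is the basis of the point made above that a GPU format is unnecessary when the passcode is always 4 digits.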
