
Add ios7tojohn.pl and docs for it.

magnumripper committed Jan 6, 2014
1 parent 7524c1b commit 3e080d833b419cb7748e92e4ded11352b692abb1
Showing with 83 additions and 0 deletions.
  1. +20 −0 doc/README.ios7
  2. +63 −0 run/ios7tojohn.pl
@@ -0,0 +1,20 @@
+Cracking IOS 7 restrictions PIN code
+====================================
+
+1. Fetch the file com.apple.restrictionspassword.plist from your phone. How
+ you do this is out of scope for this document, just google it.
+
+
+2. Run ios7tojohn on that file, redirecting output to a new file. Eg:
+
+ $ ./ios7tojohn com.apple.restrictionspassword.plist > ioshash
+
+
+3. Run john on the new file, only using four digits (it's a PIN code):
+
+ $ ./john ioshash -inc:digits -min-len=4 -max-len=4
+
+
+4. The password will get cracked in a split second. This is not because Apple
+ used a very poor hash mechanism but because the keyspace of a PIN code is
+ so very tiny.
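Review bot: the invocation in step 2 (`$ ./ios7tojohn com.apple.restrictionspassword.plist > ioshash`) does not match the file this commit adds, run/ios7tojohn.pl; either show `./ios7tojohn.pl` or say that the script is installed without the extension. It would also help to state the hash line the script writes (`$pbkdf2-hmac-sha1$1000.<salt>.<key>`, as documented in the script's header comment) so a reader can sanity-check the intermediate `ioshash` file before running john, and to spell out why step 4 holds: the PIN keyspace is 10^4 candidates, so even with 1000 PBKDF2 iterations per guess the run is instantaneous on any hardware.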
@@ -0,0 +1,63 @@
+#!/usr/bin/env perl -w
+#
+# This software is Copyright (c) 2014 magnum
+# and it is hereby released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+
+use strict;
+use MIME::Base64;
+use File::Basename;
+
+# Example input (from com.apple.restrictionspassword.plist):
+# <key>RestrictionsPasswordKey</key>
+# <data>
+# J94ZcXHm1J/F9Vye8GwNh1HNclA=
+# </data>
+# <key>RestrictionsPasswordSalt</key>
+# <data>
+# /RHN4A==
+# </data>
+#
+# Example output:
+# $pbkdf2-hmac-sha1$1000.fd11cde0.27de197171e6d49fc5f55c9ef06c0d8751cd7250
+
+die "Usage: $0 [file [file...]]\n" if ($#ARGV < 0);
+
+my ($type, $key, $salt) = ();
+
+while(<>) {
+ s/\r//g; # Drop Redmond Garbage[tm]
+ if (m#^\s*<key>(.*)Key</key>\s*$#) {
+ $type = $1;
+ next;
+ }
+ # Single line
+ if ($type && m#^\s*<data>([0-9a-zA-Z/.=]+)</data>\s*$#) {
+ my $data = $1;
+ if (!$key) {
+ $key = $data;
+ } elsif (!$salt) {
+ $salt = $data;
+ print "$type:\$pbkdf2-hmac-sha1\$1000.${salt}.${key}:::", basename($ARGV, ".plist"), "::${ARGV}\n";
+ $type = $key = $salt = undef;
+ next;
+ } else {
+ die "Error parsing file ${ARGV} line $.\n";
+ }
+ }
+ # Multi line (but all data on one line)
+ elsif ($type && m#^\s*<data>\s*$#) {
+ my $data = unpack("H*", decode_base64(<ARGV>));
+ if (!$key) {
+ $key = $data;
+ } elsif (!$salt) {
+ $salt = $data;
+ print "$type:\$pbkdf2-hmac-sha1\$1000.${salt}.${key}:::", basename($ARGV, ".plist"), "::${ARGV}\n";
+ $type = $key = $salt = undef;
+ next;
+ } else {
+ die "Error parsing file ${ARGV} line $.\n";
+ }
+ }
+}
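Review bot: the single-line `<data>` branch (`if ($type && m#^\s*<data>([0-9a-zA-Z/.=]+)</data>\s*$#)` followed by `$key = $data;`) stores the raw base64 text, whereas the multi-line branch decodes it with `unpack("H*", decode_base64(<ARGV>))`; the `$pbkdf2-hmac-sha1$1000.<salt>.<key>` format shown in the header comment carries hex, so a plist with inline `<data>` elements yields a hash john cannot load. Apply the same decode in both branches (or factor it into one helper, since the two blocks are otherwise identical), and widen the character class to include `+` (the base64 alphabet is `A-Za-z0-9+/=`, not `.`); as written, a key or salt containing `+` simply fails to match and the file is skipped with no error. Separately, `#!/usr/bin/env perl -w` passes `perl -w` to env as a single program name on Linux and fails to start; prefer `#!/usr/bin/env perl` with `use warnings;` next to `use strict;`.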

4 comments on commit 3e080d8

ios7hash Apr 5, 2014

Using this info, I created a web page to make brute forcing this a little easier... Just a bit slower!

http://ios7hash.derson.us

It even works from the iPad itself!

magnumripper Apr 5, 2014

Owner

Cool :-)

NineOneThree Oct 4, 2015

http://ios7hash.derson.us worked for me. I opened several windows with around 1000 per window and had it cracked in about an hour. I want to say thanks for the information here, it saved me a lot of stress and I will be writing down future passcodes somewhere 🔢

otto1 Jun 10, 2016

Is there also the possibility to extract the 6-digit passcode (lock screen) from an encrypted iPhone backup?