Commit
1 parent 7524c1b
commit 3e080d8
Showing 2 changed files with 83 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
Cracking IOS 7 restrictions PIN code | ||
==================================== | ||
|
||
1. Fetch the file com.apple.restrictionspassword.plist from your phone. How | ||
you do this is out of scope for this document, just google it. | ||
|
||
|
||
2. Run ios7tojohn on that file, redirecting output to a new file. Eg: | ||
|
||
$ ./ios7tojohn com.apple.restrictionspassword.plist > ioshash | ||
|
||
|
||
3. Run john on the new file, only using four digits (it's a PIN code): | ||
|
||
$ ./john ioshash -inc:digits -min-len=4 -max-len=4 | ||
|
||
|
||
4. The password will get cracked in a split second. This is not because Apple | ||
used a very poor hash mechanism but because the keyspace of a PIN code is | ||
so very tiny. |
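Review bot: Step 2 does not say that the plist must be in XML text form, yet ios7tojohn only matches literal `<key>` and `<data>` lines, so a binary plist would produce an empty ioshash without any error. Add a sentence to step 2 stating that the input has to be an XML plist and should be converted first if it is not, and have step 1 name where the file is found instead of "just google it". The title should read "iOS 7" rather than "IOS 7", and "Eg:" should be "E.g.:".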
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
#!/usr/bin/env perl -w | ||
# | ||
# This software is Copyright (c) 2014 magnum | ||
# and it is hereby released to the general public under the following terms: | ||
# Redistribution and use in source and binary forms, with or without | ||
# modification, are permitted. | ||
|
||
use strict; | ||
use MIME::Base64; | ||
use File::Basename; | ||
|
||
# Example input (from com.apple.restrictionspassword.plist): | ||
# <key>RestrictionsPasswordKey</key> | ||
# <data> | ||
# J94ZcXHm1J/F9Vye8GwNh1HNclA= | ||
# </data> | ||
# <key>RestrictionsPasswordSalt</key> | ||
# <data> | ||
# /RHN4A== | ||
# </data> | ||
# | ||
# Example output: | ||
# $pbkdf2-hmac-sha1$1000.fd11cde0.27de197171e6d49fc5f55c9ef06c0d8751cd7250 | ||
|
||
die "Usage: $0 [file [file...]]\n" if ($#ARGV < 0); | ||
|
||
my ($type, $key, $salt) = (); | ||
|
||
while(<>) { | ||
s/\r//g; # Drop Redmond Garbage[tm] | ||
if (m#^\s*<key>(.*)Key</key>\s*$#) { | ||
$type = $1; | ||
next; | ||
} | ||
# Single line | ||
if ($type && m#^\s*<data>([0-9a-zA-Z/.=]+)</data>\s*$#) { | ||
my $data = $1; | ||
if (!$key) { | ||
$key = $data; | ||
} elsif (!$salt) { | ||
$salt = $data; | ||
print "$type:\$pbkdf2-hmac-sha1\$1000.${salt}.${key}:::", basename($ARGV, ".plist"), "::${ARGV}\n"; | ||
$type = $key = $salt = undef; | ||
next; | ||
} else { | ||
die "Error parsing file ${ARGV} line $.\n"; | ||
} | ||
} | ||
# Multi line (but all data on one line) | ||
elsif ($type && m#^\s*<data>\s*$#) { | ||
my $data = unpack("H*", decode_base64(<ARGV>)); | ||
if (!$key) { | ||
$key = $data; | ||
} elsif (!$salt) { | ||
$salt = $data; | ||
print "$type:\$pbkdf2-hmac-sha1\$1000.${salt}.${key}:::", basename($ARGV, ".plist"), "::${ARGV}\n"; | ||
$type = $key = $salt = undef; | ||
next; | ||
} else { | ||
die "Error parsing file ${ARGV} line $.\n"; | ||
} | ||
} | ||
} |
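Review bot: The single-line `<data>` branch keeps the captured text as-is (`my $data = $1;`), so salt and key stay base64 there, while the multi-line branch converts them with `unpack("H*", decode_base64(<ARGV>))`; a plist with `<data>...</data>` on one line would emit a hash whose salt and key fields are not hex, unlike the example output in the header comment. Apply the same decode-and-hex conversion in both branches (a small shared helper would also remove the duplicated print/reset block), and fix the character class `[0-9a-zA-Z/.=]`, which omits `+` (valid base64) and allows `.` (not base64). Two smaller points: `#!/usr/bin/env perl -w` hands `perl -w` to env as a single argument on Linux, so `use warnings;` is the portable way to enable warnings, and `$type`, `$key` and `$salt` are never reset at end of file, so a file that contains a key but no salt leaks its state into the next file on the command line without any diagnostic.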
3e080d8
Using this info, I created a web page to make brute forcing this a little easier... Just a bit slower!
http://ios7hash.derson.us
It even works from the iPad itself!
3e080d8
Cool :-)
3e080d8
http://ios7hash.derson.us worked for me. I opened several windows with around 1000 per window and had it cracked in about an hour. I want to say thanks for the information here, it saved me a lot of stress and I will be writing down future passcodes somewhere 🔢
3e080d8
Is there also the possibility to extract the 6 Digit passcode (lock screen) from an encrypted iPhone backup?