AxCrypt v2.x not working?
Hi there, today I was testing the axcrypt2-opencl format and noticed that there might be some issues. The hash is not cracked even though the correct password is in the wordlist.
Extracting the hash:
python3 axcrypt2john.py test.axx > /tmp/axcrypt.hash
Running it with John:
$ sudo ./john --wordlist=/tmp/axcrypt.txt --format=axcrypt2-opencl /tmp/axcrypt.hash
Device 1: GeForce GTX 1070
Using default input encoding: UTF-8
Loaded 1 password hash (axcrypt2-opencl, AxCrypt 2.x [PBKDF2-SHA512 AES OpenCL])
Cost 1 (iteration count) is 63200 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1344 candidates left, minimum 1920 needed for performance.
0g 0:00:00:01 DONE (2020-08-11 10:02) 0g/s 834.7p/s 834.7c/s 834.7C/s Dev#1:46°C dfgvsdf
Session completed
I also tried to remove the filename before the hash, nothing changed.
I can assure that the correct password is in the file /tmp/axcrypt.txt used as a wordlist; I double checked and I am able to decrypt it using the normal AxCrypt GUI and works even in a PC with no AxCrypt installed but using AxCryptBruteforcer, so the account is not logged in.
Edit: I am able to crack the test.axx file; however that is the only one. Once I realised that, I tried to create multiple accounts with different passwords and I was not able to crack any of them.
Requested info:
$ sudo ./john --list=build-info
Version: 1.9.0-jumbo-1
Build: linux-gnu 64-bit x86_64 AVX2 AC OMP
SIMD: AVX2, interleaving: MD4:3 MD5:3 SHA1:1 SHA256:1 SHA512:1
CPU tests: AVX2
$JOHN is ./
Format interface version: 14
Max. number of reported tunable costs: 4
Rec file version: REC4
Charset file version: CHR3
CHARSET_MIN: 1 (0x01)
CHARSET_MAX: 255 (0xff)
CHARSET_LENGTH: 24
SALT_HASH_SIZE: 1048576
SINGLE_IDX_MAX: 2147483648
SINGLE_BUF_MAX: 4294967295
Effective limit: Number of salts vs. SingleMaxBufferSize
Max. Markov mode level: 400
Max. Markov mode password length: 30
gcc version: 7.5.0
GNU libc version: 2.27 (loaded: 2.27)
OpenCL headers version: 2.2
Crypto library: OpenSSL
OpenSSL library version: 01010100f
OpenSSL 1.1.1 11 Sep 2018
GMP library version: 6.1.2
File locking: fcntl()
fseek(): fseek
ftell(): ftell
fopen(): fopen
memmem(): System's
$ sudo ./john --list=opencl-devices
Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 10.1.152
Device #0 (1) name: GeForce GTX 1070
Device vendor: NVIDIA Corporation
Device type: GPU (LE)
Device version: OpenCL 1.2 CUDA
Driver version: 418.67 [recommended]
Native vector widths: char 1, short 1, int 1, long 1
Preferred vector width: char 1, short 1, int 1, long 1
Global Memory: 8119 MB
Global Memory Cache: 240 KB
Local Memory: 48 KB (Local)
Constant Buffer size: 64 KB
Max memory alloc. size: 2029 MB
Max clock (MHz): 1797
Profiling timer res.: 1000 ns
Max Work Group Size: 1024
Parallel compute cores: 15
CUDA cores: 1920 (15 x 128)
Speed index: 3450240
Warp size: 32
Max. GPRs/work-group: 65536
Compute capability: 6.1 (sm_61)
Kernel exec. timeout: no
NVML id: 0
PCI device topology: 01:00.0
PCI lanes: 1/16
Fan speed: 79%
Temperature: 34°C
Utilization: 22%
Device #1 (2) name: GeForce GTX 1070
Device vendor: NVIDIA Corporation
Device type: GPU (LE)
Device version: OpenCL 1.2 CUDA
Driver version: 418.67 [recommended]
Native vector widths: char 1, short 1, int 1, long 1
Preferred vector width: char 1, short 1, int 1, long 1
Global Memory: 8119 MB
Global Memory Cache: 240 KB
Local Memory: 48 KB (Local)
Constant Buffer size: 64 KB
Max memory alloc. size: 2029 MB
Max clock (MHz): 1784
Profiling timer res.: 1000 ns
Max Work Group Size: 1024
Parallel compute cores: 15
CUDA cores: 1920 (15 x 128)
Speed index: 3425280
Warp size: 32
Max. GPRs/work-group: 65536
Compute capability: 6.1 (sm_61)
Kernel exec. timeout: no
NVML id: 1
PCI device topology: 02:00.0
PCI lanes: 1/16
Fan speed: 65%
Temperature: 30°C
Utilization: 4%
Device #2 (3) name: GeForce GTX 1070
Device vendor: NVIDIA Corporation
Device type: GPU (LE)
Device version: OpenCL 1.2 CUDA
Driver version: 418.67 [recommended]
Native vector widths: char 1, short 1, int 1, long 1
Preferred vector width: char 1, short 1, int 1, long 1
Global Memory: 8119 MB
Global Memory Cache: 240 KB
Local Memory: 48 KB (Local)
Constant Buffer size: 64 KB
Max memory alloc. size: 2029 MB
Max clock (MHz): 1708
Profiling timer res.: 1000 ns
Max Work Group Size: 1024
Parallel compute cores: 15
CUDA cores: 1920 (15 x 128)
Speed index: 3279360
Warp size: 32
Max. GPRs/work-group: 65536
Compute capability: 6.1 (sm_61)
Kernel exec. timeout: no
NVML id: 2
PCI device topology: 04:00.0
PCI lanes: 1/16
Fan speed: 64%
Temperature: 30°C
Utilization: 0%
Device #3 (4) name: GeForce GTX 1070
Device vendor: NVIDIA Corporation
Device type: GPU (LE)
Device version: OpenCL 1.2 CUDA
Driver version: 418.67 [recommended]
Native vector widths: char 1, short 1, int 1, long 1
Preferred vector width: char 1, short 1, int 1, long 1
Global Memory: 8119 MB
Global Memory Cache: 240 KB
Local Memory: 48 KB (Local)
Constant Buffer size: 64 KB
Max memory alloc. size: 2029 MB
Max clock (MHz): 1708
Profiling timer res.: 1000 ns
Max Work Group Size: 1024
Parallel compute cores: 15
CUDA cores: 1920 (15 x 128)
Speed index: 3279360
Warp size: 32
Max. GPRs/work-group: 65536
Compute capability: 6.1 (sm_61)
Kernel exec. timeout: no
NVML id: 3
PCI device topology: 06:00.0
PCI lanes: 1/16
Fan speed: 76%
Temperature: 31°C
Utilization: 2%
Could you post a file you CANNOT crack (and a hint for the correct password)? We need this to reproduce.
Sure. The file uploaded on wetransfer or the MediaFire link.
The hash I get using axcrypt2john:
Ciaociao123-txt.axx:$axcrypt$*2*56500*9b59fe4b3b77cecf72306b01dc946f100212510cd00ff7f73c67b78d82d4918728aaf9eb4ab004f6b66f3685e556ab1dc3dee1030fcb7f130f671a5410b5dc43*78336a566efa4258afb2800021b6f055ccc609a98d0f25e2c3ec35da7967da2e7d32ce1541bf03686f8993400216de4857599bc42a0bb5197a9391f45c496fdbc07a74761813ff6debbc9c66c3010bc88214cdad28f7cc339709fdc45d7b2cd50fb008dac65c7c21e02de0bfb7ffbb08895497c8398df25a388ad1a010a2e0a613af37209bea0ff9b34bd1c6cfb75104*1000*dd451ac8ab2cbf08305d28a8538311db54d546f88a810417005aac3fafc77a22
The cleartext password:
Ciaociao123
The sanity check:

Thanks. I can reproduce.
For future reference, I realized that crackable and non-crackable have different costs.
I apologise for the (probably) stupid question but what do you mean with that last sentence?
It is not. Look at this line and compare it to the test.axx output.
Cost 1 (iteration count) is 56500 for all loaded hashes
In fact, could you try to create hashes using different iteration and test, please?
Ok I see. Earlier, during previous tests I got different costs for all the non crackable .axx files.
Loaded hashes with cost 1 (iteration count) varying from 56500 to 63200
And this is the test.axx crackable file.
Cost 1 (iteration count) is 5000 for all loaded hashes
Now I can see what you mean.
Edit: I have tried various password lengths with different accounts and different files to encrypt, and also tried to decrypt and re-encrypt the file test.axx with a different password, and I never got a cost lower than 56500.
For future reference, I realized that crackable and non-crackable have different costs.
Looks like the difference is the ciphers used: AES-128 vs AES-256.
philsmd has highlighted some interesting findings in a post at the hashcat forum.
yeah, the only problem is that JTR doesn't support AES-128 for AxCrypt files (which is actually the default one for the free version as far as I can tell).
In the forum post I also mentioned that it might or might not be possible to detect if the file uses AES-128 or AES-256 from the file metadata alone (it might be the case that you need to enter a password and the software simply tests both until one succeeds or both fail, this is just an assumption but the AxCrypt spec PDF file hints to it that the cipher is not known).
the cost factor doesn't matter at all (well, only for how slow it is, but not if something is crackable or not)... my perl scripts from the forum post above should clearly show that the algorithms are different and therefore it's currently not cracking.
If we would implement this in hashcat, we probably would add 2 separate hash types "AxCrypt 2 AES-128" and "AxCrypt 2 AES-256" and the user must select one (they should either know the algorithm itself, or at least if they used the paid version etc). Of course it would be best if the hash format would indicate which AES key size was used, but again, as said above, it might not be possible to detect this with axcrypt2john.py (but maybe there is some way, dunno, also see: https://github.com/magnumripper/JohnTheRipper/blob/a63b64d2ab57606b4c6a8a005452c531c02fe8e6/run/axcrypt2john.py#L20).
Thx (and sorry for not posting here directly yesterday, I was in a hurry and only had time to complete that hashcat forum post)
Some recent observations:
- We now have a commented-out version 2 presumably AES-128 test vector from hashcat (so does hashcat support this by now?) since @magnumripper's commit 4c356607eede817c28f7663160ca6b5b9e4f82aa.
- Trying to crack this test vector obviously fails.
- It also still fails when I hack the code to use `AES_set_decrypt_key(KEK, 128, &akey);` in place of `AES_set_decrypt_key(KEK, 256, &akey);` so apparently there are more differences than just this.
- Similarly, cracking the test "hash" from this issue fails, with both unmodified and hacked-as-above code.
- Ditto for yet another test file I was sent privately.
- We need to add the various test files (both crackable and not) to https://github.com/openwall/john-samples
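
The cost comparison made earlier in this thread (5000 for test.axx versus 56500 to 63200 for the other files) can be done on the extracted lines before loading them into John. The following is an added example, not code from the thread or from the John the Ripper project; it assumes the six-field version 2 layout visible in the hash posted above, and the names `blob_bytes` and `counter2` are hypothetical. It reports the iteration count and field sizes only and does not tell AES-128 from AES-256.

```python
import re
from collections import defaultdict

TAG = "$axcrypt$*"
HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")  # even-length hex string


def parse_axcrypt2_line(line):
    """Parse one axcrypt2john-style line, with or without a 'filename:' prefix."""
    line = line.strip()
    pos = line.find(TAG)
    if pos < 0:
        raise ValueError("no $axcrypt$ tag found")
    label = line[:pos].rstrip(":") or None
    fields = line[pos + len(TAG):].split("*")
    if len(fields) != 6 or fields[0] != "2":
        raise ValueError("not a 6-field version 2 line")
    _version, iterations, blob1, blob2, counter2, blob3 = fields
    if not (iterations.isdigit() and counter2.isdigit()):
        raise ValueError("non-numeric counter field")
    for blob in (blob1, blob2, blob3):
        if not HEX.fullmatch(blob):
            raise ValueError("blob is not even-length hex")
    return {
        "label": label,
        "iterations": int(iterations),  # John reports this as "Cost 1"
        "counter2": int(counter2),      # fifth field; meaning not stated in the thread
        "blob_bytes": [len(b) // 2 for b in (blob1, blob2, blob3)],
    }


def group_by_cost(lines):
    """Map each iteration count to the labels of the lines that carry it."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_axcrypt2_line(line)
            groups[rec["iterations"]].append(rec["label"])
    return dict(groups)


# Constructed sample lines: placeholder hex, not real hashes.
BODY = "ab" * 64 + "*" + "cd" * 144 + "*1000*" + "ef" * 32
SAMPLE = [
    "a.axx:$axcrypt$*2*56500*" + BODY,
    "b.axx:$axcrypt$*2*63200*" + BODY,
    "$axcrypt$*2*5000*" + BODY,  # filename prefix removed
]

if __name__ == "__main__":
    for cost, labels in sorted(group_by_cost(SAMPLE).items()):
        print(cost, labels)
```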