Add format and extractor script for authenticator python app master password

[marksilinio]

It would be nice to have a script that allow to bruteforce master password of
https://github.com/JeNeSuisPasDave/authenticator

it uses the AES 256-bit symmetric key:
https://github.com/JeNeSuisPasDave/authenticator/blob/3caa2edebff01be3e6fd82c72ac3a0eb415cbe66/src/authenticator/data.py#L597-L606

to encrypt the second 16-byte data and compare it with the first 16-byte block (header):
https://github.com/JeNeSuisPasDave/authenticator/blob/3caa2edebff01be3e6fd82c72ac3a0eb415cbe66/src/authenticator/data.py#L802-L807

[solardiz]

I think it'd take not only a script, but also a new format in john.

[magnumripper]

If someone whips up an authenticator2john and supplies a couple of test vectors (add original samples to https://github.com/openwall/john-samples as well please), I'm willing to write the formats.

[marksilinio]

If someone whips up an authenticator2john and supplies a couple of test vectors (add original samples to https://github.com/openwall/john-samples as well please), I'm willing to write the formats.

how to provide a test vectors? base64 encoded 16-bytes IV and 16-bytes encrypted data?
like authenticator:$<base64 IV>$<base64 enc> ?

sample:
openwall/john-samples#10

[magnumripper]

Thanks!

Since the data is so short, hex encoding is fine as well (unless original data happens to be Base64 already, or whatever reason you fancy - it's ultimately up to you).

I think this would be nice:

$authenticator$0$<hex IV>$<hex data>

The 0 is just incase a future version need a format or algo change, we'd set next to 1 then.

Many of our tools will include the basename of the input filename as a first (: separated) field, like this:

authenticator.data:$authenticator$0$<hex IV>$<hex data>

In that case, the string authenticator.data is not used at all for the cracking nor a part of what we would call the (non) hash, but useful for when outputting a successful crack.

[marksilinio]

see #4898

[magnumripper]

The AES key is produced using SHA-256 with 256K iterations, you didn't mention that. It will slow things down considerably. Maybe 11Kp/s on a 2080ti or a couple hundred p/s on a good CPU with 8 cores.

[magnumripper]

Oh and what we called the IV isn't the IV, it's the cleartext header. The IV is derived from the key.

[marksilinio]

The AES key is produced using SHA-256 with 256K iterations, you didn't mention that. It will slow things down considerably.
Maybe 11Kp/s on a 2080ti or a couple hundred p/s on a good CPU with 8 cores.

Maybe 1024 iterations?
https://github.com/JeNeSuisPasDave/authenticator/blob/3caa2edebff01be3e6fd82c72ac3a0eb415cbe66/src/authenticator/data.py#L573-L577:

        self.__key_stretches = 256 * 1024
        self.__magic_number = 0x7A6A5A4A
        self.__file_version = 1
        self.__key = self._produce_key(passphrase)
        self.__iv = self._produce_iv(self.__key)