Title: Android pattern lock cracking
Android Pattern Lock Cracker (crack.pattern.py) https://github.com/sch3m4/androidpatternlock
+---+---+---+
| 0 | 1 | 2 |
+---+---+---+
| 3 | 4 | 5 |
+---+---+---+
| 6 | 7 | 8 |
+---+---+---+
>>> import hashlib
>>> hashlib.sha1(b"\x00\x01\x02\x04\x06\x07\x08").hexdigest()
'6a062b9b3452e366407181a1bf92ea73e9ed4c48'

$ hexout "\x00\x01\x02\x04\x06\x07\x08" | openssl sha1
6a062b9b3452e366407181a1bf92ea73e9ed4c48
gesture.key holds exactly this SHA1 value; confirm with "xxd -g 1 gesture.key":
0000000: 6a 06 2b 9b 34 52 e3 66 40 71 81 a1 bf 92 ea 73  j.+.4R.f@q.....s
0000010: e9 ed 4c 48                                      ..LH
The plaintext bytes range over [\x00-\x08]. Before Android 2.3.3 the minimum length is 3 bytes, afterwards 4 bytes, and the maximum is 9 bytes. A pattern may not visit the same point twice, and no salt is involved in the SHA1 computation, so exhaustive brute force is easy. Because the plaintext lies in the non-printable range, the usual online SHA1 cracking sites cannot be used:
2017-07-18 17:44 scz
On Android 7.0 the lock data is stored in:
/data/system/gatekeeper.pattern.key
/data/system/gatekeeper.password.key
Question cracking Android M pattern, pin code, password - [2016-11-01] https://hashcat.net/forum/thread-6000.html
Password storage in Android M - [2015-06-25] https://nelenkov.blogspot.tw/2015/06/password-storage-in-android-m.html
m-pass-hash.py https://pastebin.com/G3Fq68H4
Gatekeeper https://source.android.com/security/authentication/gatekeeper
Trusty TEE https://source.android.com/security/trusty/
File-based encryption (FBE) https://source.android.com/security/encryption/file-based
Full-disk encryption (FDE) https://source.android.com/security/encryption/full-disk
The salt is in the .key file. The hash (or signature) is the 32 bytes after the salt. Most production versions of Android 6.0+ use TEE (TrustZone) to calculate the HMAC of your password, using a device-specific key. The key is not accessible from Android (neither kernel nor userspace), so cracking is not trivial. Additionally, the exact algorithm varies by devices, so Samsung is likely doing something slightly different than Google (on Nexus devices), etc.
In Marshmallow, PIN and pattern locks are still breakable, but no longer use simple hashes. Gatekeeper password storage manages and verifies passwords via Hash-based Message Authentication Code (HMAC) with a hardware-backed secret key. It authenticates pattern or password locks in a Trusted Execution Environment (TEE), which calculates the HMAC using a device-specific key. The HMAC key is kept solely in Gatekeeper.