
Title: Cracking the Android pattern lock

https://scz.617.cn/android/201411141408.txt

Android Pattern Lock Cracker (crack.pattern.py) https://github.com/sch3m4/androidpatternlock

Assume the grid is laid out as follows:

+---+---+---+
| 0 | 1 | 2 |
+---+---+---+
| 3 | 4 | 5 |
+---+---+---+
| 6 | 7 | 8 |
+---+---+---+

Assume the pattern is drawn in this order:

0->1->2->4->6->7->8

The plaintext is then:

\x00\x01\x02\x04\x06\x07\x08

Compute its SHA1:

>>> import hashlib
>>> hashlib.sha1("\x00\x01\x02\x04\x06\x07\x08").hexdigest()
'6a062b9b3452e366407181a1bf92ea73e9ed4c48'

hexout "\x00\x01\x02\x04\x06\x07\x08" | openssl sha1
6a062b9b3452e366407181a1bf92ea73e9ed4c48

gesture.key contains exactly this SHA1 value; confirm with "xxd -g 1 gesture.key":

0000000: 6a 06 2b 9b 34 52 e3 66 40 71 81 a1 bf 92 ea 73  j.+.4R.f@q.....s
0000010: e9 ed 4c 48                                      ..LH

Each plaintext byte lies in [\x00-\x08]. Before Android 2.3.3 the minimum length is 3 bytes, from 2.3.3 on it is 4 bytes, and the maximum is 9 bytes. A pattern may not visit the same point twice, and no salt goes into the SHA1, so exhaustive brute force is trivial. Because the plaintext consists of non-printable bytes, the usual online SHA1 cracking sites cannot be used:

http://www.hashkiller.co.uk/sha1-decrypter.aspx

This one can be used instead:

http://android.saz.lt/cgi-bin/pattern.py
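An added example (Python 3, not from this note or from the androidpatternlock tool) that reproduces the gesture.key hash for the pattern above and counts the unsalted candidate space the note describes, which is why a defender should treat a leaked gesture.key as equivalent to the pattern itself:

```python
import hashlib
from math import perm

# Added example, not the note's own code: pattern -> gesture.key hash, plus
# the size of the search space that an unsalted SHA1 over 9 nodes leaves.

def pattern_hash(points):
    """SHA1 of the pattern's node indices as raw bytes, as stored in gesture.key."""
    if not points or len(set(points)) != len(points):
        raise ValueError("a pattern must not revisit a node")
    if any(p < 0 or p > 8 for p in points):
        raise ValueError("node indices run from 0 to 8 on a 3x3 grid")
    return hashlib.sha1(bytes(points)).hexdigest()

def matches_gesture_key(points, gesture_key_bytes):
    """True if the 20 raw SHA1 bytes of gesture.key correspond to this pattern."""
    return hashlib.sha1(bytes(points)).digest() == gesture_key_bytes

def keyspace_size(min_len, max_len, nodes=9):
    """Number of non-repeating node sequences of length min_len..max_len.
    Upper bound: it counts every ordered selection of distinct nodes,
    so no salt and no work factor means all of them are cheap to hash."""
    return sum(perm(nodes, k) for k in range(min_len, max_len + 1))

# Constructed from the xxd dump in the note: the 20 bytes of gesture.key.
GESTURE_KEY = bytes.fromhex("6a062b9b3452e366407181a1bf92ea73e9ed4c48")

if __name__ == "__main__":
    pattern = [0, 1, 2, 4, 6, 7, 8]
    print(pattern_hash(pattern))                   # 6a062b9b...e9ed4c48
    print(matches_gesture_key(pattern, GESTURE_KEY))  # True
    print(keyspace_size(4, 9))  # Android >= 2.3.3: 985824 candidates at most
    print(keyspace_size(3, 9))  # 3-node minimum on older builds: 986328
```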

2017-07-18 17:44 scz

On Android 7.0 the relevant files are:

/data/system/gatekeeper.pattern.key
/data/system/gatekeeper.password.key


Question cracking Android M pattern, pin code, password - [2016-11-01] https://hashcat.net/forum/thread-6000.html

Password storage in Android M - [2015-06-25] https://nelenkov.blogspot.tw/2015/06/password-storage-in-android-m.html

m-pass-hash.py https://pastebin.com/G3Fq68H4

Gatekeeper https://source.android.com/security/authentication/gatekeeper

Trusty TEE https://source.android.com/security/trusty/

File-based encryption (FBE) https://source.android.com/security/encryption/file-based

Full-disk encryption (FDE) https://source.android.com/security/encryption/full-disk


kapitanpetko:

The salt is in the .key file. The hash (or signature) is the 32 bytes after the salt. Most production versions of Android 6.0+ use TEE (TrustZone) to calculate the HMAC of your password, using a device-specific key. The key is not accessible from Android (neither kernel nor userspace), so cracking is not trivial. Additionally, the exact algorithm varies by device, so Samsung is likely doing something slightly different than Google (on Nexus devices), etc.

In Marshmallow, PIN and pattern locks are still breakable, but no longer use simple hashes. Gatekeeper password storage manages and verifies passwords via Hash-based Message Authentication Code (HMAC) with a hardware-backed secret key. It authenticates pattern or password locks in a Trusted Execution Environment (TEE), which calculates the HMAC using a device-specific key. The HMAC key is kept solely in Gatekeeper.