This question is about how efficient it is to bruteforce SASL authentication in the XMPP protocol.
I read the XMPP SASL authentication steps (stackoverflow link in case the first one breaks), and reimplemented a script that parses a network capture and extracts the parameters, and recalculates what the client and the server should respond for a given password, and initial negociated parameters (salt, nonces etc.), from what I understand:
Two messages are interesting for an attacker (contain hashes that can be bruteforced), these are: The client reply that includes the clientProof, and the server reply, that includes the serverSignature.
this is the relevant cryptographic part (I'm taking SHA1 as an example hash function):
// s, i are parameters communicated in earlier messages
// password is the authentication password
// authMessage is a message of the form "n=#{n},r=#{r1},r=#{r2},s=#{s},i=#{i},c=biws,r=#{r2}", #{} being used for string interpolation, n the username used for authentication, r1 the clientNonce and r2 the serverNonce
saltedPassword = PBKDF2-HMAC-SHA1(password: password, salt: s, iterations: i, length: 20, hash: 'sha1')
clientKey = HMAC-SHA1(key: saltedPassword, data: "Client Key")
clientProof = clientKey ^ HMAC-SHA1(key: SHA-1( clientKey ), data: authMessage)
clientProof is the p parameter that gets sent by the client.
If authentication succeeds, the server responds with a v parameter, which is:
saltedPassword = PBKDF2-HMAC-SHA1(password: password, salt: s, iterations: i, length: 20, hash: 'sha1')
serverKey = HMAC-SHA1(key: saltedPassword, data: 'Server Key')
serverSignature = HMAC-SHA1(key: serverKey, data: authMessage)
serverSignature is v.
As an attacker, it seems to me that I can bruteforce either p or v using a wordlist, the latter seems to have less operations involved, but it seems that the salt, and the full authMessage are needed for this operation.
Hashcat supports the XMPP SCRAM PBKDF2-SHA1 (23200) hash format, but I can't find a way to include authMessage (which should be needed for computing hashes), looking at an example hash (taken from https://hashcat.net/wiki/doku.php?id=example_hashes):
$xmpp-scram$0$4096$32$bbc1467455fd9886f6c5d15200601735e159e807d53a1c80853b570321aaeceb$8301c6e0245e4a986ed64a9b1803afb1854d9712
It looks like they included only a salt, and a hash. Also, no indications on which of the two hashes bruteforce is implemented.
How can hashcat be used to crack hashes obtained from network captures of XMPP traffic?
