Post 002: the one about hashcat and iOS Secure Notes
by Chris Atha
Introduction and Environment
Apple iOS, iPadOS, and macOS let a user lock individual notes in the built-in Notes application with a password. Apple calls these "secure notes", and the body of a locked note is stored encrypted inside the Notes database.
Let's first review where to find these notes and how they're created.
Artifact Creation
The note titled "This note may be secure!" was locked at the time of acquisition, and the note "Is this note secure?" was left unlocked at the time of acquisition. I then jailbroke my test device using checkra1n; the only capture I have of that step is a filtered photograph of the process.

Static Analysis
With our artifacts seeded and the device jailbroken, we can now go hunting for where our secure notes live and how best to access them.
I leveraged Andrew Hoog's tool ftree for this task, which can be found at:
https://www.hack42labs.com/blog/2020/01/14/discover-new-forensic-evidence-with-file-structure-analysis/
Using ftree, I generated a recursive listing of every file in my iOS acquisition as a SQLite database, then located the full path of the Notes database with the following steps.
./ftree --skip-hash generate -f sqlite /Volumes/iOSFS_2
I then ran the following query against the ftree database to locate the Notes database of interest. SQLite's LIKE is case-insensitive for ASCII, so the pattern matches NoteStore.sqlite regardless of case, and it will also surface any NoteStore.sqlite-wal and NoteStore.sqlite-shm sidecar files sitting next to it.
/* Basic SQL query for using ftree with mobile device acquisitions */
/* Author: Chris Atha */
SELECT
  id,
  file_name,
  magic_full,
  datetime(ctimeMs/1000, 'unixepoch') AS "Created Time",
  size,
  full_path
FROM ftree
WHERE full_path LIKE '%NoteStore.sqlite%';

/private/var/mobile/Containers/Shared/AppGroup/6AF37104-AE7C-40E0-B68A-A287EBF15113/NoteStore.sqlite
SQLite analysis
I loaded NoteStore.sqlite into a FOSS tool, DB Browser for SQLite, which is available at:
https://sqlitebrowser.org
I located a table in the database, ZICNOTEDATA, which contains two interesting columns: ZCRYPTOINITIALIZATIONVECTOR and ZCRYPTOTAG. Fast-forwarding a little, in the ZICCLOUDSYNCINGOBJECT table we can find ZCRYPTOTAG, ZCRYPTOSALT, and ZCRYPTOWRAPPEDKEY (along with ZCRYPTOITERATIONCOUNT, the PBKDF2 iteration count). These values are only populated on the two secure notes; unlocked notes leave them NULL. Fast-forwarding again, these are the values that the securenotes2hashcat.pl script used later in this post pulls out and formats into hashes.
Aside from the juicy crypto columns, the structure of the SQLite database is less than straightforward. Jon over at CIOFECA Forensics has done an outstanding job of dealing with Notes data; check that out for further details on parsing more information out of Notes.
https://www.ciofecaforensics.com
Hashcat
For this part of the project I'm using macOS with the Homebrew package manager installed. If you have a Mac and haven't used Homebrew, I highly recommend it. Homebrew can be obtained at:
https://brew.sh
Follow the installation instructions from the site; they are quite easy to follow. With Homebrew installed we can easily install hashcat, but first take some time to check out the hashcat website at:
https://hashcat.net/hashcat/
Just as important as reading the site, check out the contributors, and if their work has helped you, be sure to say thanks.
After you've had some time with the hashcat website, let's install.
Fire up your favorite terminal emulator; in my case I'm a fan of the default macOS Terminal.
brew install hashcat

My installation only took a few minutes. Now it is ready to run; let's do a quick check to make sure it installed correctly.
hashcat --help
This prints hashcat's help page; your output should look like the following.

Hashcat installation is a success, and Perl is already baked into macOS; now it's time to grab the script that extracts and formats the hash from the iOS NoteStore.sqlite database.
Head over to the hashcat GitHub repo and locate the securenotes2hashcat.pl Perl script. Note that it reads the database through the DBI and DBD::SQLite Perl modules; if running it fails with a "Can't locate DBI.pm" style error, install those modules (for example via cpan) before continuing:
https://github.com/hashcat/hashcat/blob/master/tools/securenotes2hashcat.pl
The simple use of hashcat I'll be demonstrating works fine with the popular rockyou.txt wordlist. Hashcat can do much, much more, but this is a simple slice to show proof of concept. If you're not familiar with the rockyou.txt wordlist, you can grab a copy from:
https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
With all of our ingredients ready, we can now bake. For this proof of concept, I'll create a new directory on the Desktop holding all of the necessary files.
cd ~ && mkdir Desktop/notetest && cd Desktop/notetest
The above command changes to the home directory, creates a directory named "notetest" on the current user's Desktop, and moves into it; the remaining commands assume notetest is the working directory.
Inside this directory we will place all of our ingredients: securenotes2hashcat.pl, NoteStore.sqlite, and rockyou.txt. If your acquisition also has NoteStore.sqlite-wal and NoteStore.sqlite-shm files next to the database, copy those alongside it too, since rows not yet checkpointed from the write-ahead log are otherwise invisible to anything that opens the database.

Using the ls command we can see that all three pieces of the puzzle are together.
Before we can execute securenotes2hashcat.pl we have to make it executable.
chmod +x securenotes2hashcat.pl

Now we can run the script and grab our hash.
./securenotes2hashcat.pl NoteStore.sqlite
Check the output of the previous command; if secure notes are in play, your output should look similar to this.

In this case I have two separate hashes (two encrypted notes). Let's save them into a text file which we can pass to our simple use of hashcat.
./securenotes2hashcat.pl NoteStore.sqlite > hash.txt

We now have a file named hash.txt containing the output of securenotes2hashcat.pl: one $ASN$ line per locked note. In the command below, -m 16200 selects hashcat's Apple Secure Notes mode and -a 0 selects a straight dictionary attack against rockyou.txt.
hashcat -a 0 -m 16200 hash.txt rockyou.txt

Once it's done baking, hashcat tells you whether it succeeded. To line up the cracked hashes with their respective passwords from the potfile, rerun the same command with --show:

hashcat -a 0 -m 16200 hash.txt rockyou.txt --show
We recovered the password for both secured notes (123456).
Let's try the password in Notes and see how this works out.
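As an added example (not code from the original post, nor from hashcat), here is a small Python equivalent of the two glue steps in the procedure above, tying the SQLite analysis section's columns to the hashcat run: it reads the same four columns of ZICCLOUDSYNCINGOBJECT that securenotes2hashcat.pl reads and emits them in the $ASN$*Z_PK*iterations*salt*wrappedkey form hashcat mode 16200 expects, then parses hashcat --show output back into a Z_PK to password map so each recovered password can be matched to its note row. The sample database is constructed in memory (the ZTITLE1 column name and the salt and wrapped-key byte lengths are assumptions for illustration), so it runs offline; pointing it at a real NoteStore.sqlite is the only change needed.

```python
"""Added example: extract Apple Secure Notes hashes from NoteStore.sqlite and
line hashcat --show output back up with the note rows. Not the page's own code
and not hashcat's; the SQL reads the same columns securenotes2hashcat.pl uses.
"""
import sqlite3
import sys

HASH_PREFIX = "$ASN$"


def extract_secure_note_hashes(conn):
    """Return hashcat mode-16200 lines, one per locked note.

    Locked notes are the rows of ZICCLOUDSYNCINGOBJECT whose crypto columns are
    populated; unlocked notes leave them NULL, so the WHERE clause skips them.
    Line format: $ASN$*<Z_PK>*<iteration count>*<salt hex>*<wrapped key hex>
    """
    sql = (
        "SELECT Z_PK, ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT, ZCRYPTOWRAPPEDKEY "
        "FROM ZICCLOUDSYNCINGOBJECT "
        "WHERE ZCRYPTOITERATIONCOUNT IS NOT NULL ORDER BY Z_PK"
    )
    lines = []
    for z_pk, iterations, salt, wrapped in conn.execute(sql):
        lines.append("%s*%d*%d*%s*%s" % (HASH_PREFIX, z_pk, iterations,
                                         salt.hex(), wrapped.hex()))
    return lines


def parse_show_output(show_lines):
    """Map Z_PK -> recovered password from `hashcat -m 16200 ... --show` lines.

    --show prints <hash>:<password>. The $ASN$ hash never contains ':', so
    splitting at the first ':' is safe even when the password contains colons.
    """
    recovered = {}
    for line in show_lines:
        line = line.strip()
        if not line.startswith(HASH_PREFIX):
            continue  # blank lines or chatter, not a hash:password pair
        hash_part, _, password = line.partition(":")
        z_pk = int(hash_part.split("*")[1])  # field 1 is the Z_PK we emitted
        recovered[z_pk] = password
    return recovered


def build_sample_db():
    """Constructed stand-in for NoteStore.sqlite with only the columns used.

    ZTITLE1 and the 16-byte salt / 24-byte wrapped key sizes are assumptions
    for illustration; the real table has many more columns.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZICCLOUDSYNCINGOBJECT ("
        "Z_PK INTEGER PRIMARY KEY, ZTITLE1 TEXT, "
        "ZCRYPTOITERATIONCOUNT INTEGER, ZCRYPTOSALT BLOB, ZCRYPTOWRAPPEDKEY BLOB)"
    )
    rows = [
        (7, "Is this note secure?", None, None, None),  # unlocked: NULL crypto
        (8, "This note may be secure!", 20000, bytes(range(16)), bytes(range(24))),
        (9, "Another locked note", 20000, bytes(16), bytes(24)),
    ]
    conn.executemany("INSERT INTO ZICCLOUDSYNCINGOBJECT VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python3 this.py NoteStore.sqlite > hash.txt
        for h in extract_secure_note_hashes(sqlite3.connect(sys.argv[1])):
            print(h)
    else:
        db = build_sample_db()
        hashes = extract_secure_note_hashes(db)
        for h in hashes:
            print(h)
        # Constructed --show output, as hashcat would print it after a crack.
        print(parse_show_output([hashes[0] + ":123456", hashes[1] + ":123456"]))
```

Feed the emitted lines to hashcat exactly as the post does (hashcat -a 0 -m 16200 hash.txt rockyou.txt), then pipe the --show output through parse_show_output; the resulting Z_PK can be joined back to ZICCLOUDSYNCINGOBJECT to name which note each password unlocks.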
Cheers