crowbar Apps maintenance update 1.0.2

I dropped v1.0.2 of both crowbarDMG and crowbarKC into the automatic update feed.  Please just run the applications and choose Check for Updates or allow automatic updates to run.

This update fixes where I was not stripping the carriage return characters from windows CRLF formatted text files used as dictionaries.  It would cause the program to appear it was properly checking passwords but never find the correct password due to the extra CR character.


Cracking Filevault – vfcrack compiling on OSX

This morning I woke up a bit early in the mood to see if I could improve crowbarDMG.  I had always intended to look at the OpenCiphers project code as a replacement to my own internal password test code.  Their vfcrack code is MUCH faster than my current code.  It would just be nice to have the gui and the progress saving ability of my crowbarDMG application.

I downloaded the vfcrack and went to compile it.  Of course it had to be a pain. I would run make and get the following error.

ld: symbol(s) not found
collect2: ld returned 1 exit status
make: *** [vfcrack] Error 1

After poking around I found a fix.  Just edit the Makefile and add -lcrypto after -lssl on the LDFLAGS line.  Then just run make again.

Now the program successfully compiles.  The next hurdle is I can’t seem to get it to actually succeed in cracking a DMG test file.  So it isn’t worth changing my program till I see this code actually crack something.  I should also add I am on 10.5.7 in case that has an effect on their code.  I am testing their provided dict against their provided dmg file using my crowbarDMG as a sanity check.


Found that my crowbar app was looking like it was testing the passwords properly from their dictionary file.  Turns out their file was in windows format with end of line CR+LF.  I was just stripping off the LF.  So now I have fixed my code and should publish updates to the auto update feeds soon for both crowbarDMG and crowbarKC.

I still can’t get a successful crack from their routine.


Malware – Finding the source site

A little interesting problem popped up on the CCE (Certified Computer Examiner) mail list today.  One of the members asked for scripting help on trying to test which of a list of urls was the source of malware that infected a machine he was examining.  The examiner had setup a clean Windows XP install in vmware and would test there.  He knew what he was looking for in what it does to Windows files, registries etc.  He just needed to test a hundred or so likely urls.  In the  process of writing up my reply email another member replied with a linear batch file to do it.  So I took my looping script and added his taskkill command to produce a quick simple result.

The script reads a text file that has one URL per line, it tells IE to open using the URL and pause.  That gives the examiner time to check for the infection.  If nothing found he just brings focus back to the command line window where he executed the script and presses a key. It closes the previous IE instance and opens the next from the file.

The file of urls is referenced in the script as sites.txt and you can make the following script in a bat file.  Call it visitsites.bat for instance.

for /F “eol=- tokens=1” %%i in (sites.txt) do (
start iexplore %%i
taskkill /f /im iexplore.exe


Wireshark + OSX Leopard

Normally I just run a sudo tcpdump at a command line.  But I wanted to play around in the wireshark gui of the latest build 1.0.8 for OSX Leopard.

So I downloaded the latest DMG for Wireshark 1.0.8 for Intel Leopard.  Dragged the Wireshark app to my Applications folder and ran it.  Wireshark would not see any network interfaces.

What I found is that I need to do the following then wireshark can see the interfaces.  BTW no: sudo open “Applications/” would not work either.  I suspect because its an x11 app.

sudo -S chown username /dev/bpf*

Note you substitute your short username for the “username” field above.  But who wants to do that every time you reboot?  Even if you script it.  So I of course made an automator.

  1. Drag over the “Ask for Text” object.  Use a prompt like “Enter Password:”
  2. Drag over Run Shell Script.  put in the sudo chown from above.  Also change the pass input to: to stdin
  3. Lastly drag over Launch Application.  Choose the 

Save it as an automator application.  Maybe on your desktop.  And now you have a simple double click method to perform the chown of the network interfaces so can see them.  It will prompt you for your user password (assuming you are an admin user or added your account to sudoers using the visudo command) and pass it to the sudo statement for you then launch wireshark.

One last thing.  Seems Leopard and where wireshark thinks some mibs are disagree.  I found a great blog post by Josh Fuller on fixing it with a couple of symbolic links.  You may have to put sudo in front of his commands. It worked for me.


crowbar and PGP Virtual Disk

I actually took a vacation to the beach a couple weeks ago.   Relaxing as I watched the ocean waves I decided to throw together a crowbar version to attack pgp virtual disk files.  So where is it?

It did not take me long to adapt my script attack to a crowbar version.  I did run into a big problem though and this is why I have not released crowbarPGP.  After running for about 10-15 minutes it will stop trying to mount the pgp virtual disc file. And in fact restarting the program won’t resume the attack. You cannot get it to start over till you reboot your mac.  My conclusion is that there must be some sort of memory leak in the pgpdisk command.  Hit that with a thousand attempts in rapid succession and it goes to hell.

I just don’t want to release a program version when I know its not going to be able to run to completion regardless of the dictionary file size.  I’ll catch the heat for what I feel is clearly a flaw in pgpdisk.

*Update June 5, 2009*  PGP contacted me, I sent them the materials and a video demo.  They actually said something about a thread not being released and it will be fixed.  Soon as that works I’ll release crowbarPGP.