Today I was not up for doing any full program code. On top of that I recorded an upcoming Typical Mac User show with Victor answering some listener questions about file encryption. One of the things we talked about was PGP for Mac. I got to wondering. What are the odds that they provide a command line option for mounting PGP encrypted discs? Can I do yet another dictionary attack script?
Here is what I have initially found. Note we are talking about a PGP virtual disk file set up for passphrase, NOT key, authentication. You must have the commercial Mac PGP Whole Disk Encryption application installed.
There is a pgpdisk --mount command. So can we toss it in a loop like we did for DMG files? Why of course we can! Note that you need to change the dictionary path and file to the one you want. Same for the target .PGD file. In the example below the PGD file is PGPTest, given with its full path but without the extension.
You will notice when you run your attack that you see some text about "Error -11998 - buffer too small". This is because normally, if the passphrase you enter is wrong, pgpdisk will prompt you three more times. By piping the candidate in with the echo at the front of the line we cause it to error out instead, which skips those extra entry attempts and keeps the loop going through the dictionary file.
for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v '#')
I decided to make a quick version of crowbarDMG that works on OSX Keychain files. So here you go. Right now in v1.0 it only works exactly as crowbarDMG does and finds the main unlock password. It is a good deal faster testing keychain files than disc images. Like crowbarDMG it is Leopard only. I am looking for a way to dump the contents of a keychain once it unlocks. If I can come up with a good solution I will release an update via the auto update mechanism.
While I work out an updated copy of crowbarDMG to go after keychains I wanted to give you a quick shell script to achieve the same thing. A long time ago I posted a script for going after DMG files. It takes only a slight edit to make it work for keychain files. You will want to change test.txt to your dictionary file and keytest.keychain to the file you want.
It is a common forensics technique to run strings against a disc image. One issue I ran into while testing my crowbarDMG tool was that this often leaves a lot of control characters in the file. So here is a way to strip the non-printable characters out of your dictionary file. I also added the "%@" string to the scrape since I found it would crash my program. In a future update I will filter those problem characters automatically. It uses the tr command instead of sed or awk.
Well here we are. Finally, my very first full Cocoa program. One that does not come from a book.
crowbarDMG is a dictionary attack tool for DMG and sparseimage files on Macs. It does require 10.5 Leopard. It really wasn't worth the trouble to redo things to work on Tiger. It is completely free, so enjoy. Be sure to read the included PDF readme file. I address an issue if you use strings to pull a dictionary out of a disc image: some control characters need to be scrubbed or they will crash crowbarDMG. Give it a shot if you need to recover a password for a DMG or FileVault file.
*UPDATE* – Please make sure to run Check for Updates to obtain the latest build. I have released v1.0.1 that implements garbage collection to help prevent memory leaks for long duration projects.
Thanks to Paul Figgiani for his patience in making GUI layout and improvement suggestions.
Thanks to Big Nerd Ranch for the fun bootcamp last October. I would have never had the time to get up to speed on Xcode and ObjectiveC purely on my own.
Thanks as well to the following code and frameworks:
I was working on some exercises for the SANS SEC-508 forensics class. Being the lazy person that I am, rather than manually extracting exif data from the recovered images I made an Automator workflow to do it for me. I had some issues trying to use some code that previously worked under Tiger. So here it is for Leopard. The only downside is that it breaks if the path or filename has a space in it.
I realize it has been a while since I posted on the full blog. I do minor things via twitter. Toss in the holidays, then lots of stuff to start the year = lazy on the blog.
I have been writing my first real program on OSX in Cocoa. A disc image (DMG) dictionary attack tool. It is coming along nicely and once done I will throw it out to the public intended as a free tool to Mac based forensics examiners. I have posted on here before about a shell script to do this. Making the program native in Cocoa means a lot more options etc. Not to mention fun for me to learn.
Filevault is nothing but an encrypted sparseimage disc image file. So in my testing I wanted to see if my tool could crack my own filevault. To do this I needed a reasonably targeted dictionary file. So in a pinch here is a fun way to make a simple attack dictionary.
This command shows disc usage and what discs are mounted. Let's say this iPod is actually my other laptop connected via FireWire target disk mode. Notice below that the root drive is shown and it is disk0s2.
Wait a good long time if the drive is large. You are streaming the drive-level blocks through the strings command to extract all readable ASCII strings into a nice text file.
So I used that file for going after the FileVault sparseimage file from my old laptop using my dictionary attack tool. I got lucky: my password was in the strings, but not by itself. It was embedded in some other text. I had to find it with grep against myDictionary.txt. It was cached way back in time in the unencrypted space on my hard drive by some third party tool. So without some extra work it would not have actually cracked my FileVault. But it sure came close. And from a 40GB old PowerBook drive it would have only taken 3 days to run the full myDictionary.txt file against my FileVault.
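As an added example (not the blog's own commands, which did not survive on this page), here is a shell version of the dictionary build described in this post combined with the control-character scrub from the crowbarDMG strings post above. It assumes POSIX sh with tr, grep, sort and wc, stands in for the strings binary with a tr pipeline so it runs anywhere, and takes whatever device or image path you pass (the /dev/rdisk0s2 path is the post's own example; dropping whole lines that contain "%@" is my reading of that post's note).

```shell
#!/bin/sh
# Added example: build an attack dictionary from the raw blocks of a drive or
# image, then scrub it the way the crowbarDMG post recommends.
# Assumed tools: POSIX sh, tr, grep, sort, wc. The source path is whatever you
# pass in (e.g. /dev/rdisk0s2 on the Mac, or a .dmg copy of a drive).

extract_strings() {
    # $1 = device or image file, $2 = minimum run length (like strings -n N).
    # Stand-in for the strings command: turn every non-printable byte into a
    # newline so runs of printable ASCII fall out as lines, keep the long ones.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{$2,}\$"
}

scrub_dictionary() {
    # stdin = candidate words (from extract_strings or a real strings run).
    # tr -cd keeps only newline and printable ASCII 0x20-0x7E (drops CR, tab,
    # ESC and friends); lines containing "%@" are dropped because that
    # sequence crashed crowbarDMG (assumption: dropping the line is enough);
    # empty lines go and duplicates collapse.
    LC_ALL=C tr -cd '\12\40-\176' \
      | grep -v -F '%@' \
      | grep -v '^$' \
      | LC_ALL=C sort -u
}

build_dictionary() {
    # $1 = source device or image, $2 = output file, $3 = min length (default 6)
    extract_strings "$1" "${3:-6}" | scrub_dictionary > "$2" || return 1
    # Print the number of candidate words written so the caller can log it.
    wc -l < "$2" | tr -d ' '
}

# On a real Mac this is the whole procedure, run as root and left for hours:
#   build_dictionary /dev/rdisk0s2 myDictionary.txt
```

Raise the minimum length if the list comes out too noisy; every extra character cuts the candidate count sharply on a large drive.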
One of the guys from the Nashville Mac Users group asked me about recovering some audio files from an iPod. A friend of his used an iTalk to record some audio, about 200MB worth of audio files. For some reason it is not syncing from the iPod. He also has no idea which of his many Macs is the master for the iPod. He would have to let it wipe the iPod to associate it with a new Mac he is sure of as the master. So I got to playing around. My iPod is in disk mode.
This command shows disc usage and what discs are mounted. Notice below that the iPod is shown and it is disk2s3. Keep in mind the main disk number can change every time you reboot if you have multiple external drives.
I have an external SATA drive with far more free space than the iPod's capacity (60GB).
dd bs=512 if=/dev/rdisk2 of=/Volumes/ExtSata/ipodimage.dmg
This command does a disc image of the raw disk#2 matching up to what we saw in step 2 above. You want the raw disk (rdisk) since it is faster for making an image. So we use a block size of 512 (bs) from an input file (if) of /dev/rdisk2 to an output file (of) of /Volumes/ExtSata/ipodimage.dmg
Wait a really long time (was over night) and when the dmg file shows in finder as large as the iPod close terminal, eject the real ipod and try double clicking on the new ipodimage.dmg file.
For me it opened up fine, mounting as a disc image. I could then browse the contents of the iPod. Of course I could also feed it to one of my forensic tools, since it is a disc image and easy to parse with file recovery tools. Now that I know it works, the question is whether I can use this to get past any issues on the fellow's iPod and drag his audio files out of the disc image. If we encountered any errors I would run the dd command again but add conv=sync,noerror at the end.
The noerror tells dd to keep going rather than stop when it hits a read error. The sync tells dd to pad each failed or short block out to the full block size with NULs, so the rest of the image stays aligned with the original disc. That is an attempt to get around any bad spots on the disc.
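As an added example (not the post's own command line), here is a small sh wrapper around the dd imaging step with the conv=sync,noerror options and a check of the result. It assumes POSIX sh with dd, wc, head and cmp, and that you pass the raw device (for example /dev/rdisk2, which needs sudo) or any file as the source.

```shell
#!/bin/sh
# Added example: image a disc the way the post describes, with the error
# handling options, and check the copy afterwards.
# Assumed tools: POSIX sh, dd, wc, head, cmp. On a Mac pass the raw device
# (/dev/rdisk2 in the post) as the source; a plain file works for testing.

image_disk() {
    # $1 = source device or file, $2 = output image path.
    # bs=512 matches the post; noerror keeps dd going past unreadable blocks
    # and sync zero-pads every short or failed read to a full 512-byte block.
    dd bs=512 if="$1" of="$2" conv=sync,noerror 2>/dev/null || return 1
    # Print the image size in bytes so the caller can compare it to the source.
    wc -c < "$2" | tr -d ' '
}

verify_image() {
    # $1 = source, $2 = image, $3 = number of bytes to compare (source size).
    # conv=sync pads the tail, so only the source's own bytes are compared.
    head -c "$3" "$2" | cmp -s - "$1"
}

# Real use, as root, after confirming the disk number with df:
#   image_disk /dev/rdisk2 /Volumes/ExtSata/ipodimage.dmg
```

Because conv=sync rounds the last read up to a whole block, the image can be slightly larger than the source and its tail is zero bytes rather than data, which is why the check compares only the source's length.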