AccessData – DNA Password Cracking & Amazon EC2

I had a whim to see what I could do with my license of AccessData’s DNA password cracking tool.  It is the Distributed version of their PRTK for the FTK Forensics package.

They have an agent for Windows, Mac, Sony PS3 and Redhat/Fedora Linux.  But could it run under Ubuntu? Perhaps under the WINE windows emulator?  I found the answer to be yes.  I built a local VMware instance in Fusion on my Mac using Ubuntu 10.10 Desktop.  I added Wine, then copied over the DNA Worker.msi installer and ran it.  Sure enough it reported into my DNA Manager which I had also running in a VMware instance, though that one is Windows XP to ensure the license dongle can be attached.

So my next question was how hard it would be to get a DNA worker, or a batch of them, whipped up on the Amazon EC2 cloud and have them report back to my DNA Manager in VMware where my license dongle was attached.  The answer was not too bad.  And yes, it works.  I cracked a zip file with the password “Scooby44” in 19 minutes with a combination of my local VMware Ubuntu instance and a Medium dual CPU instance on Amazon EC2.  I also ran the job briefly against a small base level instance on EC2 to see the average passwords per second.

Read more to see the basic stats.  I will soon decide whether I make some screencast tutorials or a written PDF of the whole setup process.  I will put together a tutorial regardless of which medium I choose.


Rough Draft OSX Automator – Password Extraction

I have had various discussions with other forensics folks about password dictionaries and their use with my crowbar tools.  So I am doing some experimentation using Automator plus shell script and perl script.  I really think a lot of forensics folks who use Mac OSX forget or underestimate Automator.  In my case I am using it to draft some password extraction tests.

You can download the automator app with a sample text file to run it on.  You can get it from here: PasswordExtractor Automator

Of course it is easy for you to edit the automator app in Automator and see/edit my scripts.  Here is a summary of what it does.  It becomes clearer if you run it on the included text file.

It has you select a file and runs it through strings.  It sorts the output and drops duplicate strings.  Then it runs that base dictionary file through a perl script several times, each time with a slightly different variant.  The script looks for certain flag strings, then grabs all the remaining text on the line after the flag text and makes it into a stack of passwords.

It looks for all case-insensitive occurrences of pw, pwd, pass and password, each followed by any of the three symbols =, - or :

It then takes the text following the flag string, writes the first letter out on its own line as a password, and extends it one letter at a time until it reaches the full length.

So, in essence, if the password you really need is embedded in, say, a URL containing pass=supersecretpassword, you get a dictionary file in which supersecretpassword occurs on a line by itself.  Perfect for your dictionary attack tools.
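The extraction rule just described, written out in Python as an added example (this is not the Automator app or its perl script; the flag words and separators are the post's, the sample strings are constructed, and the dash is taken as a plain hyphen):

```python
import re
from typing import Iterable, List

# Flag words and separators are the ones the post lists (dash read as a
# plain hyphen); everything else in this file is constructed for the example.
FLAGS = ("password", "pass", "pwd", "pw")
SEPARATORS = "=:-"

# Constructed sample, standing in for the output of strings | sort -u.
SAMPLE_STRINGS = [
    "http://example.test/login?user=bob&pass=supersecretpassword",
    "PWD:hunter2",
    "no credentials on this line",
    "pw=hunter2",  # same value behind another flag word; deduplicated below
]


def extract_candidates(lines: Iterable[str]) -> List[str]:
    """Apply the post's rule: wherever a flag word is directly followed by
    = : or -, take the rest of the line and emit every prefix of it, from
    the first letter up to the full length, skipping duplicates."""
    seen = set()
    candidates: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        # one pass per flag word, mirroring the several perl variants
        for flag in FLAGS:
            pattern = re.compile(
                re.escape(flag) + "[" + re.escape(SEPARATORS) + "](.*)$",
                re.IGNORECASE,
            )
            match = pattern.search(line)
            if match is None:
                continue
            tail = match.group(1)
            for length in range(1, len(tail) + 1):
                prefix = tail[:length]
                if prefix not in seen:
                    seen.add(prefix)
                    candidates.append(prefix)
    return candidates


if __name__ == "__main__":
    for candidate in extract_candidates(SAMPLE_STRINGS):
        print(candidate)
```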


Mac Forensics – Automator Love – Make a Dictionary

I really really love Automator on the Mac.  It just makes it so easy to set up scripts you can run again later.  More importantly, it lets you write a script solution that is point and click for someone else when they need help.

I had an email from a Detective that does forensics work on child exploitation cases.  He wanted a simple way to build a dictionary from a selection of folders and files.  He wanted to use that dictionary with my crowbar tools to go after a filevault from a mac.

Here is what I did.


Mac Shell Script – Crack PGP WDE

While I am working on a crowbar version for PGP whole disk encryption, I took a few minutes to modify the previous script for PGP virtual disk files to hit WDE drives, in case you need something right away.  Keep in mind you need to determine the drive number with something like df, diskutil etc.

When running the script you will see output like:

Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Password found!

Here is the script.  Obviously you will need to change the path to your dictionary and the number after --disk to match the drive you are attacking.  If you are clever, the command for pgpwde is the same under Windows with PGP installed.  You could build a similar script there.

#!/bin/bash
# Change the dictionary path and the number after --disk to match your case.
# Reading line by line (instead of word-splitting a cat) keeps passphrases
# that contain spaces intact; lines containing # are skipped as comments.
while IFS= read -r word
do
    case "$word" in *"#"*) continue ;; esac
    # piping the passphrase in up front makes a wrong guess fail outright
    # instead of re-prompting
    echo -n "$word" | pgpwde --auth-disk --passphrase "$word" --disk 0
    if [[ $? -eq 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done < /Volumes/ExternalDrive/Dictionaries/test.txt
echo "password not found :("
exit 1


Mac – Keychain files

Here is a great article on why 1Password now uses its own keychain-like file to store data.  They started out using the OSX keychain file format but have expanded into their own.  The application still supports the OSX native format, but they give great reasons why they changed.  Read the current blog post explaining the difference HERE.

The main item of interest to a forensic investigator who has not fully read up on the keychain file format?  ONLY the password field is encrypted.  Nothing else in the file is.  So before you use something like my crowbarKC to run for hours or days to attack the keychain, just run it through strings to decide if there is anything worth the time to recover.  Use a command like the one below and flip through the output to decide if there are any entries relevant to your case.

strings login.keychain | less


Mac Shell Script – Crack PGP Virtual Disk (PGD)

Today I was not up for doing any full program code.  On top of that I recorded an upcoming Typical Mac User show with Victor answering some listener questions about file encryption.  One of the things we talked about was PGP for Mac.  I got to wondering.  What are the odds that they provide a command line option for mounting PGP encrypted discs?  Can I do yet another dictionary attack script?

Here is what I have initially found.  Note we are talking about a PGP virtual disk file set up for passphrase, NOT key, authentication.  You must have the commercial Mac PGP Whole Disk Encryption application installed.

There is a pgpdisk --mount command.  So can we toss it in a loop like we did for DMG files?  Why of course we can!  Note that you need to change the dictionary path and file to your own.  Same for the target .PGD file you want.  In the example below the PGD file is PGPTest, given as the full path minus the extension.

You will notice when you run your attack that you see some text about "Error -11998 – buffer too small".  This is because normally, if the passphrase you enter is wrong, it will prompt you three more times.  Because we pipe the passphrase in with the echo at the front of the line, it errors out instead, ignores those multiple entry attempts, and we keep going through our dictionary file.

#!/bin/bash
# Change the dictionary path and the PGD path (full path minus the extension)
# to match your case. Reading line by line keeps passphrases that contain
# spaces intact; lines containing # are skipped as comments.
while IFS= read -r word
do
    case "$word" in *"#"*) continue ;; esac
    # piping the passphrase in up front makes a wrong guess fail with the
    # "buffer too small" error instead of prompting three more times
    echo -n "$word" | pgpdisk --mount /Volumes/MyBook/PGPDisks/PGPTest --passphrase "$word"
    if [[ $? -eq 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done < /Volumes/ExternalDrive/Dictionaries/test.txt
echo "password not found :("
exit 1


Mac Shell Script – Crack Keychain

While I work out an updated copy of crowbarDMG to go after keychains, I wanted to give you a quick shell script to achieve the same thing.  A long time ago I posted a script for going after DMG files.  It takes only a slight edit to make it work for keychain files.  You will want to change test.txt to your dictionary file and keytest.keychain to your desired file.

#!/bin/bash
# Change test.txt to your dictionary and keytest.keychain to the target file.
# Reading line by line keeps passwords that contain spaces intact; lines
# containing # are skipped as comments.
while IFS= read -r word
do
    case "$word" in *"#"*) continue ;; esac
    security unlock-keychain -p "$word" ~/keytest.keychain
    if [[ $? -eq 0 ]]
    then
        echo "Password found"
        echo "$word"
        exit 0
    fi
done < ~/test.txt
echo "Password not found"
exit 1


Strings on a dd image

It is a common forensics technique to run strings against a disc image.  One issue I ran into in testing my crowbarDMG tool was that this often leaves a lot of control characters in the file.  So here is a way to remove the non-printable characters from your dictionary file.  I also added the "%@" string to the scrape since I found that would crash my program.  In a future update I will provide automatic filtering of those problem characters.  It uses the tr command instead of sed or awk.

# tr -d deletes each listed character, so '%@' strips every % and every @ rather than only the pair
tr -d '\001'-'\011''\013''\014''\016'-'\037''\200'-'\377''%@' < dictionary.txt > dictionary-cleaned.txt

Update:

For those who do not want to mess with the command line to clean up their dictionary, you can download this as an Automator app wrapper HERE
