We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. Major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component allowing the tool to automatically intercept wireless traffic, save Wi-Fi handshake packet and perform an accelerated attack on the original WPA/WPA2-PSK password.
Archive for the ‘Hardware’ Category
Not all passwords provide equal protection. Some formats are more resistant to brute-force attacks than others. As an example, Microsoft Office 2013 and 2016 employ a smart encryption scheme that is very slow to decrypt. Even the fastest available GPU units found in NVIDIA’s latest GeForce GTX 1080 will only allow trying some 7100 passwords per second.
One solution is employing a custom dictionary, possibly containing the user’s passwords that were easier to break. Observing the common pattern in those other passwords may allow creating a custom mask that could greatly reduce the number of possible combinations.
How often do you think forensic specialists have to deal with encrypted containers? Compared with office documents and archives that are relatively infrequent, every second case involves an encrypted container. It may vary, but these evaluations are based on a real survey conducted by our company.
It is hard to overestimate the importance of the topic. In the first part of our story we discussed the way of getting access to encrypted volumes using an encryption key. Now, let’s see which other ways can be used.
Unlike Elcomsoft Forensic Disk Decryptor, Elcomsoft Distributed Password Recovery does not search for existing decryption keys. Instead, it tries to unlock password-protected disks by attacking the password. The tool applies an impressive variety of techniques for attacking the password. In this case, the whole disk encryption scheme is only as strong as its password. Fortunately, the tool can execute a wide range of attacks including wordlist attack, combination attacks, mask attacks, smart attacks and so on and so forth, with advanced GPU acceleration and distributed processing on top of that. The whole sophisticated arsenal comes in particularly handy if we speak about more or less secure passwords.
During the last several years, progress on the CPU performance front has seemingly stopped. Granted, last-generation CPUs are cool, silent and power-efficient. Anecdotal evidence: my new laptop (a brand new Macbook) is about as fast as the Dell ultrabook it replaced. The problem? I bought the Dell laptop some five years ago. Granted, the Dell was thicker and noisier. It’s battery never lasted longer than a few hours. But it was about as fast as the new Macbook.
Computer games have evolved a lot during the last years. Demanding faster and faster video cards, today’s games are relatively lax on CPU requirements. Manufacturers followed the trend, continuing the performance race. GPUs have picked up where CPUs have left.
NVIDIA has recently released a reference design for GTX 1080 boards based on the new Pascal architecture. Elcomsoft Distributed Password Recovery 3.20 adds support for the new architecture. What does it mean for us?
Biometric approach to unlocking portable electronics has been on the rise since late 2013 when Apple released iPhone 5S. Ever since, manufacturers started adding fingerprint scanners to their devices. In the world of Android, this was frequently done without paying much (if any) attention to actual security. So how do these systems compare?
Apple iOS: Individually Matched Touch ID, Secure Enclave at Work
Apple invented Touch ID to increase the average user security. The idea behind fingerprint unlock is for users who had no passcode at all to use Touch ID. Fingerprint data is stored on the Secure Enclave, and is never transferred to Apple servers or iCloud.
Quite often our new customers ask us for advice about what they should start with in order to use the program effectively. In fact, there are various situations when the tool can come in handy by decrypting data securely protected with TrueCrypt, BitLocker (To-Go), or PGP and we’d need a super long video to describe all the cases. But we’d love to demonstrate one typical situation when disk is protected with TrueCrypt when entire system drive encryption option is on.
In this video, kindly provided by Sethioz, we suggest you to decrypt TrueCrypt whole system drive encryption using our Elcomsoft Forensic Disk Decryptor thoroughly going through all the stages starting from the very first one when you just got the encrypted hard drive on hands.
With encrypted hard drive in one hand and its memory dump in the other one (taken when encrypted disk was still mounted) we plug HDD into our “invesgitator’s” computer, start Elcomsoft Forensic Disk Decryptor and easily, in one slow motion, extract the encryption keys from the memory dump file and decrypt the protected HDD, either by mounting it into the “investigator’s” system (to be able to work with it on-the-fly) or by decoding the contents into a specified folder.
We hope you’ll enjoy this video and next time you have the necessity to decrypt something encrypted you’ll feel more confident about it. We also invite you to take a moment and share your experience here in comments or leave your question if you still have any after this pretty detailed video. 🙂
If you care about password cracking, hardware acceleration or Wi-Fi protection this interview with our friend Sethioz is certainly for you. Being currently a freelance security tester Sethioz kindly shared his experience in cracking passwords using video cards, which in its turn derived from his gaming interest in cards. His personal experience may be very helpful to those whose concern about password cracking is not trivial.
How did it all start or what was the reason to try to find a Wi-Fi password?
There is no short answer to this, if there would be, I guess it would be “curiosity”. I think I got my first computer somewhere in 2002-2003 (my own PC) and ever since I’ve been interested in everything that is not “normal”, such as reverse engineering, debugging, hacking games, cracking password etc. (more…)
We have just released a long-awaited update to one of our flagship products, Elcomsoft Distributed Password Recovery. While you can learn more about what’s been added and changed from our official announcement, in this post we’d like to share some insight about the path we took to design this update. (more…)
We have just updated Advanced Office Password Recovery and Distributed Password Recovery with NVIDIA Tesla K20 support, enabling world’s fastest password recovery with NVIDIA’s latest supercomputing platform. Elcomsoft Advanced Office Password Recovery removes document restrictions and recovers passwords protecting Microsoft Office documents, while Elcomsoft Distributed Password Recovery can quickly break a wide range of passwords on multiple workstations with near zero scalability overhead.
GPU-accelerated password recovery dramatically reduces the time required to break long and complex passwords, offering more than 20-fold performance gain over CPU-only operations (compared to a quad-core Intel i7 CPU). NVIDIA’s latest Tesla K20 platform further increases the performance, delivering a nearly 1.5x performance increase compared to the use of a dual-core NVIDIA GeForce GTX 690 board.
A workstation equipped with an NVIDIA Tesla K20 unit can crunch as many as 27500 Office 2007 passwords per second, or 13500 passwords per second in the case of Microsoft Office 2010. In comparison, the next-best solution, a dual-core GeForce GTX 690 board, can try some 19000 Office 2007 or 9000 Office 2010 passwords per second.
The updated Elcomsoft Advanced Office Password Recovery and Elcomsoft Distributed Password Recovery now fully support the latest NVIDIA supercomputing hardware, enabling users to gain unrestricted access to many types of documents in far less time.
BitLocker, PGP and TrueCrypt set industry standard in the area of whole-disk and partition encryption. All three tools provide strong, reliable protection, and offer a perfect implementation of strong crypto.
Normally, information stored in any of these containers is impossible to retrieve without knowing the original plain-text password protecting the encrypted volume. The very nature of these crypto containers suggests that their target audience is likely to select long, complex passwords that won’t be easy to guess or brute-force. And this is exactly the weakness we’ve targeted in our new product: Elcomsoft Forensic Disk Decryptor.
The Weakness of Crypto Containers
The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool. Such as Elcomsoft Forensic Disk Decryptor.
Retrieving Decryption Keys
In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack. If the computer is off, Elcomsoft Forensic Disk Decryptor can retrieve decryption keys from a hibernation file. It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.
“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”
It is essential to note that Elcomsoft Forensic Disk Decryptor extracts all the keys from a memory dump at once, so if there is more than one crypto container in the system, there is no need to re-process the memory dump.
Using forensic software for taking snapshots of computers’ memory is nothing new. The FireWire attack method existed for many years, but for some reason it’s not widely known. This method is described in detail in many sources such as http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
The FireWire attack method is based on a known security issue that impacts FireWire / i.LINK / IEEE 1394 links. One can take direct control of a PC or laptop operating memory (RAM) by connecting through a FireWire. After that, grabbing a full memory dump takes only a few minutes. What made it possible is a feature of the original FireWide/IEEE 1394 specification allowing unrestricted access to PC’s physical memory for external FireWire devices. Direct Memory Access (DMA) is used to provide that access. As this is DMA, the exploit is going to work regardless of whether the target PC is locked or even logged on. There’s no way to protect a PC against this threat except explicitly disabling FireWire drivers. The vulnerability exists for as long as the system is running. There are many free tools available to carry on this attack, so Elcomsoft Forensic Disk Decryptor does not include a module to perform one.
If the computer is turned off, there are still chances that the decryption keys can be retrieved from the computer’s hibernation file. Elcomsoft Forensic Disk Decryptor comes with a module analyzing hibernation files and retrieving decryption keys to protected volumes.
Complete Decryption and On-the-Fly Access
With decryption keys handy, Elcomsoft Forensic Disk Decryptor can go ahead and unlock the protected disks. There are two different modes available. In complete decryption mode, the product will decrypt everything stored in the container, including any hidden volumes. This mode is useful for collecting the most evidence, time permitting.
In real-time access mode, Elcomsoft Forensic Disk Decryptor mounts encrypted containers as drive letters, enabling quick random access to encrypted data. In this mode files are decrypted on-the-fly at the time they are read from the disk. Real-time access comes handy when investigators are short on time (which is almost always the case).
We are also adding True Crypt and Bitlocker To Go plugins to Elcomsoft Distributed Password Recovery, enabling the product to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.
The unique feature of Elcomsoft Forensic Disk Decryptor is the ability to mount encrypted disks as a drive letter, using any and all forensic tools to quickly access the data. This may not seem secure, and may not be allowed by some policies, but sometimes the speed and convenience is everything. When you don’t have the time to spend hours decrypting the entire crypto container, simply mount the disk and run your analysis tools for quick results!
More information about Elcomsoft Forensic Disk Decryptor is available on the official product page at http://www.elcomsoft.com/efdd.html