Password Cracking AES-256 DMGs and Epic Self-Pwnage

jeremiahTwo weeks ago I was in the midst of a nightmare. I’d forgotten a password. Not just any password. THE password. Without this one password I was cryptographically locked out of thousands and gigabytes worth of files I care about. Highly sensitive and valuable files that include work documents, personal projects, photos, code snippets, notes, family stuff, etc. The password in question unlocks these files from the protection of locally stored AES-256 encrypted disk image. A location where an “email me a password reset link” is not an option. File backups? Of course! Encrypted the same way with the same password. Password paper backup? Nope. I’ll get to that. I somehow needed to “crack” this password. If not, the amount of epic self-pwnage would be too horrible to imagine.

Before sharing how I got myself into this predicament, it’s necessary to reveal some details about my personal computer security habits. More specifics than I’m normally comfortable sharing.

badgewall2As my badge wall shows, I travel a lot, all around the world, and often with the same laptop. A MacBook Pro. My computer becoming lost, stolen, or imaged by border guards and other law enforcement officers is a constant concern. To protect against these potential physical attacks, OS X dutifully offers FileVault.

FileVault is a full disk encryption feature utilizing XTS-AES 128 crypto. Enabling FileVault means that even if someone has physical possession of my computer, or obtains a full copy of the hard drive, they’d be the proud new owner of a cutting-edge machine, but unable to get any useful data off of it. That is unless my admin password, which unlocks FileVault, is ridiculously simple, and it isn’t. By all practical means, “cracking” this password is impossible.

What is possible is law enforcement, or a robber, forcibly stopping me and “asking” for my admin password, a method capable of defeating FileVault’s full disk encryption. Realistically, while my brazilian jiu-jitsu black belt certainly helps in many situations, it can be utterly useless in other real-world encounters. I’ll of course resist giving up my admin password to the extent I’m able, but must assume I may have to “comply” at some point. If this should happen, ideally my data, other than email, should remain safe even after the adversary lands on my desktop.

Setting up this type of layered security fall-back plan is where we return to the conversation of encrypted disk images. On OS X, Disk Utility can be used to create encrypted disk images called DMGs. DMGs are self-contained portable files, of customizable size, that when mounted (i.e. double-clicked) display on the desktop like any other disk drive where files can be stored.

Upon creation of DMGs the level of encryption strength can be set, the highest being AES-256. If FileVault’s AES-128 crypto is already “impossible” to crack, AES-256 DMGs are exponentially more impossible. To ensure this, all you have to do is set a reasonable password. We’re talking even 6 characters or longer, some upper and lower case, and maybe toss in a digit and special character. DON’T SAVE THE PASSWORD IN YOUR KEYCHAIN. Doing so defeats the entire purpose of what we’re trying to accomplish, because the admin password unlocks the keychain.

A great thing about DMGs is that they can be stored anywhere. Hidden in some obscure directory on the local machine, a network storage device, a USB drive, whatever. All my confidential files are typically stored this way, in a series of encrypted DMGs with separate passwords. Also very important, DMGs containing sensitives files are only mounted on an as-needed basis. This is for two reasons:

  1. If I must hand over my admin password, the person now on the desktop should still have a difficult time learning these disk images exist and a password is required to open them. As they begin to snoop around, image the drive, run forensics, etc., they should feel they have the keys to the kingdom. If they do manage to find the DMGs, hopefully by then I’m on my way and seeking legal help.
  2. Should my computer get “hacked,” a remote attacker will find it extremely difficult to transfer out many many gigabytes worth of data as a single DMG file before being noticed, the computer loses its connection to the Internet, or the image is unmounted.

security

Credit: http://xkcd.com/

What’s also cool is a DMG can be used to store additional account passwords, flat file style. Passwords, which can be made super strong and don’t have to be committed to memory. Simply copy-paste as necessary. This FileValue / DMG setup makes it very convenient to only have to remember a small hand full of passwords, including the admin password, to access everything important and without sacrificing security. Well, convenient up until the point where you forget a DMG password. In my case, caused by my scheduled ritual of “change all my passwords.” Ugh!

I wake up once upon a recent morning and begin my daily routine. Check calendar. Check email. Checks RSS. Check Twitter. Start working, start reading. As is common, I mount a DMG and am greeted by the familiar password dialog.  First password attempt, fail. Second attempt, fail. Third attempt, fail. Warning dialog appears. That’s weird, I thought. Normally I’m a proficient touch typist. Am I’m fat-fingering the password? Three strikes and I’m out again.

Annoyed, but not concerned. Check the caps lock key. Nope. Try the password again. Fail, fail, fail. Fail, fail, fail. Rinse, repeat several more times. WTF! Am I at least trying to type the correct password for the DMG? I believe so. Let me try a few “shouldn’t work passwords” just in case Morning Brain is causing problems. A few dozen password fails later, annoyance begins constricting into panic. It’s OK, consoling myself, I’ll come back to this in a little while. It’ll be fine. I have some non-DMG-required work to complete anyway.

An hour later, I repeated the same password attempt cycle. No dice. The password fails mounting up are now in the hundreds. I start to mouth some obscenities and my keyboard is really not liking the pounding. My wife is beginning to eyeball me with concern. I’m running out of ideas of what that problem could be. That’s about when I recalled recently changing all my passwords. A few moment laters, that’s when it hit me, like really hit me. For whatever reason, I’d forgotten what I changed the password to. *Gulp*. Oh, no!

password_strength

Credit: http://xkcd.com/

Think positive, think optimistic. Keep calm. Carry on. It’ll come to me. I’ve never forgotten these passwords before. I even remember most of it. At least, I think I do.

I’m periodically trying different passwords throughout the day, throughout out the evening. One day turns into two, two into three. All like the first. Only now I’m losing sleep. I’m waking up in the middle of the night and have to try a few more passwords just so I can get back to sleep. For those who don’t know, dreaming of password combinations sucks. What also sucks is without access to this DMG, more specifically the work documents within it, my daily productivity plummets.

Finally, after nearly a week I have to admit to myself, I forgot it. That I’m in trouble. Time for Plan B. Google.

I begin searching around for DMG password cracking tools. My thought is since I have a partial password, I should be fine. Most of the results pages are littered with people responding by cracking jokes when asked about cracking DMG AES crypto. That’s not very encouraging. Then I come across something called crowbarDMG, which is basically a GUI for command:

>$ hdiutil attach -passphrase <passphrase> DiskImage.dmg 

hdiutil locks a DMG file when attempting to mount it, so crowbarDMG runs single threaded, which essentially means a cracking speed of 1 password c/s. Yeah, slow. For my particular circumstance, this was fine. I figured I was only missing between 1 – 3 characters of the password anyway. A day of cracking, maybe two, and I’d be back in business. It was not to be. Then my fuzzy memory suggested I might be missing as much as 6 characters. If that be the case, by sheer math, at least multiple  decades worth of cracking would be necessary at current speed. Time for Plan C. Twitter.

Having ~15,000 followers interested in computer security has its perks. Through the years I’ve come to expect a good percentage of them have a stinging sense of humor. Similar to the Google search, 99% of the responses received were sarcastic. This included one such retort from a friend who works in law enforcement computer forensics. I’m sure some tweets were funny, but I was in no laughing mood. I was freaked. A sense of futility and finality was setting in.

That was until Solar Designer, gat3way, Dhiru Kholia, and Magnum, the guys behind the infamous John the Ripper (JtR) password cracker answered my plea. Then Jeremi Gosney of Stricture Consulting Group graciously offered up the use of his mega hash cracking computing resources as well. You remember Stricture from their Ars article, they have an insane “25-GPU cluster cracks every standard Windows password in < 6 hours.” Collectively, these guys are the amongst the world’s foremost experts in password cracking. If they can’t help, no one can. No joking around, they immediately dove right in.

Now, I couldn’t just share out my DMG for others to attempt to crack. Its enormous size basically precluded that. But even if I could, I wouldn’t. Given the sensitive nature of the data, I actually preferred the data lost than suffer any risk of a leak. Fortunately, JtR has something called dmg2john. dmg2john scrapes the DMG and provides output which can be cracked with JtR by others without putting the data at risk. Nice! Unfortunately, when I got there, dmg2john and JtR were broken when it came to DMGs. I provided the bug details to john-dev and john-users mailing list to replicate. The JtR developers had the issues fixed in a couple days. These guys are awesome.

Next step, send the dmg2john output of my DMG over to Jeremi at Stricture along with everything I think I remember about what my password might have been. Jeremi informs me of the next challenge, he’s only able to crack my DMG at a speed of ~100 c/s! At that rate it’s going to take a little over a decade worth of cracking to exhaust the password key space. I’m thinking this is very odd, it’s only maybe 6 extra characters tops. Jeremi explains why…

The reason it’s so slow is because your AES256-encrypted DMG uses 250,000 rounds of PBKDF2-HMAC-SHA-1 to generate the encryption key. The ludicrous round count makes it extremely computationally expensive, slowing down the HMAC-SHA1 process by a factor of 250,000.

My Xeon X7350 can crack a single round of HMAC-SHA1 at a rate of 9.3 million hashes per second. But since we are using 250,000 rounds, it means I was reduced to doing ~ 37 hashes per second. Using all four processors I was only able to pull about 104 hashes per second total (doesn’t scale perfectly.)

Once understanding this, Jeremi begins asking for more information about what the extra six or so characters in my password might have been. We’re they all upper and lower case characters? What about digits? Any special characters? Which characters were most likely used, or not used? Ever bit of intel helped a lot. We managed to whittle down an in initial 41106759720 possible password combinations to 22472. This meant the total amount of time required to crack the DMG was reduced to 3.5 minutes on his rig.

Subsequently, Jeremi sent me what had to be one the most relieving and frightening emails I’ve ever received in my life. Relieving because I recognized the password immediately upon sight. I knew it was right, but my anxiety level remained at 10 until typing it in and seeing it work. I hadn’t touched my precious data in weeks! It was a tender moment, but also frightening because, well, no security professional is ever comfortable seeing such a prized password emailed to them from someone else. When/if that happens, it typically means you are hacked and another pain awaits.

Interestingly, in living out this nightmare, I learned A LOT I didn’t know about password cracking, storage, and complexity.  I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.

Now, after telling everyone a few of my best tricks and enduring an awful deficiency in one of them, I’ll obviously have to change things up a bit. Clearly I need paper backup, and thinking maybe about giving it to my attorney for safekeeping where it’ll enjoy legal privilege protection. We’ll see.

In the meantime, I can’t thank the John the Ripper guys and Jeremi from Stricture Consulting enough. If you need a password cracked, for personal and professional reasons, this is where you look to.

 

 

This entry was posted in Technical Insight, Web Application Security on by .

About Jeremiah Grossman

Jeremiah Grossman is the Founder and interim CEO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!