Tag Archives: encryption

Sample Code – Dictionary Zip Password Tool

After reading Violent Python, I decided to try making a basic dictionary zip password recovery tool for fun. Some of the other free open source tools out there are great but this tool is fully functional if not ideal. I’m primarily posting it to serve as an example of how Python can be used to perform such an attack. I do not condone the use of password crackers for illicit purposes.

The tool can generate a biographical dictionary from a specified file’s ASCII strings as well as populate the dictionary with a recursive directory listing from the location of your choice. Got the idea while studying for my AccessData cert. Their Password Recovery Toolkit does this in hopes of increasing the likelihood that the dictionary will contain a relevant password. The idea is that a user either used the word in the past or that it can be found elsewhere on his or her computer. A very cool idea that’s helped me on forensics challenges in the past.

I’ve designed the code below for Python 2.7.5 on Windows 7. It uses the Strings binary from Picnix Utils. You can also click here to download a copy. Obviously the best defense against it is to use a strong password outside the scope of the dictionary (which most people do when protecting zip files anyway).

import argparse
import zipfile
import subprocess
import os

print ''' SYNTAX:
    Dictionary: zipdict.py -f (zip) -d (dict)
    Bio Dictionary Generator: zipdict.py -f (zip) -s (file with desired strings)
'''

parser = argparse.ArgumentParser(description='Zip file dictionary attack tool.')
parser.add_argument('-f', help='Specifies input file (ZIP)', required=True)
parser.add_argument('-d', help='Specifies the dictionary.', required=False)
parser.add_argument('-s', help='Build ASCII strings dictionary.', required=False)
args = parser.parse_args()
zipfile = zipfile.ZipFile(args.f)

print '{*} Cracking: %s' % args.f
print '{*} Dictionary: %s' % args.d

def biodictattack():
  print '{*} Generating biographical dictionary...'
  stringsdict = open('stringsdict', 'w')
  stringsout = subprocess.Popen(['strings', args.f], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
  for string in stringsout.stdout:
    stringsdict.write(string)
    stringsout.wait()
  walkpath = raw_input("Directory listing starting where? [ex. C:\] ")
  for root, dirs, files in os.walk(walkpath):
    for name in files:
      filenames = os.path.join(name)
      stringsdict.write(filenames + '\n')
  for root, dirs, files in os.walk(walkpath):
    for name in dirs:
      dirlisting = os.path.join(name)
      stringsdict.write(dirlisting + '\n')
  print '{*} Done. Re-run tool with zipdict.py -f (zip) -d stringsdict'

def dictattack():
  dict = open(args.d, 'r')
  with open(args.d, 'r') as dict:
    for x in dict.readlines():
      dictword = x.strip('\n')
      try:
        zipfile.extractall(pwd=dictword)
        print '{*} Password found = ' + dictword + '\n'
        print '{*} File contents extracted to zipdict path.'
        exit(0)
      except Exception, e:
        pass

if args.s:
  biodictattack()
else:
  dictattack()

My next post will be on analyzing Volume Shadow Copies on Linux and some cool methods that I used on the 2013 DC3 Forensic Challenge.

Link/Article – Memory Forensics & Encrypted Data Extraction

I’d like to post a link to a very neat paper I found which discusses the ability analyze RAM in hopes of targeting encrypted drives, volumes, files or folders (cited below). A forensic investigator can recover encryption keys and even acquire passphrases with no hash cracking needed. Once a key and/or passphrase is obtained, any encrypted medium on the hard drive using the same credentials may be compromised.

Brian Kaplan’s RAM is Key – Extracting Disk Encryption Keys From Volatile Memory, Carnegie Mellon University (May 2007).

The paper is somewhat dated as it was released in 2007. But what’s cool about it is that such analysis wasn’t as common then as it is now (live acquisition was frowned upon). While it doesn’t highlight anything new (and, indeed, shows its age at times), the paper does make for some interesting reading.

While I’m still relatively new to forensics and currently studying DFIR, I figured that this paper may be of interest to some (I found it interesting from a historical aspect). Plus this article is a good way of introducing more forensic posts to the blog.

Feel free to share similar (or more timely) articles using the comments field below!

Related Tools

Volatility by Volatile Systems

Memoryze/AuditViewer & Redline by Mandiant

Finding Encrypted Drives/Volumes on Hard Drive

EDD and, I hear, TCHunt are both excellent tools. I’ve only played around with EDD but I plan on exploring other forms of encrypted drive/volume discovery and decryption in the future.

Links – PGP Security

If you use PGP, as I do, you’ll want to read an old but useful article on pgp.net: “Security Questions” @ pgp.net as it covers a whole slew of topics ranging from how secure asymmetric cryptography can be to possible security threats arising from using PGP. Essentially if you have a good passphrase you’re better off than folks without one.

Similarly, this article explains passphrase safety tips: http://www.wowarea.com/english/help/pwd.htm — similar to the previous article mentioned which mentions TEMPEST*, this discusses things like a hidden microphone, camera, stolen swap files, access to your hard disk or other medium where private keys are stored, not using drive wiping technologies, key loggers, recovery software and EM microscopes on junked hard drives, viruses, Trojans and more.

* Some useful sites dealing with information on the old TEMPEST attack can be found using these sites:

http://en.wikipedia.org/wiki/Tempest_(codename)
http://www.surasoft.com/articles/tempest.php

With modern technologies and, being a regular citizen as opposed to an enemy of the state, your probably safe!

While it wasn’t designed specifically for asymmetric key passphrases, the GRC’s Haystack Password checker can be used as a starting point for developing safe habits: https://www.grc.com/haystack.htm

Also, in GPG anyway, if you ever find yourself needing to explain what a particular encrypted message is you can always perform a session key override:

--show-session-key (file)

Followed by:

--override-session-key (session key hash) (file)

The former will reveal a unique encrypted session key string, which is derived from your public key but is different than your secret key. The latter will enable you to decrypt a single text/file without you having to give any sensitive information. This is very useful if you have a naggy wife (or husband)!

Lastly Schneier’s article regarding the flaws of public key infrastructure is a must read.

The sites above make for some good reading and could help you safeguard your data appropriately.

EDIT: If you are subscribed to the blog, sorry for the multiple emails for the same post. Seems to have been some sort of problem with the CSS but it seems to be fixed now.