vdi2john #1849

Closed
ukasz opened this Issue Oct 23, 2015 · 17 comments

@ukasz
Contributor

ukasz commented Oct 23, 2015

http://www.sinfocol.org/2015/07/virtualbox-disk-image-encryption-password-cracker/
Now it does 50 c/s on my notebook; it would benefit from moving it to john.
I guess we have all the moving parts to do it.

@ukasz ukasz added the New format label Oct 23, 2015

Collaborator

kholia commented Oct 24, 2015

@ukasz is this ticket up for grabs? :)

Contributor

ukasz commented Oct 24, 2015

yes!

@kholia kholia self-assigned this Oct 24, 2015

Collaborator

jfoug commented Dec 10, 2015

Here is a sample I just built. The password is jtr.

<HardDisk uuid="{037c6305-4e85-4402-9a30-0c67ed5183fe}" location="encr-test.vdi" format="VDI" type="Normal">
          <Property name="CRYPT/KeyId" value="encr-test"/>
          <Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAB6xfStYoZAboSvMf02iBz1WNN1rikI&#13;&#10;Wwjm9l6/0VN2yiAAAAADQPE3E2rVT1n0sk7wvzUkDhQN/Va7wZznCu5ldfCqv9AH&#13;&#10;AABwn23xI/HMsSbqHz5WW+t405yv3Jjg2qLkLMQ87xH3htAHAABAAAAACifhePR6&#13;&#10;CwWnUtbpF7ie9CBcaudnBcNIWDkPivps8DpF2Y+rU7dtjRxoUH54EGM9tLg1AaJJ&#13;&#10;a35EPsy1PbyEcw=="/>
        </HardDisk>

@kholia kholia removed their assignment Dec 10, 2015

Collaborator

kholia commented Dec 10, 2015

This ticket is up for grabs. Please feel free to work on it, thanks!

Collaborator

jfoug commented Dec 10, 2015

The above key, converted to hex, is:

53434e4500014145532d5854533235362d504c41494e3634000000000000000000000000000050424b4446322d53484132353600000000000000000000000000000000000000400000007ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca200000000340f137136ad54f59f4b24ef0bf35240e140dfd56bbc19ce70aee6575f0aabfd0070000709f6df123f1ccb126ea1f3e565beb78d39cafdc98e0daa2e42cc43cef11f786d0070000400000000a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473

Broken down, it is:

signature: 53434e45
version:    0001
EVP:   4145532d5854533235362d504c41494e36340000000000000000000000000000  AES-XTS256-PLAIN64
PBKDF2: 50424b4446322d53484132353600000000000000000000000000000000000000 PBKDF2-SHA256
Key Len: 40000000  (0x40, it is in Little Endian format)
Final hash: 7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca
Key len in 2nd pbkdf2:  200000000 (0x20)
Salt 2nd PBKDF2: 340f137136ad54f59f4b24ef0bf35240e140dfd56bbc19ce70aee6575f0aabf
iterations (2nd pbkdf2): d0070000  (0x7d0 2000)
Salt 1st PBKDF2: 709f6df123f1ccb126ea1f3e565beb78d39cafdc98e0daa2e42cc43cef11f786
iterations (1st pbkdf2): d0070000  (0x7d0 2000)
EVP len:  400000000
Encrypted password used in the second call to PBKDF2 (to be used as input in the call to AES-XTS):
a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473

Now that I can create these at will (I use the heck out of virtualbox), I can create a vdi2john and a format. It really does not look 'that' hard. I guess first step is to get a format hash, then build a pass_gen.pl generator :)

Collaborator

kholia commented Dec 10, 2015

Hopefully, vdi2john won't be written in C :-)

Collaborator

jfoug commented Dec 10, 2015

Nope, I figure brainf*** would be better, lol

Owner

magnumripper commented Dec 10, 2015

lolcode FTW

Collaborator

jfoug commented Dec 10, 2015

I really figure it will be in perl, since the first code I will do is pass_gen.pl

Collaborator

jfoug commented Dec 11, 2015

Ok, now at least I 'know' I can get this working:

sub vdi {
    my $p = "jtr";
    # 1st PBKDF2-SHA256: password + salt1, 2000 iterations, 0x40 bytes out -> the AES-XTS key
    my $evp_pass = pp_pbkdf2($p, pack("H*","709f6df123f1ccb126ea1f3e565beb78d39cafdc98e0daa2e42cc43cef11f786"), 2000, \&sha256, 0x40, 64);
    print "evp_pass = " . unpack("H*",$evp_pass)."\n";
    # the 64-byte encrypted password buffer taken from the keystore
    my $enc_dat = pack("H*","0a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473");
    print "enc_dat  = " . unpack("H*",$enc_dat)."\n";
    my $tweak = "\x00"x16;  #first block of file
    # AES-256-XTS decrypt (existing pass_gen.pl helper) -> the decrypted password material
    my $dec_pass = _tc_aes_256_xts_d($evp_pass,$enc_dat,$tweak);
    print "dec_pass = " . unpack("H*",$dec_pass)."\n";
    # 2nd PBKDF2-SHA256: decrypted buffer + salt2, 2000 iterations, 0x20 bytes out
    my $final = pp_pbkdf2($dec_pass, pack("H*","0340f137136ad54f59f4b24ef0bf35240e140dfd56bbc19ce70aee6575f0aabf"), 2000, \&sha256, 0x20, 64);
    print unpack("H*",$final)."\n";
    # the "Final hash" stored in the keystore; the two lines must match
    print "7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca\n";
    exit 1;
}

and when run:

$ ../run/pass_gen.pl vdi

Enter words to hash, one per line.

evp_pass = 9103f1260b5895dadeff5409e4582043463b9d03d060f317e59b37bb519c3295077434f51ceb7882adda9bda66e2c3537f203ee9ed5bc8c0c67b280044dc5489
enc_dat  = 0a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473
dec_pass = b28bbee6b27bf4fe683a9e277fc364c54411eb21a9e628418555d52e565efd6cafa8b5b7ce0a436b1e25c0bc8f04200f7e62dfb7c217ad8649a51dd8af96d8e0
7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca
7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca

So the dec pass matches. Now, this is not pass_gen.pl creation (this would be what JtR will be doing), BUT it shows that I can do this in perl, and easily do this in JtR. TrueCrypt is very similar. It also uses AES-XTS, so the algorithm is almost identical.

I do have concerns about putting too much into this. I know the php lists sha1, sha256 and sha512 pbkdf2. I have virtualbox, and the only 'options' I see are AES(128)|(256)-XTS.

So all I plan on coding at this time is pbkdf2-sha256 with 128/256 AES code. Then later if we DO see other implementations, we can expand this.

Collaborator

kholia commented Dec 11, 2015

Sounds great 👍

Collaborator

jfoug commented Dec 11, 2015

$ ../run/john -test=5 -form=vdi_aes_xts
Will run 8 OpenMP threads
Benchmarking: vdi_aes_xts, VirtualBox-VDI AES256_XTS [SHA256 128/128 AVX 4x]... (8xOMP) DONE
Raw:    3162 c/s real, 431 c/s virtual

What should we label this? What I have here, or simply 'vdi'?

Collaborator

kholia commented Dec 11, 2015

I would say vdi (will be easier for the users).

Collaborator

jfoug commented Dec 11, 2015

The format is in. I have not done AES128 (yet). Also, there is no vdi2john (yet).

b78a12c. The speed is basically that of PBKDF2-SHA256 at 4000 iterations. The AES plays almost no part in the speed.

NOTE, this is slower than 'normal' pbkdf2-sha256. This is because there are 2 pbkdf2's. The first decodes 64 bytes (takes 2 runs of pbkdf2). The 2nd decodes 32 bytes (normal, 1 pbkdf2 limb). So really, instead of 4000 iterations we are 'really' at 6000 iterations. So, on my machine, here are the speeds:

pbkdf2-sha256 (1000 iterations): 19163. VDI: 3181. 19163/6 = 3193.8333, so we can see that in this hash 99.6% of the time is in the PBKDF2 work.

Collaborator

jfoug commented Dec 11, 2015

Here is an AES-128 keystore, encrypted with 'jtr':

U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAAAwL0xPWMDe6Wdt/a862p49fsS1v8fmVlyUH07HM3No1CAAAADvVghYtMBovY2ZTN8Dj1HLG59ZM11yy4dOeaE8W2qoStAHAADT/SuydzTyWRiscmcXsZIJElNEHEvHGoFNCmSD5zMl6tAHAAAgAAAAef8AD3Y405sNAq0I387eh0AIfjNOmAIkZaOAvfeP/xMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

KeyStore contents:
Header 454e4353 (SCNE)
Version 1
Algorithm AES-XTS128-PLAIN64
KDF PBKDF2-SHA256
Key length 32
Final hash 302f4c4f58c0dee9676dfdaf3ada9e3d7ec4b5bfc7e6565c941f4ec7337368d4
PBKDF2 2 Key length 32
PBKDF2 2 Salt ef560858b4c068bd8d994cdf038f51cb1b9f59335d72cb874e79a13c5b6aa84a
PBKDF2 2 Iterations 2000
PBKDF2 1 Salt d3fd2bb27734f25918ac726717b192091253441c4bc71a814d0a6483e73325ea
PBKDF2 1 Iterations 2000
EVP buffer length 32
PBKDF2 2 encrypted password 79ff000f7638d39b0d02ad08dfcede8740087e334e98022465a380bdf78fff13
0000000000000000000000000000000000000000000000000000000000000000
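
Added example (my own code, not from the JtR project or the php script): a Python parser for the CRYPT/KeyStore value using the fixed field widths from jfoug's hex breakdown above, followed by the two PBKDF2-SHA256 stages from the pass_gen.pl check. The AES-XTS decryption between the stages is not reproduced here, so stage 2 is exercised with the dec_pass value the pass_gen.pl run printed; the field names are mine, and the two keystores embedded are the AES-256 and AES-128 samples posted in this thread (both made with password 'jtr'). Splitting by field width also shows why the Perl snippet uses a salt2 beginning 0340f137 and an encrypted buffer beginning 0a27e178: the hand breakdown dropped a leading nibble in those places.

```python
import base64
import hashlib
import struct

# 250-byte fixed layout in the field order of jfoug's breakdown: the version is
# big-endian, the u32 key lengths and iteration counts are little-endian.
_LAYOUT = "<4s2s32s32sI32sI32sI32sII64s"

# The two CRYPT/KeyStore values posted in this thread (both made with password 'jtr');
# the first still carries the XML line-break entities copied out of the .vbox file.
KEYSTORE_AES256 = "U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAB6xfStYoZAboSvMf02iBz1WNN1rikI&#13;&#10;Wwjm9l6/0VN2yiAAAAADQPE3E2rVT1n0sk7wvzUkDhQN/Va7wZznCu5ldfCqv9AH&#13;&#10;AABwn23xI/HMsSbqHz5WW+t405yv3Jjg2qLkLMQ87xH3htAHAABAAAAACifhePR6&#13;&#10;CwWnUtbpF7ie9CBcaudnBcNIWDkPivps8DpF2Y+rU7dtjRxoUH54EGM9tLg1AaJJ&#13;&#10;a35EPsy1PbyEcw=="
KEYSTORE_AES128 = "U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAAAwL0xPWMDe6Wdt/a862p49fsS1v8fmVlyUH07HM3No1CAAAADvVghYtMBovY2ZTN8Dj1HLG59ZM11yy4dOeaE8W2qoStAHAADT/SuydzTyWRiscmcXsZIJElNEHEvHGoFNCmSD5zMl6tAHAAAgAAAAef8AD3Y405sNAq0I387eh0AIfjNOmAIkZaOAvfeP/xMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

def parse_keystore(value):
    """Decode a CRYPT/KeyStore value into its fields (binary fields as hex)."""
    raw = base64.b64decode(value.replace("&#13;&#10;", "").strip())
    if len(raw) != struct.calcsize(_LAYOUT):
        raise ValueError("keystore is %d bytes, expected 250" % len(raw))
    (sig, ver, alg, kdf, key_len, final_hash, key_len2, salt2, iter2,
     salt1, iter1, evp_len, enc) = struct.unpack(_LAYOUT, raw)
    if sig != b"SCNE":
        raise ValueError("bad keystore signature %r" % sig)
    return {
        "version": int.from_bytes(ver, "big"),
        "algorithm": alg.rstrip(b"\0").decode(),
        "kdf": kdf.rstrip(b"\0").decode(),
        "key_len": key_len, "final_hash": final_hash.hex(),
        "key_len2": key_len2, "salt2": salt2.hex(), "iter2": iter2,
        "salt1": salt1.hex(), "iter1": iter1,
        # only the first evp_len bytes of the 64-byte buffer are ciphertext
        "evp_len": evp_len, "enc_password": enc[:evp_len].hex(),
    }

def derive_evp_key(ks, password):
    """Stage 1: PBKDF2-SHA256(password, salt1, iter1) -> key_len bytes, the AES-XTS
    key that decrypts enc_password (the XTS step itself is not reproduced here)."""
    if ks["kdf"] != "PBKDF2-SHA256":
        raise ValueError("unsupported KDF " + ks["kdf"])
    return hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(ks["salt1"]),
                               ks["iter1"], ks["key_len"])

def final_hash_matches(ks, dec_password):
    """Stage 2: PBKDF2-SHA256(decrypted password, salt2, iter2) must equal the
    stored final hash; this comparison is what decides a password guess."""
    h = hashlib.pbkdf2_hmac("sha256", dec_password, bytes.fromhex(ks["salt2"]),
                            ks["iter2"], ks["key_len2"])
    return h == bytes.fromhex(ks["final_hash"])
```

The same parser handles both the AES-256 and the AES-128 keystore; only key_len and evp_len differ between them.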

Collaborator

jfoug commented Dec 11, 2015

7775e14 adds AES128-XTS.

Now the only thing left is vdi2john.pl

Collaborator

jfoug commented Dec 12, 2015

This should close this one out. ba431d6, MUCH faster than the php script ;)

@jfoug jfoug closed this Dec 12, 2015
