vdi2john #1849

Closed
ukasz opened this Issue Oct 23, 2015 · 17 comments

@ukasz
Collaborator
ukasz commented Oct 23, 2015

http://www.sinfocol.org/2015/07/virtualbox-disk-image-encryption-password-cracker/
Now it does 50 c/s on my notebook; it would benefit from being moved to john.
I guess we have all the moving parts to do it.

@ukasz ukasz added the New format label Oct 23, 2015
@kholia
Collaborator
kholia commented Oct 24, 2015

@ukasz is this ticket up for grabs? :)

@ukasz
Collaborator
ukasz commented Oct 24, 2015

yes!

@kholia kholia self-assigned this Oct 24, 2015
@jfoug
Collaborator
jfoug commented Dec 10, 2015

Here is a sample I just built. The password is jtr.

<HardDisk uuid="{037c6305-4e85-4402-9a30-0c67ed5183fe}" location="encr-test.vdi" format="VDI" type="Normal">
          <Property name="CRYPT/KeyId" value="encr-test"/>
          <Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAB6xfStYoZAboSvMf02iBz1WNN1rikI&#13;&#10;Wwjm9l6/0VN2yiAAAAADQPE3E2rVT1n0sk7wvzUkDhQN/Va7wZznCu5ldfCqv9AH&#13;&#10;AABwn23xI/HMsSbqHz5WW+t405yv3Jjg2qLkLMQ87xH3htAHAABAAAAACifhePR6&#13;&#10;CwWnUtbpF7ie9CBcaudnBcNIWDkPivps8DpF2Y+rU7dtjRxoUH54EGM9tLg1AaJJ&#13;&#10;a35EPsy1PbyEcw=="/>
        </HardDisk>
@kholia kholia removed their assignment Dec 10, 2015
@kholia
Collaborator
kholia commented Dec 10, 2015

This ticket is up for grabs. Please feel free to work on it, thanks!

@jfoug
Collaborator
jfoug commented Dec 10, 2015

The above key in hex is:

Broken down, it is:

signature: 53434e45
version:    0001
EVP:   4145532d5854533235362d504c41494e36340000000000000000000000000000  AES-XTS256-PLAIN64
PBKDF2: 50424b4446322d53484132353600000000000000000000000000000000000000 PBKDF2-SHA256
Key Len: 40000000  (0x40, it is in Little Endian format)
Final hash: 7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca
Key len in 2nd pbkdf2:  200000000 (0x20)
Salt 2nd PBKDF2: 340f137136ad54f59f4b24ef0bf35240e140dfd56bbc19ce70aee6575f0aabf
iterations (2nd pbkdf2): d0070000  (0x7d0 2000)
Salt 1st PBKDF2: 709f6df123f1ccb126ea1f3e565beb78d39cafdc98e0daa2e42cc43cef11f786
iterations (1st pbkdf2): d0070000  (0x7d0 2000)
EVP len:  400000000
Encrypted password used in the second call to PBKDF2 (to be used as input in the call to AES-XTS):
a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473

Now that I can create these at will (I use the heck out of virtualbox), I can create a vdi2john and a format. It really does not look 'that' hard. I guess first step is to get a format hash, then build a pass_gen.pl generator :)

@kholia
Collaborator
kholia commented Dec 10, 2015

Hopefully, vdi2john won't be written in C :-)

@jfoug
Collaborator
jfoug commented Dec 10, 2015

Nope, I figure brainf*** would be better, lol

@magnumripper
Owner

lolcode FTW

@jfoug
Collaborator
jfoug commented Dec 10, 2015

I really figure it will be in perl, since the first code I will do is pass_gen.pl

@jfoug
Collaborator
jfoug commented Dec 11, 2015

Ok, now at least I 'know' I can get this working:

sub vdi {
    my $p = "jtr";
    # 1st PBKDF2-SHA256: password + salt1 -> 64-byte AES-XTS key (two 32-byte halves)
    my $evp_pass = pp_pbkdf2($p, pack("H*","709f6df123f1ccb126ea1f3e565beb78d39cafdc98e0daa2e42cc43cef11f786"), 2000, \&sha256, 0x40, 64);
    print "evp_pass = " . unpack("H*",$evp_pass)."\n";
    # encrypted disk key as stored in the KeyStore
    my $enc_dat = pack("H*","0a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473");
    print "enc_dat  = " . unpack("H*",$enc_dat)."\n";
    my $tweak = "\x00"x16;  #first block of file
    # AES-256-XTS decrypt with the derived key recovers the disk encryption key
    my $dec_pass = _tc_aes_256_xts_d($evp_pass,$enc_dat,$tweak);
    print "dec_pass = " . unpack("H*",$dec_pass)."\n";
    # 2nd PBKDF2-SHA256: decrypted key + salt2 -> 32-byte hash, must equal the stored one
    my $final = pp_pbkdf2($dec_pass, pack("H*","0340f137136ad54f59f4b24ef0bf35240e140dfd56bbc19ce70aee6575f0aabf"), 2000, \&sha256, 0x20, 64);
    print unpack("H*",$final)."\n";
    print "7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca\n";
    exit 1;
}

and when run:

$ ../run/pass_gen.pl vdi

Enter words to hash, one per line.

evp_pass = 9103f1260b5895dadeff5409e4582043463b9d03d060f317e59b37bb519c3295077434f51ceb7882adda9bda66e2c3537f203ee9ed5bc8c0c67b280044dc5489
enc_dat  = 0a27e178f47a0b05a752d6e917b89ef4205c6ae76705c34858390f8afa6cf03a45d98fab53b76d8d1c68507e7810633db4b83501a2496b7e443eccb53dbc8473
dec_pass = b28bbee6b27bf4fe683a9e277fc364c54411eb21a9e628418555d52e565efd6cafa8b5b7ce0a436b1e25c0bc8f04200f7e62dfb7c217ad8649a51dd8af96d8e0
7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca
7ac5f4ad6286406e84af31fd36881cf558d375ae29085b08e6f65ebfd15376ca

So the dec pass matches. Now, this is not pass_gen.pl creation (this would be what JtR will be doing), BUT it shows that I can do this in perl, and easily do this in JtR. The TrueCrypt one is very similar. It also uses AES-XTS, so it is almost identical in the algorithm manner.

I do have concerns about putting too much into this. I know the php lists sha1, sha256 and sha512 pbkdf2. I have virtualbox, and the only 'options' I see are AES(128)|(256)-XTS.

So all I plan on coding at this time is pbkdf2-sha256 with 128/256 AES code. Then later if we DO see other implementations, we can expand this.
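
The KeyStore layout decoded earlier in the thread and the two PBKDF2 stages of the Perl check above, as an added Python example that is not part of the original thread or of JtR: it parses a CRYPT/KeyStore value straight out of the .vbox XML (entities included) with only the standard library, derives the stage-1 AES-XTS key, and checks a decrypted disk key against the stored hash. The middle AES-XTS step needs an AES library and is left out; the field names, the big-endian reading of the 2-byte version, and the helper names are my assumptions.

```python
import base64
import hashlib
import html
import struct

# CRYPT/KeyStore layout as decoded in this thread (lengths and iteration counts
# are little-endian): magic "SCNE", version, cipher, KDF, EVP key length, final
# hash, PBKDF2-2 key length, salt 2, iter 2, salt 1, iter 1, EVP length, enc DEK.
_LAYOUT = "<4s2s32s32sI32sI32sI32sII64s"

def parse_keystore(xml_value):
    """Decode a CRYPT/KeyStore property value; XML entities and CRLF are tolerated."""
    raw = base64.b64decode("".join(html.unescape(xml_value).split()))
    if len(raw) != struct.calcsize(_LAYOUT):
        raise ValueError("unexpected keystore size %d" % len(raw))
    f = struct.unpack(_LAYOUT, raw)
    if f[0] != b"SCNE":
        raise ValueError("bad keystore magic %r" % f[0])
    return {
        "version": int.from_bytes(f[1], "big"),  # bytes 00 01 -> 1 (assumed big-endian)
        "cipher": f[2].rstrip(b"\0").decode(),
        "kdf": f[3].rstrip(b"\0").decode(),
        "key_len": f[4], "final_hash": f[5],
        "key_len2": f[6], "salt2": f[7], "iter2": f[8],
        "salt1": f[9], "iter1": f[10], "evp_len": f[11],
        "enc_dek": f[12][:f[11]],  # only evp_len bytes of the 64-byte slot are used
    }

def derive_evp_key(password, ks):
    """Stage 1: PBKDF2-SHA256 over the user password gives the AES-XTS key.
    Stage 2 (AES-XTS decrypt of enc_dek with this key, zero tweak) is not done here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ks["salt1"],
                               ks["iter1"], ks["key_len"])

def dek_matches(dek, ks):
    """Stage 3: PBKDF2-SHA256 over the decrypted DEK must equal the stored hash."""
    h = hashlib.pbkdf2_hmac("sha256", dek, ks["salt2"], ks["iter2"], ks["key_len2"])
    return h == ks["final_hash"]

# Constructed input: the AES-256 sample posted above (password "jtr"), copied
# from the XML property value with its &#13;&#10; entities left in place.
KEYSTORE_AES256 = (
    "U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;"
    "MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAB6xfStYoZAboSvMf02iBz1WNN1rikI&#13;&#10;"
    "Wwjm9l6/0VN2yiAAAAADQPE3E2rVT1n0sk7wvzUkDhQN/Va7wZznCu5ldfCqv9AH&#13;&#10;"
    "AABwn23xI/HMsSbqHz5WW+t405yv3Jjg2qLkLMQ87xH3htAHAABAAAAACifhePR6&#13;&#10;"
    "CwWnUtbpF7ie9CBcaudnBcNIWDkPivps8DpF2Y+rU7dtjRxoUH54EGM9tLg1AaJJ&#13;&#10;"
    "a35EPsy1PbyEcw=="
)
```

The parsed salt2 carries the leading 0x03 byte that the earlier hand decode dropped, which is why the Perl check had to use the 64-character form.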

@kholia
Collaborator
kholia commented Dec 11, 2015

Sounds great 👍

@jfoug
Collaborator
jfoug commented Dec 11, 2015

$ ../run/john -test=5 -form=vdi_aes_xts
Will run 8 OpenMP threads
Benchmarking: vdi_aes_xts, VirtualBox-VDI AES256_XTS [SHA256 128/128 AVX 4x]... (8xOMP) DONE
Raw:    3162 c/s real, 431 c/s virtual

What should we label this? what I have it here or simply 'vdi' ??

@kholia
Collaborator
kholia commented Dec 11, 2015

I would say vdi (will be easier for the users).

@jfoug
Collaborator
jfoug commented Dec 11, 2015

The format is in. I have not done AES128 (yet). Also, there is no vdi2john (yet).

b78a12c The speed is basically PBKDF2-SHA256 4000 iteration. The AES plays almost no part in the speed.

NOTE, this is slower than 'normal' pbkdf2-sha256. This is because there are 2 pbkdf2's. The first decodes 64 bytes (takes 2 runs of pbkdf2). The 2nd decodes 32 bytes (normal, 1 pbkdf2 limb). So really, instead of 4000 iterations, we 'really' are at 6000 iterations. So, on my machine, here are the speeds:

pbkdf2-sha256 (1000 iterations): 19163. VDI: 3181. 19163/6 = 3193.8333, so we can see that in this hash, 99.6% of the time is in the PBKDF2 work.

@jfoug
Collaborator
jfoug commented Dec 11, 2015

Here is an AES-128 one, encrypted with 'jtr':

U0NORQABQUVTLVhUUzEyOC1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hBMjU2AAAAAAAAAAAAAAAAAAAAAAAAACAAAAAwL0xPWMDe6Wdt/a862p49fsS1v8fmVlyUH07HM3No1CAAAADvVghYtMBovY2ZTN8Dj1HLG59ZM11yy4dOeaE8W2qoStAHAADT/SuydzTyWRiscmcXsZIJElNEHEvHGoFNCmSD5zMl6tAHAAAgAAAAef8AD3Y405sNAq0I387eh0AIfjNOmAIkZaOAvfeP/xMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

KeyStore contents:
Header 454e4353 (SCNE)
Version 1
Algorithm AES-XTS128-PLAIN64
KDF PBKDF2-SHA256
Key length 32
Final hash 302f4c4f58c0dee9676dfdaf3ada9e3d7ec4b5bfc7e6565c941f4ec7337368d4
PBKDF2 2 Key length 32
PBKDF2 2 Salt ef560858b4c068bd8d994cdf038f51cb1b9f59335d72cb874e79a13c5b6aa84a
PBKDF2 2 Iterations 2000
PBKDF2 1 Salt d3fd2bb27734f25918ac726717b192091253441c4bc71a814d0a6483e73325ea
PBKDF2 1 Iterations 2000
EVP buffer length 32
PBKDF2 2 encrypted password 79ff000f7638d39b0d02ad08dfcede8740087e334e98022465a380bdf78fff13
0000000000000000000000000000000000000000000000000000000000000000

@jfoug
Collaborator
jfoug commented Dec 11, 2015

7775e14 adds AES128-XTS.

Now the only thing left is vdi2john.pl

@jfoug
Collaborator
jfoug commented Dec 12, 2015

This should close this one out. ba431d6 MUCH faster than the php script ;)

@jfoug jfoug closed this Dec 12, 2015