A lot of people ask the question: How can I recover my truecrypt password? Others ask the question: How can I crack a truecrypt container? So out of curiousity I went on a little investigation to know what the current tools are to bruteforce a truecrypt container. So here is a small compilation of the methods I’ve found to bruteforce a truecrypt container.
This is just my little hate/love affair with python. This post will be a bit chaotic but ohwell…
Well when I first read about python my inmediate reaction was: HATE HATE HATE. This reaction was only triggered because of one reason: indentation. This kept going on for a while until I finally decided to try python out and create my opinion based on using the language instead of prejudices. I’ll explain what the word ‘hidden’ does in the title of this blog posting later on.
Well I’ve been developing this for a while now and still haven’t finished, mainly because I’ve got little time to spare for coding. Previously I wrote about using somekind of ping to see if your computer is still connected to the net. The solution is fun but it will not prevent forensic analysis of your computer. I have expanded upon that previous post and started to write a toolkit which could be used if we assume the following:
You want to prevent live-forensic analyses of your computer at all costs. You don’t care about normal forensic analysis because your harddisk is encrypted and you have used a real long password and a keyfile.
So with that in mind I started to construct something which frustrates live forensics and at the same time is easy to expand. If you are concerned about normal forensic analysis you can always turn to some of the current anti-forensics projects like the one at metasploit.
WoW beeing ill really SUCKS. Happy NEW YEAR. That part is also done. Hmmm what’s left…oh yeah the reason I didn’t write too much on my blog. It’s not because I was ill, it’s just because I was lazy ass hell and my my gf was staying over…so busy busy busy.
Only thing I could not switch of during these ‘holidays’ was my brain. It seems to be twisted since my birth and oh well I learned to live with it. So I had a midnight thought the other day. Nothing to funky nonetheless interesting. It’s all about connect back backdoors. If a connect back backdoor is used you always have the question: To where must it connect back?
Well in my quest to move my old kd-team.com tools and papers to my new blog here is another one from the old website. Two ways to detect rootkits, one of them doesn’t work anymore (assuming all rootkits hook the function used back then) the other one I don’t know haven’t tested it latley. Here are the readme’s and the source codes.
I always loved this subject. In movies they are all so cool about it. It’s all like:
Sir, his ip is 18.104.22.168.
Go ahead triangulate it so we can nail him.
Sir, we have got him, he is in bla bla bla
Last night a buddy of mine asked me if it was possible to geolocate an IP address, he was interested for fun where the hell his “viagra” spammer lived. So triggered by his question I started investigating the possible methods and resoures to geolocate an IP address and at the same time find out how realistic hollywood is in it’s movies.
Here we go again, another really old paper from the old kd-team.com archives. This was one of my first real fun encounters with Reverse Engineering. I know it’s not used anymore and it’s old and it’s probably bah…but still :) there are a lot of people who everyday start learning RE and what better way then with some nostalgy and a good laugh.
Here is some sourcecode of an old kd-team post. Sending a ICMP packet where you can specify all you want yourself. This source can be used for a variaty of stuff and well…just use your imagination.
No really, it’s easy, it’s proven and it works. Installing is really easy…lotsa documentation also. The best part of it was that…spidermonkey does not have default support for things like document.write(); After googling I found out about 2 ways to achieve it. The first method involved changing the C files and recompiling and such…the other method was so much easier. Have a look:
part1 for a nice introduction
part2 with the solution to add document.write(); support.
For the ones interested here is the method where you need to recompile spidermonkey and such.
There are a lot more of interesting deobfuscation tools out there to play with though.
So no reversing section but still a reversing post. My personal opinion is that reversing is part of a forensic research in some way or an other…you could state that reversing is like a very specific forensic investigator. Most people asociate reversing with copyright infringements and bypassing security measures to access forbidden goodies(game cheats for example). Reversing can also be used for legal purposes just to name a few:
- perform a blackbox audit on an executable
- perform a investigation on a piece of malware
- help develop a quick patch until the official one is released
- learn and understand compiler optimization
I love reversing, I also hate reversing. Yet I keep practicing it and trying to learn. Why ? Because it really is a beautifull way to learn new things and to relax(this depends on the person reversing of course).
So here I was relaxing and watching Friends…when suddenly one of my old and almost forgotten ideas popped in my head. The problem context is as follow:
Let’s say you image(or you just want to search) a harddisk and want to know if the person has any crypto containers on his/her harddisk? How would you go about this?
Well truecrypt 6.1 has been released and I thought it was time to update my machine. Since I’ve started using truecrypt I’ve kept screenshot of the benchmarks so for the ones who love numbers here they are. I’ve also made volume headers backup and disabled the boot message that states the machine is encrypted with truecrypt. I have to admit I’m totally fond of truecrypt it’s easy and good for free. Oh and YES I’ve made volume header backups and rescuedisks, you never know when bad luck strikes.
I love it. It was like so easy to get my internet connection going on my ubuntu through my mobile phone. All I had to do was connect the mobile to my laptop using a mini-usb cable. Ubuntu then automatically recognized it all and all I had to do was choose my provider and it WORKED!!!
I’ve installed ubuntu 8.10 on my laptop just to see how it goes and well I have to admit it works pretty good. Until now I haven’t had any problem with it.
Well so much for my ubuntu experience, I’ll keep you posted because somehow I always screw up when I use linux. So I really hope I hang on to it this time.
Ah man…beeing busy really ***** (sucks). I don’t like censoring words….
Lucky for me this time it was pleasure busy. I’ve been away for a few days in one of the cities famous for their diamonds. It was really impressive to see a whole street with only juwel stores. The funny thing was that the local building for diamond exchange seemed to have better security measure then the bank that was next door. Just to clarify things up , I wasn’t there for the diamonds. Those are boring. They just shine and well shine. So what’s next? I’ve been thinking about posting my todo list but then again…if I do that people will actually see that I never get it done.
So I’ll just post stuff when it’s done.
For the moment beeing I’m concentrating on the latest burp release which is comming up in december I can’t wait till I can hit the download button. Got some nice ideas to expand the current poc’s I’ve written and hopefully abuse the new and improved API.
If you get the impression this was written in a hurry , yes it was. I’m tired and want to sleep but I also wanted to write so this is the end result, I’m now going to sleep.
Maybe “IDE Sniffing” is a bit misleading…but I was not sure how to call it otherwise. So this is the problem context: You need to know if a harddisk is encrypted but you are not allowed to disconnect or move the computer. You have no access to the computer, like no login,no firewire to exploit and no vulnerable services running. Let’s also assume that this computer is using normal IDE ( I know it’s a bit outdated) disks. How on earth are we going to find out?