Hibernation …. Well Kinda

If you are reading this post then you are still subscribe to my RSS feed (thank you kind person) or you have stumbled across this site for the info from one of my old postings.

So I wanted to make a quick post to say this blog isn’t forgotten, but I am more focused on www.subliminalhacking,net and I don’t see the point of posting something just for statistics sake. So when I get some time (there  isnt much as a new parent) I will post something worthy of your time.

 

We take a look at Elcomsoft iPhone Password Breaker… Its Good

Elcomsoft are a Russian based software company, who make excellent security and audit products. Perhaps the name doesn’t ring a bell, but I am sure if you look at their product offerings you will be more than familiar with their products.

I first heard about Elcomsoft around 2002 I think it was when I needed to do some password recovery for some Office documents, and a colleague had a copy and it did its magic and we had a happy user. Ever since then I have kept the site bookmarked and keep a check on it every now and again.

Fast forward to 2010 and I find myself looking at iPhones and their suitability for use in the corporate world, and then I hear again about Elcomsoft releasing an iPhone Password Breaker (EPPB). So here we are, reviewing this product, and seeing just how it works and if it does what it says on the tin.

At the time of writing the professional version is advertised at £199 and the home version at £79. To see the difference between the version, please see the end of the review, or click here to visit the Elcomsoft site.

Thanks to the guys at Elcomsoft for letting me have a copy to review, and for helping resolving any issues I came across on the way.

So first things first, the EPPB requires a Windows Platform, so I fired up an XP SP3 VM, and a physical W7 box to do some GPU based testing.

Once its installed we need to get hold of our encrypted iPhone backup. So the main file we are looking for is the Manifest.plist file, however if you will want to look at the keychain info you will want the complete contents of the appropriate folder.

When iTunes takes a backup of your iPhone it will include your settings files, from the preferences library, and databases, such as your calls, notes, bookmarks, password etc.

So if your on a Mac you need to look here > /Library/Application Support/MobileSync/Backup
On a PC you need to look here > Documents & Settings\\Application Data\Apple Computer\MobileSync\Backup or Users\\AppData\Roaming\Apple Computer\MobileSync\Backup

So once you have located your encrypted backup its time to fire up the password breaker and point it at the file in question. You will see the details of the device once you have selected it. We can see in this example the backup is that of an iPhone 4.

Now we have our file selected, lets make sure we are using the right hardware. So now we can enable / disable our CPU and GPU options.

So now the hardware is selected, we are almost ready to get cracking :) Now we just need to decide how we are going to go about it. We can use dictionary based attacks and supply files with the information (although it does come with some) or we can configure some brute force settings.

So now we are all configured, and lets face it, its all easy and straight forward. Now we kick off the cracking and watch the speed.

In the image below I am using a dual core Intel 3Ghz processor and a ATI Radeon 5880. As you can see its 15,108 passwords a second, not to shabby at all. My quickest crack was a 7 character dictionary password that was popped in 2.33 secs, GPU for the win. I also tried just a 64Bit Athlon 3Ghz on its own, and it only did 102 passwords a second, I also tried a 2.8Ghz Dual Core Intel in a VM and saw about 300 passwords a second, I then finally tried a cheaper GPU, a NVIDIA 8800 GTX and this provided the power to crunch 3,804 passwords a second.

So now we have the password for this backup. We can now open the file in iTunes and complete a restore if we had forgotten the password. Or we can launch the keychain explorer and have a look at the information stored within the backup from the iPhone, as well as exporting the contents to an XML file.

Obviously I have sanitised the screen shot as it contains information I dont want to share, but you are going to see details of services used, usernames and passwords, access point information and access passwords, phone numbers and more.

So you may be thinking this is all good, but why is this tool of interest to me. Well first of all, as I have mentioned before many organisations are looking at, and are deploying iPhones. Out of the box they are not an enterprise ready tool and require 3rd party enterprise tools. So you get a call from you user, the iPhone needs restoring, they dont want to lose their information so they want to restore from the backup. Fine, however they have forgotten their password. So now you have an option to recover with this tool.

Next is the addition of gathering this information as part of a penetration test, or even a social engineering engagement. Obviously you need to get the files off the users machine, not the iPhone itself. I don’t need to tell you guys the ways this is possible. If your feeling really lazy, you may want to check file sharing networks, people share all sorts.

If you are a file sharing network user, please check you are not sharing your entire hard disk, and if you are…. STOP IT.

To conclude I think this is a tool worth having if your organisation is offering the use of iPhones, and it also has a place in your pentesting toolkit. For more information check out Elcomsofts website, and read below for some more information on the tool itself.

Elcomsoft iPhone Password Breaker enables forensic access to password-protected backups for iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPad, and iPod Touch 1st, 2nd, and 3rd Gen devices. Featuring the company’s patent-pending GPU acceleration technology, Elcomsoft iPhone Password Breaker is the first GPU-accelerated iPhone/iPod password recovery tool on the market. The new tool recovers the original plain-text password that protects encrypted backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache. The program is also able to read and decrypt keychains (saved passwords to mail accounts, web sites and 3rd party applications) from password-protected backups (if password is known or recovered).

  • Gain access to information stored in password-protected iPhone and iPod Touch backups
  • Recover the original plain-text password
  • Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)
  • Save time with cost-efficient GPU acceleration when one or several ATI or NVIDIA video cards are installed
  • Hardware acceleration on Tableau TACC1441 hardware
  • Perform advanced dictionary attacks with highly customizable permutations
  • Perform offline attacks without Apple iTunes installed
  • Recover passwords to backups for original and ‘jailbroken’ iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPad, and iPod Touch 1st, 2nd, and 3rd Gen devices
  • Compatible with all versions of iTunes (incl. 10.0) and iOS (3 and 4, incl. 4.1)

Elcomsoft iPhone Password Breaker supports Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista or Windows 7 with x32 and x64 architectures. Password-protected backups to iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPad, and iPod Touch 1st, 2nd, and 3rd Gen devices are supported.

Patching Windows XP SP2 for the Shortcut LNK Vulnerability MS10-046

So we all know that on the 13th July 2010 Microsoft support for Windows 2000 Service Pack 4, and Windows XP Service Pack 2 came to an end.

Then on the 16th July they release a Microsoft Security Advisory 2286198 regarding a critical vulnerability that could allow remote code execution. This was then updated to  Security Bulletin and out of band patch MS10-046.

The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

So Microsoft then release the patch for XP SP3 and above, which is fine and great. However many organisations still have XP SP2, and this is a pretty good vuln, so you really would want to patch it. So obviously the best thing to do is pull your finger out and get upto XP SP3, as these sort of issues will continue and you need to be on a supported platform. Easier said than done for some companies, but we really should put the effort in.

However….. I was speaking to a friend who will remain unamed and he informed me that his company have been issued with a patch for XP SP2 to resolve the shortcut LNK vulnerability (MS10-046). So we start talking to our Microsoft reps, and apparently they is no such thing, etc etc. So I speak to my friend some more and get the filename and hash for the file. Then speaking to Microsoft some more, still denial, but they they say, oh well there is something like that, but its for embedded systems only.  Security Update for Windows XP Embedded (KB2286198)

So I think to myself, well I will check with my friend, and he confirms the hash’s are the same, and its the same file. I look at the properties and it says its ok for XP SP2, nothing about being embedded. So I grab a spare XP SP2 machine and install it. All verifies ok, and installs. Reboot. No problem. So this should work right???

Time to test.

Below is a simple quick and dirty video of an XP SP2 VM (This was the home edition I had handy, but have also checked on professional edition with the same results) where I use the Metasploit MS10-046 exploit to get a shell, I then patch the the KB2286198 patch mention above, and guess what no more shell. I am not sure why Microsoft are not sharing this info openly, but I guess at the same time it is there to test and download. Perhaps they don’t to set an out of support patching, bite them in the arse type situation.

Apologies the video is abit blurry, but this was a quick job, I recommend going HD on it for a little more clarity.

So basically this patch seems to fix the vulnerability in Windows XP SP2. So what now?? I recommend people carry out there own testing, and then if appropriate look to apply this patch as an interim measure. However it is still important to update your systems to XP Service Pack 3 or to Windows 7, as this issues will continue, and you may not be so lucky next time.

I have not seen this information anywhere else, so please spread the word and lets get these machines fixed.

DESlock+ Enterprise Review

Last year (2009) I got a call about reviewing a Full Disk Encryption product called DESlock+. I had not heard of the product, so a quick search later and more information was revealed. As encryption is an import consideration for users at home and within an organisation, and I had been looking at a few vendors for my day job I thought it would be some time well spent, and may be of use to some of you guys.

DESlock+ Enterprise is the product I am going to be look at, and its made by a company called DES. DES were founded in 1985, and the companies systems and methods originated within the British Government Communications Headquarters. The original users of DES products were government based, but over time have spread into other sectors. Over the past twelve years DES has also marketed the DESkey and DESlock range of software protection products. With an estimated 500,000 units in use throughout the world to date, sales of the DESkey continue to grow.

  • Full Disk Encryption
  • Removable Media Encryption
  • Encrypt Email, folders and files
  • Multiple encryption keys stored in a keyfile
  • AES, 3DES, Blowfish Algorithms
  • Encrypted mountable files
  • Secure data shredder
  • Keyfile backup utility
  • Scalable centralised licence and key management
  • Remote keyfile distribution
  • Software feature policy control
  • Includes DESkey USB manager tokens

When reviewing encryption products its can often be a difficult task. Lets face it the most important thing an encryption product can do is encrypt, if it doesn’t do that then we are in a pretty bad situation. So you will be happy to hear DESlock+ does encrypt and it works in a no nonsense way so with that in mind we are off to an excellent start.

To speed up my review Jamie Gordon (excellent guy) sent me a Windows 7 Virtual Machine with the DESlock product pre-installed, as like everyone getting the time to have a look at a product can be difficult. So the starting situation is essentially this. We have a Windows 7 client machine that has DESlock+ installed, and connecting back to DES HQ. The client gets its policy applied when we start up and authenticate for the first time, and we have various options available to us, but the Full Disk encryption has not yet been applied, our friend Jamie takes care of that for us remotely later.

I have a hell of alot of screenshot, about 120 or so, obviously I don’t want to post all of these, so as part of this review I will give an overview of whats going on, various configuration and functional options. I can tell you now the best thing for me about DESlock+ is it does what it says on the tin, with no fuss, and you don’t need to be a rocket scientist to configure your policy and get it up and running. I will basically show the shredder options, encrypting individual files, removable media and of course full disk encryption.

So to get things started we boot up our VM. Its important to remember that normally in an enterprise environment you would normally be logging onto a domain, however in this example this is not the case. So any credentials are not resolved from my domain credentials, its needs to be done manually. So I need to authenticate myself with the DESlock+ Enterprise Server using a one time password to get things started.

Once authenticated we need to change the password.

So now we are presented with the Desktop to go about our daily duties. Its worth noting we have the features of DESlock+ available to us now, but we have not yet had our hard disk encrypted.

So everything looks as normal, although we have the DESlock+ Shredder, and a couple of new icons in the task bar.

I will add a picture montage at the end of this review that shows various screen shots, so if you want to know what happens when you look further at these properties you can check them out.

So lets see what happens when I plug in a USB stick (A Dell branded 64Mb in this case). DESlock+ detects the USB device and prompts to do its thing.

So lets kick off the removable device encryption.

Encryption Completed.

Once the drive was encrypted a put a couple of files on there, ejected the drive and tried the stick on a windows machine, linux and Mac. All found the drive to be unreadable, so no chance at getting at that data. So good stuff.

So next I decided to decrypt the drive, and then try just encrypting a single file.

So now we create a file, and right click for our encryption options.

Once the file is encrypted the remainder of the stick was still usable, but as expected the encrypted file is not accessible. Obviously files can be encrypted like this locally, as well as on removable media. This allows for some versatile application, whilst ensuring control and protection over your data.

Of course for that little bit of additional protection its a good idea to securely erase files when your done with them, and this brings us along to the DESlock+ Shredder. You can choose how many passes you want to make when erasing the data, and choose between two methods.

So we know we can encrypt our files as needed, and we can securely erase them also. So the next thing to get sorted is obviously full disk encryption.

There is an option to encrypt using a local wizard, and an activation code you get from the administrator. I did have a look at this option as the screen shots below show. However I decided to go the remote route as this is an enterprise offering, and see how it works from the admin console.

As you can see above. If we had an authorisation code from our admin, we could kick off the full disk encryption ourselves.

So now lets take a brief look at what we see as an administrator from the DESlock+ Enterprise console.

Once we are in the admin console we have access to the various configuration options. We have the ability manage both DESlock vouchers (these control what you can or cant do based on what you have purchased) and users of the system. From a day to day perspective this is probably where you will spend time verifying what accounts are created, active machines and so forth when your first getting set up. Then there is the profiles section, this does what it says on the tin. It allows the for creation, modification and assigning of encryption profiles. Next is the Enterprise server section, this shows the user details and associated machine, when they last connected, keyfiles in use etc. The full disk encryption section is fairly obvious, this where you manage the FDE of machines in your environment. We then have the encryption keys section, this is a useful section as you can create multiple encryption keys for different parts of your organisation, to give extra levels of control. Finally the install admin section, this pulls various information together to form a registry key that is applied as part of the product install on client machines.

I viewed this section remotely with the DES guys, so I didn’t have time to have a proper play myself, but I did take some snapshots that you can see towards the end of the review.

So whilst viewing remotely, Jamie kicked off my remote encryption of my VM machine. It worked a charm with no fuss. My machine connected with the remote server, downloaded configuration updates, and then started encrypting. I even rebooted mid encryption as a test and it resumed once logged in.

So here are a couple of snaps to show what’s going on at the client end.

Now lets reboot.

Job Done :)

Wrap up and thoughts….

So we have gone through the motions, seen some screen shots, but is it actually any good. Personally yes I think it is. For me when it comes to encryption products it can be a difficult evaluation process, because lets face it if its encrypting our data in a secure method its ticking the box. I think what makes DESlock+ a good product is that its simple. I don’t mean that in a negative way at all, the product does what it says on the tin. It encrypts files, removable media, full disk encryption as well as emails and other bits and bobs I was not able to spend time in testing, and it does it in a professional no fuss approach. The menus and clear and simple to understand, policy configuration is easy and flexible, I like the fact you can use different encryption keys in different parts of the business, and for different users, this gives an extra level of access control. I like how easy it is to revoke access to encrypted files and devices in the event of loss, and I like the challenge response stuff for when people forget passwords and I like the secure deletion with the shredder.

I would certainly make organisations (especially SME’s) I work with aware of DESlock+ as well considering their similar home offering to family and friends who just want to encrypt files and don’t need FDE. However as with everything I had a few gripes with the product whilst reviewing. Its great that you can encrypt removable media, but its abit frustrating you cant share the content with non DESlock+ customers (they now have an offering for this coming soon), and I have seen some other products that allow custom configuration messages for users screens, this isn’t a major one for me but its a bonus sometimes. Lastly its my understanding that the product itself does not support distribution across the organisation, so you need to utilise some other tooling to package up and distribute DESlock+. None of this stops me thinking its a good tool, just sharing my thoughts. It is also worth noting the DESlock+ products only work on W2K upwards, so no support for Linux and OSX.

Since I have completed the review DESlock+ has been FIPS 140-2 validated, so congratulations and well done to the guys on that achievement. They have also made a product available called DESlock Reader which will allow non DES customers to decrypt emails, and files that have been encrypted with DESlock+ (obviously you will need to know a pre shared password to decrypt), this something that can be enabled or disabled at a policy level if you don’t want everyone having the ability to potentially share data outside the organisation. Another product is in the pipeline that should be out later this month, and this is DESlock+ Go. This product is all about encrypting removable media to share with 3rd parties in a secure manner. The 3rd party doesn’t need to install any software, it all runs from the encrypted package, and if its writable media such as a USB device, the 3rd party can even write data back to the device to share securely back with the original DES user. Finally they also have an MSI configuration in the pipeline that I think will help with the installation and distribution of the product, especially in larger enterprises.

For pricing your best of contacting DES yourself, but its my understanding the Home versions are about £45, which just provides secure file encryption (not FDE). Business Desktop licences start at around £75 for small numbers of licences and then decrease in cost as the number of users increases over 1000, and the Enterprise Server is about £250. Maintenance is also available at additional cost as needed.

Picture Montage


Ironkey S200 Personal Review

I don’t wont to go over to much of what has already been covered by the Enterprise Review from last week. The main focus of this review is to demonstrate that you don’t have to be part of a large organisation to benefit from what the Ironkey has to offer, as the personal versions are great to. As I previously said I have been using Ironkeys for a while myself and these are personal devices.

Below will be a brief recap of what the Ironkey Personal is all about and how you go from opening the box, to secure storage and browsing.

Personal Version Specs:
Rugged Metal Casing
Waterproof
Tamper-Resistant
AES 256BIT Hardware Encryption
FIPS Validated 140-2 Level 3
Strong Authentication
Secure Browser / Portable Apps
Secure Password Management
Self Service Password Recovery

So you have just got your hands on your nice new shiny S200 Ironkey personal, you have popped open the nicely designed black box and popped it into your USB slot. The first step is to initialise your key.

Its important to give your Ironkey an appropriate name, so that you can easily identify it in your personal online console, because your going to want more than one at some point. The next one is to obviously select a strong passphrase. It might be AES256 bit encrypted, but using the password “password” isnt going to be that secure.

The part it to read through and accept or reject the T’s and C’s.

Once thats all out of the way the Ironkey will start doing its thing, encryption, configuring and installing.

As with the enterprise version, you need somewhere to keep track of your keys, backup your password for recovery, etc etc. So now you need to create online account, or if like me add your Ironkey to your existing account.


Now your account is setup, Ironkey will send you an email with an activation code. You will need to enter this into your online account, to setup and confirm association with your account and your Ironkey.

Now your good to go. You should find that the Ironkey control panel has also launched, and this gives you access to the various pre-installed application and services. Secure Firefox browser, password managers, update manager and more.



You will also notice there is an option to fill in some Lost and Found information. This is then displayed to anyone who inserts and attempts to activate the Ironkey. They can then contact you to make you aware of how foolish you were to lose your precious key :)

So thats pretty much you good to go. However I will add one thing, that seems to be very unclear when your looking around online. People seem to think for some reason you are unable to install new applications onto your Personal Ironkey. Well of course you can. I will quickly go through how to install Pidgin, and other applications should be the same.

First off head along to Portable Apps, and get yourself a copy of Pidgin.

You then simply install this to the secure files location on your Ironkey. Then from your Ironkey control panel right click on the applications screen and select add application.

Now select the Pidgin Executable in your secure storage location. Then Bob’s your uncle you have Pidgin good to go.

I hope this review was information and helpful to a few of you. For more information on Ironkey and where to buy one check out their website.