How to crack a disk image
September 24, 2006 3:01 PM

How can I run a dictionary attack against a password-protected disk image file on OS X?

I created the disk image, but have forgotten the password. I'm pretty certain that the password I used would be short and not terribly fancy, so it should succumb to a brute-force attack pretty quickly, if I knew how to run one against it.
posted by alms to Computers & Internet (16 answers total)
 
Best answer: you can open disk images with passwords using AppleScript. It won't be terribly quick, but it'll do the job.
posted by bonaldi at 3:04 PM on September 24, 2006


Response by poster: bonaldi, thanks for the pointer. That's very helpful.

The related question is whether there is an optimal way to generate passwords to throw at it. The 26 letters plus 10 digits gives almost three trillion passwords even at just 8 characters.
posted by alms at 3:24 PM on September 24, 2006


It depends on how well you can roughly guess what you made the password. If you only ever use english words, for instance, you can narrow it right down. There are english dictionaries out there you can patch in.
posted by bonaldi at 3:34 PM on September 24, 2006


Response by poster: Bonaldi, are you sure it is possible to open disk images with passwords using AppleScript? I've looked around trying to find out how to do that, and the only scripts I've found just invoke hdiutil, which as far as I can tell, wants to read a password from standard input.
posted by alms at 4:21 PM on September 24, 2006


alms, can't you redirect stdin using the less-than redirector? In other words:

hdiutil [whatever] -stdinpass < filewithpassword

I've not used hdituil from the command line with passwords, but I'm not sure why that wouldn't work. You still have to generate all the passwords, but you can pass 'em to hdiutil that way...
posted by delfuego at 4:28 PM on September 24, 2006


Best answer: From the hdiutil man page:

-stdinpass
read a null-terminated passphrase from standard input. If the standard input is a tty, the passphrase will be read with readpassphrase(3). -stdinpass replaces -passphrase though the latter is still supported for compatibility. Beware that the password will contain any newlines before the NULL. See the EXAMPLES section.


So you'd want to do something like this:

echo -n password|hdiutil attach -mount -encryption -stdinpass - image.dmg

(This syntax may not quite be right, I'm piecing together a few examples.)
posted by Remy at 4:31 PM on September 24, 2006


Best answer: The best password dictionaries I've seen are here (the specific one you'll probably want is here).

I don't know OS X well myself, but based on Remy's syntax above, once you have a dictionary file, a Bash script to try to find your password would be as follows.

#!/bin/bash
for word in $(cat wordlist.txt | grep -v "#")
do
	echo -n $word | hdiutil attach -mount -encryption -stdinpass - image.dmg
	if [[ $? = 0 ]] 
	then 
		echo "Password found!"
		echo $word
		exit 0
	fi
done

echo "password not found :("
exit 1

posted by gsteff at 5:31 PM on September 24, 2006


Response by poster: OK, thanks to all for all of these pointers. I'm making progress. I've created a test image ("foobar.dmg") with the password FooBar. The following successfully mounts the image:

echo -n FooBar | hdiutil attach -mount required -encryption -stdinpass ~/foobar.dmg


However, when I try to use gsteff's shell script, the image does not attach correctly. (I've added another "echo" to verify that the password FooBar is indeed being pulled out of the file. I also removed what I believe to be a spurious hyphen in the fourth line.)

Here's the script I'm using:

#!/bin/bash
for word in $(cat ~/passwordlist.txt | grep -v "#")
do
	echo $word
	echo -n $word | hdiutil attach -mount required -encryption -stdinpass ~/foobar.dmg
	if [[ $? = 0 ]]
	then
		echo "Password found!"
		echo $word
		exit 0
	fi
done
echo "password not found :("
exit 1


and the output is:

AGIP-NET
hdiutil: attach failed - Authentication error
AGPS-NET
hdiutil: attach failed - Authentication error
AGPS-WAN
hdiutil: attach failed - Authentication error
AGRI-FER
hdiutil: attach failed - Authentication error
FooBar
hdiutil: attach failed - Authentication error
AlpoCAN
hdiutil: attach failed - Authentication error
^Ccanceling...


Any thoughts?
posted by alms at 11:50 AM on September 25, 2006


I can't explain what you're seeing, because I get no problems at all using your script. I created a test image, I created a file with passwords, and I successfully mount the image as soon as the right password comes up in the iteration through the file.

What is the format of your password file? What are the line endings? Is it possible that you're passing an invisible line-ending character in as the final character of your password? My password file is using LF line endings (not CRLF); that might be the difference.
posted by delfuego at 12:57 PM on September 25, 2006


Best answer: Yeah, it appears that the dict file I linked to uses DOS style endings. You can convert those on the fly to unix style by changing line 4 to this:

for word in $(cat ~/passwordlist.txt | sed -e 's/.$//' | grep -v "#")
posted by gsteff at 1:58 PM on September 25, 2006
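An added example (not from the thread or any of its posters) that reproduces the failure delfuego and gsteff diagnosed: because -stdinpass takes every byte before the NUL as the passphrase, a CR left over from CRLF line endings makes "FooBar" arrive as "FooBar\r". It assumes a POSIX sh with od and mktemp; the wordlist and the FooBar test passphrase are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: why a DOS-formatted wordlist breaks the
# loop above. hdiutil -stdinpass treats every byte before the NUL as part of
# the passphrase, so a CR left over from CRLF line endings turns "FooBar"
# into "FooBar\r" and the attach fails with "Authentication error".

# Hex dump of whatever arrives on stdin, i.e. the exact passphrase bytes
# hdiutil would read. Compare `printf 'FooBar'` with `echo FooBar`.
stdin_hex() {
    od -An -tx1 | tr -d ' \n'
}

# Write a small constructed wordlist with CRLF endings (like the linked
# dictionary) to file $1; it contains the test passphrase FooBar.
make_crlf_wordlist() {
    printf '# comment\r\nAGIP-NET\r\nFooBar\r\nAlpoCAN\r\n' > "$1"
}

# Count lines of wordlist $1 that equal passphrase $2 byte-for-byte.
# Mode "raw" reads each line as stored (CR included, as the original loop
# did); mode "clean" strips the CR first, which is what the sed fix does.
count_matches() {
    file=$1; want=$2; mode=$3; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$mode" = clean ]; then
            line=$(printf '%s' "$line" | tr -d '\r')
        fi
        case $line in '#'*) continue ;; esac   # skip comment lines
        if [ "$line" = "$want" ]; then
            n=$((n + 1))
        fi
    done < "$file"
    echo "$n"
}

# Stand-alone demo: 0 matches raw, 1 match after stripping the CR.
demo() {
    tmp=$(mktemp)
    make_crlf_wordlist "$tmp"
    echo "raw:   $(count_matches "$tmp" FooBar raw)"
    echo "clean: $(count_matches "$tmp" FooBar clean)"
    rm -f "$tmp"
}
demo
```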


Line 2! Not line 4!
posted by gsteff at 2:00 PM on September 25, 2006


Response by poster: Yay, success!

At least with the test case, that is. So now I get to try running it against my image, with some much larger password files.

Last question: how do I rewrite line 5 to remove the 'echo'? I don't want to take the time for the output. Just removing the "echo -n" did not work. (Of course, I'll kill line 4 altogether.)

Thanks again for this group effort. I'll report back about the ultimate success.
posted by alms at 4:10 PM on September 25, 2006


I don't understand -- you want to remove the echo that's providing the password via stdin to hdiutil? You can't, because, well... it's providing the password to hdiutil.
posted by delfuego at 5:23 PM on September 25, 2006


No, hdiutil spits out an error message of its own each time, alms wants to get rid of that. Try appending "&> /dev/null" onto the end of the hdiutil command.
posted by gsteff at 5:37 PM on September 25, 2006


Response by poster: Try appending "&> /dev/null" onto the end of the hdiutil command.

Yep, that worked, thanks.
posted by alms at 6:17 PM on September 25, 2006


I knew I had to be misreading that, alms -- glad you got it working the way you want!
posted by delfuego at 6:28 PM on September 25, 2006

