Ophcrack and encrypted drives

I had to use Ophcrack to recover a password yesterday on a computer that is being sold along with some equipment that it controls. We hadn't used it in years and no one had the password.

The boss was amazed that it could be recovered so quickly, but on the other hand, was a bit shocked as well. He asked if we encrypted all our drives, could the passwords still be recovered? I had no idea.

I looked around online last night, and couldn't find an answer to this. I have all my spare loaned out right now, so I cannot try it myself. So I am wondering if anyone has tried, and what their results were?

Find more posts tagged with

Comments

Bl8ckr0uter

I don't think it works but I haven't tried it. On another hand you could show him the evil maid attack and blow his mind:

https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

powerfool

Assuming that whatever password storage mechanism (SAM, passwd, etc) is in encrypted, you will have to decrypt it first. This would either require bruteforcing the key, having the certificate and pin, or keylogging or something similar to get the key. It would go a long way to protect against that... for all intents and purposes, it will be well beyond the skill of most that would try to breach it.

Bl8ckr0uter

powerfool wrote: »

Assuming that whatever password storage mechanism (SAM, passwd, etc) is in encrypted, you will have to decrypt it first. This would either require bruteforcing the key, having the certificate and pin, or keylogging or something similar to get the key. It would go a long way to protect against that... for all intents and purposes, it will be well beyond the skill of most that would try to breach it.

Maybe not as much as you think powerful. Check out the evil maid attack.

demonfurbie

the password files are normally encrypted

now if the password file is stored locally on a non encrypted drive you can use a rainbow table and crack the hash (in most cases)

if you encrypt the entire drive your only able to brute force the password, takes alot longer to do

and even better use bitlocker then they have to have the dra (if one is setup) or the user its self... but to get this to work well you have to have a tpm on the motherboard and a usb key

edit: i live in a windows world atm, its diff in linux/unix/osx

it_consultant

The question is how powerful is the encryption key on the hard drive. If it is certificate based, forget about it. If it is a password less than 8 characters, assuming there isn't a timeout then you might be able to do it with a common password attack. Over 8 characters, forget about it. When one of my clients was being raided by the FBI they told me that fully encrypted hard drive (for example True Crypt) take many months of skilled technicians to crack the PW. Assuming they didn't find the password in the sock drawer or something

. Most crooks don't crack your password, they guess it, guess your challenge questions, or find it under your keyboard.

SteveLord

We use Winmagic's SecureDoc. As all state laptops that leave an office are required to be encrypted. It is annoyingly secure and unforgiving of the innocent. I'd be impressed if could be broken into easily.

Tackle

Bokeh wrote: »

The boss was amazed that it could be recovered so quickly, but on the other hand, was a bit shocked as well. He asked if we encrypted all our drives, could the passwords still be recovered? I had no idea.

I would be interested in finding this out as well. I've used Ophcrack a few times and found that it is amazing. I use what I would consider a decently long and complex password. Ophcrack cracked it in a matter of minutes.

I haven't used it in awhile, is there a different version for Windows Vista & 7?

Devilsbane

Encrypted drives are generally treated different than a machine password. I assume this was an XP machine and the password was fairly weak? Not too difficult to break that.

Drives however generally have multiple pieces to them, one of which is the unique TPM chip. I'm sure there are tools out there that can do this, but I'm not familiar with any and couldn't speak to their success rate. But Ophcrack vs XP, Ophcrack wins 9 times out of 10 (at least in my personal usage)

RobertKaucher

LucasMN wrote: »

I would be interested in finding this out as well. I've used Ophcrack a few times and found that it is amazing. I use what I would consider a decently long and complex password. Ophcrack cracked it in a matter of minutes.

I haven't used it in awhile, is there a different version for Windows Vista & 7?

Likely because your idea of a complex password is flawed. Mine are on average 25 characters in length and use a combonation of uppercase/lowercase and special characters/numbers. however the words are a ranom combination of dictionary words. Usually 4 to 5.

shaqazoolu

Your chances of success with cracking a Truecrypt volume is likely pretty low. I know there used to be a way around Truecrypt encryption if the BIOS was not password protected but I am not sure if that is still a problem or if it is limited only to Truecrypt. I think if you do full disk encryption, you have done your due diligence as long as the password is reasonably complex. If you do it right and someone still breaks in, they've earned it.

Unencrypted drives on the other hand, are cake to get into. Half the time you don't even need Ophcrack to get in. If I can get my hands on the hashes and have at least the 8GB rainbow tables, there is a pretty good chance you are toast in less than an hour, I don't care how ugly your password is. However, dumping and cracking hashes is not the only way to get into a box. If I have physical access to it, there are a number of other unauthenticated ways into the machine that are much faster and much easier that I am trying first...and some of them don't even require any nefarious tools.

EmersonH

RobertKaucher wrote: »

Likely because your idea of a complex password is flawed. Mine are on average 25 characters in length and use a combonation of uppercase/lowercase and special characters/numbers. however the words are a ranom combination of dictionary words. Usually 4 to 5.

Nice comic strip.

Tackle

RobertKaucher wrote: »

Likely because your idea of a complex password is flawed. Mine are on average 25 characters in length and use a combonation of uppercase/lowercase and special characters/numbers. however the words are a ranom combination of dictionary words. Usually 4 to 5.

I know, I've seen that comic a few times here in the last couple weeks. Thanks for posting it again though! None of my passwords are longer than 8 characters, anymore than that takes too long to type. Worst case would be someone gets password to my bank account, logs in and realizes I'm poor. Maybe they'd feel bad and deposit some monies for me while they are in there!

I know for sure I'd catch hell if I changed the password policy at work to have a minimum of 20 some characters.

crrussell3

A good read: https://www.grc.com/haystack.htm

Eramssion

有一些类似于Ophcrack的软件也可以为使用Windows 7/8/10计算机的用户恢复密码，例如chntpw,Trinity Rescue Kit and PassGeek Windows password recovery 。