Password Recovery

Solutions

Andrey Belenko

Security Researcher, CISSP

a.belenko@elcomso-.com  

More  than  15  years  in  Password  Recovery  

Agenda

 About us

 Types of passwords

 Hardware acceleration

 Distributed password recovery

 QQ passwords

  iPhone/iPod/iPad backup passwords

More  than  15  years  in  Password  Recovery  

About us

 Established in 1990, privately held

 Based in Moscow, Russia

 Resellers worldwide

 Customers from Fortune 500, military and

governmental institutions

 Patent-pending technologies (GPU

acceleration, Thunder Tables)

 100+ file formats supported

h0p://www.elcomso-.com  

Industry Certified and Acknowledged

  Microsoft Gold Certified Partner

  Intel Software Partner

  NVIDIA Registered Developer

  Member of the Association of

Shareware Professionals (ASP)

  Member of the Russian

Cryptology Association (RCA)

Password Protection Types

"   Reversible passwords transformation

Instant recovery

Instant Recovery

Password Protection Types

"   Reversible passwords transformation

Instant recovery

"   One-way password transformation

Can reset password

Password Reset

Password Protection Types

"   Reversible passwords transformation

Instant recovery

"   One-way password transformation

Can reset password

"   Encrypted documents

Break encryption

Guess password

Breaking Encryption

Password Guessing

Password Guessing

Problems

•  «Salt»

– Rainbow tables don’t work

•  Strong crypto

– Key search attacks not possible

•  Iterated transformations

– Trying password takes longer

Key is to test smart and fast!

How to Increase Speed?

• No  special  hardware  • Limited  speedup  (10-­‐20%)  

So-ware  OpFmizaFon  

• Convenient  to  use  • Not  very  cost-­‐effecFve  

Special  Hardware  

• Cost-­‐effecFve  • Might  require  user  experFse  

Common  Hardware  

• Scalable  • Difficult  to  manage  

Distributed  compuFng  

Supported Hardware

GPU:

• NVIDIA GeForce

• NVIDIA Tesla

• ATI Radeon

• ATI FireStream

Supported Hardware

Tableau TACC1441 (FPGA)

Performance (WPA)

4000  

22000  

30000  

103000  

14500  

29000  

0   20000   40000   60000   80000   100000   120000  

Core  i7  920  

GTX  295  

GTX  480  

HD5970  

TACC1441  

2x  TACC1441  

Passwords  per  Second  

Distributed Password Recovery

Internet/WAN

LAN

Controller

Server

Workers

Distributed Password Recovery

•  Needs little traffic and bandwidth

•  Can work over LANs and WANs

•  Scales (almost) linearly with number of

nodes

•  Workers can join and leave

•  Nodes can use hardware acceleration

QQ Passwords

•  Password is not stored in clear

•  QQ 2005 stores MD5 hash

•  QQ 2009 stores encrypted MD5 hash

– Encryption key depends on hardware

•  Can extract hash and run password

recovery

•  Use any tool for cracking MD5

•  Demo

iPhone Backup Passwords

•  100 millions iPhone/iPod touch/iPad sold

•  iTunes backs up device regularly

•  Backup contains lots of valuable info

– Contacts, call logs, SMS, e-mail accounts

– Photos

– Location history

– Application files (cleartext password)

iPhone Backup Passwords

•  Device can encrypt backups

•  Need original password to decrypt

•  Not same as passcode!

Elcomsoft & Oxygen provide solution for

handling encrypted backups!

iPhone Password Breaker

•  Supports iPhone/iPod touch/iPad backups

•  Supports iOS 4 and iTunes 9.2

•  Wordlist and bruteforce attacks

•  Hardware acceleration with NVIDIA and

ATI GPUs and Tableau TACC1441

•  Use Oxygen Forensic Suite to decrypt and

analyze

Thank You!