Password Recovery with PRTKTM-DNA(1).pdf

(244 KB) Pobierz
Paper
Password Recovery with PRTK /DNA
March 2006
®
A
CCESS
D
ATA
, O
N
Y
OUR
RADAR
Password Recovery with PRTK
/DNA
®
One way to keep information confidential is to encrypt it, rendering it unreadable until it
is decrypted. To encrypt a file, the application you are using, for example Microsoft
®
Word
®
, will have you select a key or a password, which is used to both encrypt the file
and to decrypt it.
Since the password owner must be able to remember the password, password recovery is
based on these simple facts:
The password will usually be in a language familiar to the owner
The password will usually be an aspect of the owners life
New passwords might be a modification of old passwords
Passwords should be difficult for others to guess. However, the owner of the password
needs to be able to remember it, which means it must conform to some rules known and
employed by the owner. That is, it should be something familiar enough for the owner to
recall and repeat. That’s why passwords are usually composed in a language familiar to
the password owner.
In order to more easily remember a password, the owner often chooses one from the
names of family, pets, product names, dates, or less wisely, telephone and social security
numbers. If the password isn’t obvious enough, or if it’s chosen for the owner, the
password owner may write down the password close to where it’s needed, or into a file
used to record all current passwords.
Understanding Password Recovery
Whether it has been forgotten or abandoned, you will eventually need to recover a
password. Software products can help you discover a password by trying to decrypt the
encrypted file with successively longer sequences of characters presented as the
password. Even with the fastest computers, this trial and error approach (called an
attack) can take a very long time. If many files need to be decrypted, the problem is
multiplied.
Recovering passwords takes more than just dropping a file into a software product and
hoping that it will find something. This approach would take more time than is practical.
Because of the way people usually select passwords, finding the passwords can be done
much more quickly by combining as much information about the owner as is available
with an application that can apply that information fast and logically.
AccessData Corporation offers two software solutions for password recovery: Password
Recovery Toolkit
, or PRTK, and Distributed Network Attack
®
, or DNA. These
applications work on the same technologies, but provide a choice on distribution, or how
the work load of guessing passwords is shared among multiple machines. For simple
password recovery jobs, PRTK is the perfect application. If large numbers of encrypted
© AccessData Corp.
April 2006
Page 2
files need processing, consider DNA the solution. AccessData also provides classes
training clients on password recovery strategies and on how to best exploit these tools.
Password Recovery Strategy
Given that encrypted files have been discovered and need to be opened, the
following are a set of processes that are critical to the recovery of passwords using
PRTK/DNA:
1. Determine the languages familiar to the creator of the password.
Determine the language, codepage, or keyboard setting used on the
owner’s computer.
2. Search the location of the owner for any hand-written notes that may
contain possible passwords. These possible passwords can be used to
create a biographical dictionary, or entered into a wordlist file that can
then be turned into a custom dictionary.
3. If the owner’s hard drive has been imaged, process the image and export a
wordlist file that can be turned into a custom dictionary.
4. Adjust the order in which the levels are processed, and add any new levels
that may be necessary.
The more information that can be gathered about the person that created the
passwords being recovered, the more likely that the passwords will be found
quickly.
Password recovery is waiting for the set of target passwords to be tried against the
encrypted file. Once all the background information about the creator of the
password has been gathered and submitted to the recovery process, time becomes
the limiting factor to recovering a password. A machine’s speed, or the amount of
machines available, will have a noticeable effect on the password recovery.
Password Recovery Operation
PRTK operates on a single computer to recover passwords from a wide variety of file
types such as Excel
®
, Zip, or Quicken
®
. File types are supported through the use of
modules
1
. Each module is designed to employ those attacks that are most effective for
the particular file type for which it was developed.
Multiple files can be added as jobs, and each job is prioritized based on the complexity of
the encryption algorithm used by the program that created the encrypted file. Simpler
encryption algorithms are faster to process, so jobs with those kinds of files are attacked
first. Recovered passwords are displayed with their corresponding job and are also stored
in a filed called a Golden Dictionary.
Because files from the same source are likely to share the same password, those
successfully retrieved from files with less complex encryption are applied to files with
more difficult encryption.
1
See Appendix B for the complete list of modules supported by PRTK and DNA.
© AccessData Corp.
April 2006
Page 3
Because passwords can be expected to be based on a language familiar to the person who
encrypted the file, selecting the language to be used by PRTK is the first step toward
successfully recovering the password.
Language and Character Groups
By selecting the appropriate language and character groups
2
, target passwords
will be constructed that are familiar and used by the person who created the
password in order to constrain the amount of passwords to be guessed. If the
password creator is known to favor using upper or lower case characters, for
example, or if you suspect that symbols are used, you can enable or disable these
options for each group.
Dictionaries
Words to try as passwords are taken from files called dictionaries
3
, which contain
a list of words in the languages to which they correspond. PRTK includes some
predefined dictionaries for some languages. PRTK can create custom dictionaries
from information about the person who created the encrypted files, if you suspect
the password was created from that information.
Any recovered passwords are stored in a special dictionary called the Golden
Dictionary, and are automatically tried every time a new job is added.
Levels
PRTK conducts password attacks using rules called levels. Levels provide the
means by which the complexity of the passwords to be tested is gradually
increased, starting with the simplest attacks (simple dictionary attacks) and
proceeding to the more complex (enhanced dictionary and brute force attacks,
where every possible character combination is tried). Of course, simpler attacks
require much less time and resource than do more complex attacks.
Password recovery is a numbers game; the more passwords tried against an encrypted
file, the more likely you’ll find a password that can open it. The settings you apply to
PRTK/DNA will provide the number of passwords generated, and determine the odds of
recovering the one. They also determine the amount of time each attack will take.
Carelessly selecting your settings will reduce the time it takes to test, and yet increase the
chances of success. Thoughtlessly applying your settings will slow things down, and
even prevent you from finding the password.
Improving Testing Performance
Password Recovery Tool Kit is an application for password recovery using a single
machine to attack encrypted files. It has been designed to share the machine with other
applications running at the time, which will slow down the recovery process.
2
3
See Languages and Character Groups
See Biographical and Custom Dictionaries
© AccessData Corp.
April 2006
Page 4
Distributed Network Attack (DNA) is a solution that addresses this issue by allowing
many machines to be designated as resources for password recovery. DNA is able to use
each processor in a multi-processor or multi-core processor machine, enhancing the
overall performance. These machines may be used in one of two different worker modes:
dedicated or nondedicated.
A dedicated worker is a machine designated for exclusive use by the DNA network. No
other tasks are performed by this mode other than DNA password recovery. A
nondedicated worker is a machine that serves other purposed as well, such as an
employee station for regular business use. The advantage to using a collection of
nondedicated machines is that your organization already has a base of machines, usually
available after hours. By assigning them to DNA, these machines provide valuable
computing power to your password recovery operation when not in use by their primary
users.
To illustrate how multiple machines may impact a password recovery job, imagine a
single machine capable of testing 1,000,000 passwords per hour. A single machine can
therefore test approximately 24,000,000 in a 24-hour period. If a DNA network with ten
nondedicated workers is put on the job and the machines are available for about 14 hours
each day, they are able to test approximately 140,000,000 passwords in the same 24-hour
period—an increase of about six times.
By making more machines available as DNA workers, the number of passwords that can
be tested increases.
DNA distributes the current workload by providing each worker machine the IP address
of the supervising machine. As long as each worker has a network connection and is able
to resolve the provided IP address, it can establish a connection to the supervisor, which
will allocate work for it as jobs are submitted. All machines assigned to the same
supervisor form a cluster. As the size of the cluster increases, so does the number of
passwords that can be tested.
The cost of the expertise and equipment needed to maintain a large DNA cluster should
be carefully considered in deciding between PRTK and DNA, but with the correct
personnel and hardware, a DNA cluster can dramatically increase the probability of
password recovery.
© AccessData Corp.
April 2006
Page 5

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika:

Zgłoś jeśli naruszono regulamin