Automating password entry was easy enough; when powered on, the drive's password entry dialog popped up and it was simple to drive the GUI and enter passwords. However, the slight hiccup was that, after five password guesses, the drive needed to be power-cycled to reset the guess counter. One of my many failings is a distinct lack of basic electronics experience, and even being able to switch a relay from a computer borders on magic in my eyes. Enter a good friend, Alex Schutz, resident mechatronic engineer at eDart Slurry Valves and go-to electronics guy. He quickly whipped up a rig that used a USB extension cable with one of the power lines spliced through a relay controlled by a programmable board, which was driven through a serial interface. From the controlling laptop, enabling HDD power was as simple as "echo b > COM3" and cutting the power was "echo a > COM3".
With this test rig built, the project then went dormant for a bunch of reasons. Last week we were asked for the drive back, but Alex was determined to give it one more go. Cue final polishing and the production of passwords based on the user's common password combinations, and the brute-force was ready to run. If you've run a brute-force before, you'll know the success case isn't always immediately obvious. We know what a failed password attempt looks like, but detecting a successful password attempt without ever seeing one is trickier. Instead, we took the simpler approach of grabbing a screenshot after each attempt, for subsequent analysis.
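The weakness the rig exploits is that the drive keeps its guess counter in volatile state, so a power cycle resets it and the five-try limit bounds nothing. The model below is an added illustration, not code from the original post or from the drive's firmware: it simulates a drive with a volatile counter beside one that persists the counter in non-volatile memory, and replays the post's loop (power-cycle every five guesses) against a constructed candidate list where the right password sits at position 500, as it did in the post. Names and the candidate list are assumptions.

```python
from dataclasses import dataclass

MAX_GUESSES = 5  # guesses allowed per power-on, as described in the post


@dataclass
class Drive:
    secret: str
    persistent_counter: bool   # True: failures are stored in non-volatile memory
    nv_failures: int = 0       # survives a power cycle
    ram_failures: int = 0      # cleared by a power cycle
    locked_out: bool = False   # hard lockout reached on the persistent design

    def power_cycle(self) -> None:
        self.ram_failures = 0  # only RAM state is lost; NV state is untouched

    def failures(self) -> int:
        return self.nv_failures if self.persistent_counter else self.ram_failures

    def try_password(self, guess: str) -> str:
        if self.locked_out or self.failures() >= MAX_GUESSES:
            return "locked"
        if guess == self.secret:
            return "unlocked"
        if self.persistent_counter:
            self.nv_failures += 1
            if self.nv_failures >= MAX_GUESSES:
                self.locked_out = True  # e.g. require a recovery key or wipe
        else:
            self.ram_failures += 1
        return "wrong"


def run_guesses(drive: Drive, candidates: list[str]):
    """Replay the post's procedure: power-cycle after every MAX_GUESSES tries.
    Returns the 1-based index of the guess that unlocked, or None."""
    for i, guess in enumerate(candidates, 1):
        if i > 1 and (i - 1) % MAX_GUESSES == 0:
            drive.power_cycle()
        if drive.try_password(guess) == "unlocked":
            return i
    return None


# Constructed candidate list: the real password is the 500th entry.
CANDIDATES = [f"guess{i}" for i in range(600)]
CANDIDATES[499] = "correct-password"

if __name__ == "__main__":
    for persistent in (False, True):
        drive = Drive("correct-password", persistent_counter=persistent)
        print("persistent" if persistent else "volatile", run_guesses(drive, CANDIDATES))
```

With the volatile counter the 500th guess is evaluated and succeeds; with the persistent counter the drive locks after five failures and every later guess is refused.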
The rig looked like this:
The comforting sound of the relay firing followed by the visual feedback of the password dialog being attacked was the source of much happiness.
In the end, the password was guessed correctly on about the 500th attempt, which made up for the effort that went into the test rig. Cue happy colleague of colleague, and the satisfaction that comes from a dirty dirty hack.