A little while back, a colleague of a colleague approached me with a favour request that was hard to refuse (no, not that kind…) They had one of these external harddrives that supports on-drive encryption and, as you will have guessed, had forgotten the password. No more saved business docs, but also no more saved baby pics. “Could we have a look?”, they asked. A brief search online revealed companies who claim to be able to recover passwords for these very drives, but required shipping the drive from South Africa to Europe, and the cost was not instantly dismissible. Surely there was another way?
Automating password entry was easy enough; when powered on, the drive’s password entry dialog popped up and it was simple to drive the GUI and enter passwords. However, the slight hiccup was that, after five password guesses, the drive needed to be powercycled to reset the guess counter. One of my many failings is a distinct lack of basic electronic experience, and even being able to switch a relay from a computer borders on magic in my eyes. Enter a good friend, Alex Schutz, resident mechatronic engineer at eDart Slurry Valves and go to electronics guy. He quickly whipped up a rig that used a USB extension cable with one of the power lines spliced through a relay controlled by a programmable board, that was driven through a serial interface. From the controlling laptop, enabling HDD power was as simple as “echo b > COM3” and cutting the power was “echo a > COM3”.
With this test rig built, the project then went dormant for a bunch of reasons. Last week we were asked for the drive back, but Alex was determined to give it one more go. Cue final polishing and the production of passwords based on the user’s common password combinations, and the brute-force was ready to run. If you’ve run a brute-force before, you’ll know the success case isn’t always immediately obvious. We know what a failed password attempt looks like, but detecting a successful password attempt without ever seeing one is trickier. Instead, we took the simpler approach of grabbing a screenshot after each attempt, for subsequent analysis.
The rig looked like this:
The comforting sound of the relay firing followed by the visual feedback of the password dialog being attacked was the source of much happiness.
In the end, the password was guessed correctly on about the 500th attempt, which made up for the effort that went into the test rig. Cue happy colleague of colleague, and the satisfaction that comes from a dirty dirty hack.