The document discusses the Password Recovery ToolKit (PRTK) software. It provides an overview of the PRTK interface and modules. It describes how to set up profiles in PRTK to customize password attacks, import word lists from other tools like Forensic ToolKit to build dictionaries, and explains different types of attacks PRTK can perform like dictionary, brute force, and reset attacks. It also discusses how PRTK can be used to crack passwords protecting files encrypted by Windows EFS and decrypt DPAPI protected passwords.

PRTK

Password Recovery ToolKit


EFS (Encrypting File System)
http://en.wikipedia.org/wiki/Encrypting_File_System
PRTK Overview - Interface
Manage Profiles... Dictionary Tools...
Right or double click to get more properties and information about the recovery job
Note! May need to be started as admin
PRTK Overview - Modules
Help > User Guide... F1 - Very good!
Recovery Modules → the RM listing is also available in the user guide
Goes on to Z … ~ 110 modules


Starting a Session
Add files via
- Menu, Add Files...
- Drag and drop or
- DropFolder
Setup Options
Edit and Import Dictionaries
Setup Profiles
Importing a new dictionary
Add new dictionaries (from your word lists)
• Full-text index from FTK
• Other user-created text file
"More Settings" button depends on dictionary type, contains
- Dictionary Settings
- Word Settings
Importing a new dictionary

Windows Vista/7
C:\ProgramData\AccessData\PR\dictionaries
Importing a new dictionary
• Codepage (-c) and Unicode (-u)
• Large dictionaries segmented at 500,000 words
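The two points above (a word list arriving in a legacy codepage or in Unicode, and segmentation of large dictionaries at 500,000 words) as an added Python example; this is not PRTK's own importer. The segment size is a parameter so the behaviour can be shown on a small constructed input, and writing segments out as UTF-8 is an assumption about what the importer accepts as "Unicode".

```python
# Added example, not PRTK's own importer: take a word list exported in a
# legacy codepage (the slide's -c case) or in Unicode with a byte-order mark
# (the -u case), normalise it, and split it into segments the way the slide
# says large dictionaries are segmented at 500,000 words. Writing segments
# out as UTF-8 is an assumption about what the importer accepts as Unicode.
import unicodedata
from typing import List

SEGMENT_SIZE = 500_000  # segment size the slide states for large dictionaries


def detect_encoding(raw: bytes, fallback: str) -> str:
    """Pick the codec from a byte-order mark; otherwise use the given codepage."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return "utf-16"      # the BOM tells the codec the byte order
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"   # strips the UTF-8 BOM
    return fallback


def decode_wordlist(raw: bytes, codepage: str = "utf-8") -> List[str]:
    """Decode with the detected or given codec and return cleaned words:
    whitespace stripped, blank lines dropped, NFC-normalised so 'ö' is a
    single code point however the source spelled it."""
    text = raw.decode(detect_encoding(raw, codepage))
    words = []
    for line in text.splitlines():
        word = unicodedata.normalize("NFC", line.strip())
        if word:
            words.append(word)
    return words


def dedupe_preserving_order(words: List[str]) -> List[str]:
    """Drop duplicates without reordering (order can matter for rule efficiency)."""
    seen = set()
    out = []
    for w in words:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def segment(words: List[str], size: int = SEGMENT_SIZE) -> List[List[str]]:
    """Split into consecutive chunks of at most `size` words."""
    return [words[i:i + size] for i in range(0, len(words), size)]


def import_wordlist(raw: bytes, codepage: str = "utf-8",
                    size: int = SEGMENT_SIZE) -> List[bytes]:
    """Pipeline: decode -> dedupe -> segment -> one UTF-8 blob per segment."""
    words = dedupe_preserving_order(decode_wordlist(raw, codepage))
    return ["\n".join(seg).encode("utf-8") for seg in segment(words, size)]


# Constructed sample: a Windows-1252 word list with Swedish characters and a
# duplicate entry, as an FTK export or a hand-made list might look.
SAMPLE_CP1252 = "sommar\nGöteborg\nlösenord\n\nsommar\nåäö\n".encode("cp1252")

if __name__ == "__main__":
    for n, seg in enumerate(import_wordlist(SAMPLE_CP1252, "cp1252", size=3), 1):
        print(f"segment {n}: {seg.decode('utf-8').splitlines()}")
```

Run with the real segment size the slide gives (the default) on an FTK export and each output blob is one dictionary file to import; the tiny size in the usage call only exists to show the split on a six-line sample.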
Biographical Dictionary

• Add words by category

• Consider case sensitive issues

• Consider concatenating

• Generate when complete


Biographical Dictionary
The 14 entries generated almost 16,000 words in the dictionary!

Results in:
• Codepage
• Unicode
• XML (AS-IS)
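To show why 14 entries can turn into almost 16,000 words, here is an added Python example (not PRTK's own generator) that expands a few constructed biographical entries by concatenation, case variation and a short suffix, and then uses the same set as a policy check for whether a chosen password is derivable from the user's own data. The transformations are assumptions about what such a generator does; PRTK's actual rule set is documented in its user guide.

```python
# Added example, not PRTK's own generator: expand a few biographical entries
# (constructed below) into the kind of candidate set a biographical dictionary
# produces, and use the same set to check whether a chosen password is
# derivable from it. The transformations are assumptions about what such a
# generator does; PRTK's actual rule set is in its user guide.
from itertools import permutations
from typing import Dict, Iterable, List, Set

# Constructed entries for one fictional user, grouped by category as the
# dialog asks for them.
BIO_ENTRIES: Dict[str, List[str]] = {
    "name": ["Anna", "Karlsson"],
    "pet": ["Misse"],
    "city": ["Lund"],
    "year": ["1984"],
}


def concatenations(words: Iterable[str], max_parts: int = 2) -> Set[str]:
    """Join 1..max_parts distinct entries in every order ("consider concatenating")."""
    words = list(words)
    out: Set[str] = set()
    for k in range(1, max_parts + 1):
        for combo in permutations(words, k):
            out.add("".join(combo))
    return out


def case_variants(word: str) -> Set[str]:
    """As-is, lower, UPPER and Capitalised ("consider case sensitive issues")."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def generate(entries: Dict[str, List[str]], max_parts: int = 2,
             suffixes: Iterable[str] = ("", "1", "123")) -> Set[str]:
    """Full expansion: concatenate, vary case, then append each suffix."""
    base = [w for words in entries.values() for w in words]
    cased: Set[str] = set()
    for joined in concatenations(base, max_parts):
        cased |= case_variants(joined)
    return {w + s for w in cased for s in suffixes}


def is_derivable(password: str, entries: Dict[str, List[str]] = BIO_ENTRIES) -> bool:
    """Policy check: would this password fall inside the biographical set?"""
    return password in generate(entries)


if __name__ == "__main__":
    words = generate(BIO_ENTRIES)
    print(f"{sum(len(v) for v in BIO_ENTRIES.values())} entries -> {len(words)} candidates")
    for pw in ("annakarlsson", "Misse123", "Lund1984", "correct horse battery"):
        print(f"{pw!r}: {'derivable' if is_derivable(pw) else 'not derivable'}")
```

Five entries already give 255 candidates with two-part concatenation and three suffixes; raising `max_parts` to 3 multiplies that again, which is the growth the slide's 14-entry figure reflects.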
Other dictionaries & Golden Dictionary
• Permutation Dictionary
– Builds dictionaries by using permutations of
words from a word list file
• Pass-phrase Dictionary
– Builds dictionaries from a phrase file
Attack Level
GoldenDictionary.xml = Golden Dictionary

Windows Vista/7
C:\ProgramData\AccessData\PR\dictionaries
Setting Up a New Profile
Set up a customized profile to dictate how PRTK attacks the encrypted file
Use the PRTK profile and New from selected...
Add your own dictionary from a word list, if any
Save your new profile
Now it is hard to fail! BAS-2-17 Dictionary primary search
Setting Up a New Profile
[screenshot: profile dialog with numbered callouts]
The New Profile

• Rules are ordered smallest to largest

• All English dictionaries selected by default


The Default Profile (English)
• No custom dictionaries
• Not efficient!
This was designed for the untrained user!


The PRTK profile
• Based on a 1,000,000-password study
• Rules are ordered for efficiency
• Designed to complete in 1 week on average
• If unsuccessful, consider DNA
• Use it as a template
• Rename, update dictionary selections, and save for each new profile
This was designed for the trained user
Make it your default!
User defined rules
Edit > Rules... Create and edit user defined rules
FTK Export Word List...
• File > Export Word List...
• Exports the indexed search register to a file, i.e. all text strings found in the case (remember strings from registry files!)
• Note where you save your word list!
• If you have managed to decrypt some document etc.
– In FTK run Evidence > Additional Analysis..., check the following boxes under "Search Indexes" so the new text strings are included, and merge the index. Generate a new word list, then update the dictionary in PRTK.
• Quick word list attack
– Start from the FTK Wordlist Import template in Manage Profiles with "(BAS-3-10) Uses entries 'AS-IS' from selected dictionaries". Choose your word list as the dictionary.
User account example
• Only the word list dictionary is used; it should not take more than a few minutes at most!
• Only LAN hash checked > what does that mean?
– The LAN hash is quick to crack with brute force!
Possible PRTK attacks
• Decryption Attack
– Decrypts the password that locks the file
• Dictionary Attack
– Uses the words in a dictionary, applies rules to the words, and applies the password to the files or converts the possible words into keys
• Keyspace Attack
– Tries every possible key because there is a finite number of keys for the file
– The possible number of keys can be very large, therefore it is used on applications that use 40-bit encryption or less
• Reset Attack
– Rewrites the key that opens the file to a key that comes from a password that you specify. Few applications are susceptible to it.
• Multiple Attacks
– Some applications are susceptible to more than one attack type, which can decrease the time necessary to decrypt a file. PRTK starts with the least time-consuming attack type.
Bit Strength Classification
Key: any one of a larger number of values
Keyspace: range of possible values (this can get big!)

Difficulty   Bits   Keyspace
Easy           1    2
               2    4
               3    8
               4    16
               5    32
Moderate       6    64
               7    128
               8    256
Difficult      9    512
              10    1 024
              20    1 048 576
              30    1 073 741 824
DNA !!        32    4 294 967 296
              33    8 589 934 592
              40    1 099 511 627 776
&%@# !!!      50    1 125 899 906 842 620

Check out the keyspace_password.xls file
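The table above as code, in an added Python example that is not part of the slide deck or of keyspace_password.xls: `keyspace(bits)` reproduces the keyspace column, `classify()` maps a bit count to the slide's difficulty labels (the band boundaries are an assumption read from where the labels sit in the table), and `password_bits()` extends the idea to a concrete password by estimating its effective keyspace from length and character classes so it can be placed in the same bands. The guess rate in the usage section is a constructed placeholder, not a measured PRTK or DNA figure.

```python
# Added example, not from the slide deck: the bit-strength table as code, plus
# an extension that places a concrete password in the same bands. The band
# boundaries are an assumption read from the table's label placement, and the
# guess rate below is a constructed placeholder.
import math
import string

# (upper bit bound inclusive, label) - assumption: Easy 1-5, Moderate 6-8,
# Difficult 9-31, DNA from 32; anything beyond 49 bits gets the last label.
BANDS = [(5, "Easy"), (8, "Moderate"), (31, "Difficult"), (49, "DNA !!")]


def keyspace(bits: int) -> int:
    """Number of possible keys for a key of the given bit length (2 ** bits;
    note 2 ** 50 is exactly 1 125 899 906 842 624)."""
    return 2 ** bits


def classify(bits: float) -> str:
    """Map a bit count onto the slide's difficulty bands."""
    for upper, label in BANDS:
        if bits <= upper:
            return label
    return "&%@# !!!"


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def password_bits(password: str) -> float:
    """Effective keyspace in bits if every character were a uniform pick from
    the covering charset. This is an upper bound: real passwords are far less
    random, which is why dictionary attacks run before keyspace attacks."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the key: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    RATE = 1e6  # constructed placeholder: one million guesses per second
    for bits in (8, 10, 20, 30, 32, 40, 50):
        print(f"{bits:>3} bits  {keyspace(bits):>22,}  {classify(bits):<9}"
              f" ~{expected_seconds(bits, RATE):.3g} s")
    for pw in ("1234", "abcdefgh", "Tr0ub4dor&3"):
        b = password_bits(pw)
        print(f"{pw!r}: {b:.1f} bits -> {classify(b)}")
```

An eight-character all-lowercase password comes out at about 37.6 bits, i.e. already in the band the slide marks for DNA, which is why the slide orders dictionary and rule-based attacks before a keyspace attack and reserves the latter for 40-bit encryption or less.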


Break MS DPAPI (Data Protection Application Programming Interface)
• DPAPI has been built into Windows since Windows 2000
– http://en.wikipedia.org/wiki/Data_Protection_API
• DPAPI (Vista/IE7 and up) is the successor of the legacy PSSP (Protected Storage System Provider), which stored the items below; they moved to the IntelliForms key
– Form data, web search queries, web passwords and Outlook/Outlook Express passwords (PSSP entries are decrypted on the fly by RV)
– Storage1 - queries and form data
– Storage2 - login password info
• To break DPAPI-protected data we need: the user's logon password, the user's Protect folder, and the item-specific information below
– For URL logon pages: the address of the page accessed
– For search terms: the query engine header
– For form data: the field name of the form field used
– The AccessData PDF "Decrypting IntelliForms" on their support web site has instructions for performing the DPAPI decryption with PRTK
• DPAPI programming example with a C++ wrapper class
– http://www.codeproject.com/KB/system/protected_data.aspx
Windows EFS (Encrypting File System) operation in short
• FEK
– File Encryption Key - a new random one for every file
– Stored in an ADS, the $LOGGED_UTILITY_STREAM attribute in the MFT
– Marked as $EFS in FTK
• Transparent for apps (Windows API)
• Decrypted if copied/moved outside NTFS or over the network
• Vista/7 supports storage of the private key on a smart card
EFS and FTK
When PRTK has obtained the login password, use Tools > Decrypt Files...
PRTK new functions
• Accelerating Password Recovery using GPU Hardware
– PRTK will automatically detect if GPU acceleration is possible and will utilize the hardware as necessary. No additional steps are required.
– Using GPU acceleration is transparent on the computer. DNA and PRTK utilize the supported hardware if it is available. In the absence of such hardware, CPUs will continue to be utilized to their greatest capacity.
• Supports
– List of jobs that can be run with GPU – see the manual
– Nvidia CUDA GPUs
