I have an issue with a Hashcat error on a BitLocker hash (encryption)

I have a hash file from the image; my device is a Surface Pro, and the image is BitLocker encrypted.
Recovery Key hash #0:
$bitlocker$2$16$57debb77a3b130a92397f8c063049274$1048576$12$20cfa3155178d70198020000$60$ad91090585684fe3da68e053c0cbfdaae24e8bd5c6b50978790b964d3b2a808c3394a833c690cc9c99c0364d9df1fac40bdcadcd2b987a7d780bfdc3
when I run
hashcat.exe -m 22100 bitlocker.txt rockyou.txt
I get an error
Hashfile 'bitlocker.txt' on line 1 ($bitlo...9df1fac40bdcadcd2b987a7d780bfdc3): Salt-value exception
No hashes loaded.

Note also that Hashcat only supports $bitlocker$1$... hashes.
You should try to extract a $1 hash; alternatively, it should work with BitCracker.
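As an added example (not from the thread), here is a small Python parser for the $bitlocker$ line format that checks the declared field lengths and reports why hashcat's 22100 module rejects the hash quoted above. The version meanings follow the BitCracker/John the Ripper convention (0/1 user password, 2/3 recovery password), and the set {0, 1} accepted by hashcat -m 22100 is taken from that convention, not from this thread.

```python
"""Parse a $bitlocker$ hash line and say whether hashcat -m 22100 will load it.

Field layout (BitCracker / hashcat):
  $bitlocker$<ver>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<data>
Versions (BitCracker/JtR convention): 0 and 1 are user-password hashes (1 adds
the MAC check), 2 and 3 are recovery-password hashes.  hashcat's 22100 module
only accepts 0 and 1, which is why a $2 hash fails with "Salt-value exception".
"""
from dataclasses import dataclass

HASHCAT_22100_VERSIONS = {0, 1}
BITLOCKER_ITERATIONS = 1048576  # 0x100000 SHA-256 rounds, fixed by BitLocker's key derivation

# Hash quoted in the question above (recovery-password variant, version 2)
QUESTION_HASH = ("$bitlocker$2$16$57debb77a3b130a92397f8c063049274$1048576$12$"
                 "20cfa3155178d70198020000$60$ad91090585684fe3da68e053c0cbfdaae24e8bd5"
                 "c6b50978790b964d3b2a808c3394a833c690cc9c99c0364d9df1fac40bdcadcd2b987a7d780bfdc3")


@dataclass
class BitLockerHash:
    version: int
    salt: bytes
    iterations: int
    nonce: bytes
    data: bytes

    @property
    def hashcat_loadable(self) -> bool:
        return self.version in HASHCAT_22100_VERSIONS


def _hex_field(name: str, declared_len: str, hexstr: str) -> bytes:
    raw = bytes.fromhex(hexstr)
    if len(raw) != int(declared_len):
        raise ValueError(f"{name}: declared {declared_len} bytes, got {len(raw)}")
    return raw


def parse_bitlocker_hash(line: str) -> BitLockerHash:
    parts = line.strip().split("$")
    # The leading '$' yields an empty first field, so a well-formed line has 10 fields.
    if len(parts) != 10 or parts[0] != "" or parts[1] != "bitlocker":
        raise ValueError("not a $bitlocker$ hash line")
    _, _, ver, salt_len, salt, iters, nonce_len, nonce, data_len, data = parts
    h = BitLockerHash(int(ver), _hex_field("salt", salt_len, salt), int(iters),
                      _hex_field("nonce", nonce_len, nonce), _hex_field("data", data_len, data))
    if h.iterations != BITLOCKER_ITERATIONS:
        raise ValueError(f"unexpected iteration count {h.iterations}")
    return h


def explain(line: str) -> str:
    """Human-readable verdict for a hash line."""
    h = parse_bitlocker_hash(line)
    kind = "user password" if h.version in (0, 1) else "recovery password"
    if h.hashcat_loadable:
        return f"version {h.version} ({kind}): loadable with hashcat -m 22100"
    return (f"version {h.version} ({kind}): hashcat -m 22100 rejects it "
            f"(Salt-value exception); extract a $bitlocker$0$/$1$ hash or use BitCracker")


if __name__ == "__main__":
    print(explain(QUESTION_HASH))
```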

Related

disk encryption escrow files on centos via kickstart

I'm trying to automate CentOS installs via PXE and kickstart with encrypted filesystems. In case we mislay the passphrase, we want to use escrow files and encrypt them using the public key attached to an X.509 certificate obtained from a web server. The relevant line in the kickstart file is
logvol /home --fstype ext4 --name=lv02 --vgname=vg01 --size=1 --grow --encrypted --escrowcert=http://10.0.2.2:8080/escrow.crt --passphrase=XXXX --backuppassphrase
Leaving the cert PEM encoded on the web server rather than DER doesn't seem to matter; either works up to a point.
The filesystem is created and encrypted using the supplied passphrase and can be opened on reboot with no issues. Two escrow files are produced as expected, and using the NSS database containing the private key and the first escrow file, I obtain what I think is the passphrase, but it doesn't unlock the disk. For example:
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow
Data encryption key:    817E65AC37C1EC802E3663322BFE818D47BDD477678482E78986C25731B343C221CC1D2505EA8D76FBB50C5C5E98B28CAD440349DC0842407B46B8F116E50B34
I assume the string from 817 to B34 is the passphrase but using it in a cryptsetup command does not work.
[root@mypxetest ~]# cryptsetup -v status home
/dev/mapper/home is inactive.
Command failed with code 19.
[root@mypxetest ~]# cryptsetup luksOpen /dev/rootvg01/lv02 home
Enter passphrase for /dev/rootvg01/lv02:
No key available with this passphrase.
Enter passphrase for /dev/rootvg01/lv02:
When prompted I paste in the long numeric string but get the No key available message. However if I use the passphrase specified in the kickstart file or the backup escrow file the disk unlocks.
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow-backup-passphrase
Passphrase:    QII.q-ImgpN-0oy0Y-RC5qa
Then using the string QII.q-ImgpN-0oy0Y-RC5qa in the cryptsetup command works.
Has anyone any idea what I'm missing? Why don't both escrow files work?
I've done some more reading: the file ending in -escrow is not an alternative passphrase for the LUKS volume; it contains the encryption key (encrypted, of course). When decrypted, the long string is the encryption key, and there's a clue in the rest of the text which I confess I didn't read very well.
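To make that distinction concrete, here is an added Python example (not from the post) that reads the two kinds of volume_key --secrets output quoted above and builds the matching cryptsetup call: the key from the -escrow file goes into a raw key file passed with --master-key-file, while the backup file's passphrase is what the ordinary luksOpen prompt expects. The device and mapping name are the question's; the sample outputs are constructed copies of the quoted lines.

```python
"""Turn `volume_key --secrets` output into the right cryptsetup invocation.

The -escrow file yields the LUKS master key ("Data encryption key"); the
-escrow-backup-passphrase file yields a passphrase.  A master key is not a
passphrase: cryptsetup takes it as a raw key file via --master-key-file,
which bypasses the passphrase key slots entirely.
"""
import os
import tempfile

# Constructed copies of the two outputs quoted in the question (label, tab, value)
ESCROW_OUTPUT = ("Data encryption key:\t817E65AC37C1EC802E3663322BFE818D47BDD477678482E78986C25731B343C2"
                 "21CC1D2505EA8D76FBB50C5C5E98B28CAD440349DC0842407B46B8F116E50B34\n")
BACKUP_OUTPUT = "Passphrase:\tQII.q-ImgpN-0oy0Y-RC5qa\n"


def parse_volume_key_secrets(text: str) -> dict:
    """Return {'master_key': bytes} or {'passphrase': str}, depending on the escrow file used."""
    secrets = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if label == "Data encryption key":
            secrets["master_key"] = bytes.fromhex(value)
        elif label == "Passphrase":
            secrets["passphrase"] = value
    if not secrets:
        raise ValueError("no secret found in volume_key output")
    return secrets


def cryptsetup_open_command(secrets: dict, device: str, name: str, keyfile_dir=None) -> list:
    """Build the argv that unlocks `device` as /dev/mapper/`name`.

    With a master key the raw bytes are written to a 0600 temp file (the caller
    removes it afterwards) and passed with --master-key-file.  With a passphrase
    a plain luksOpen is returned; the passphrase is typed at the prompt."""
    if "master_key" in secrets:
        key = secrets["master_key"]
        if len(key) not in (16, 32, 64):  # aes-xts-plain64 (LUKS default) uses a 64-byte key
            raise ValueError(f"implausible master key length: {len(key)} bytes")
        fd, path = tempfile.mkstemp(prefix="luks-master-key-", dir=keyfile_dir)
        with os.fdopen(fd, "wb") as f:
            f.write(key)
        os.chmod(path, 0o600)
        return ["cryptsetup", "luksOpen", "--master-key-file", path, device, name]
    return ["cryptsetup", "luksOpen", device, name]


if __name__ == "__main__":
    for out in (ESCROW_OUTPUT, BACKUP_OUTPUT):
        cmd = cryptsetup_open_command(parse_volume_key_secrets(out), "/dev/rootvg01/lv02", "home")
        print(" ".join(cmd))
```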

TPM Owner password and lockout password with Windows 10 & linux

I've set up a dual boot, so I have Windows 10 and Ubuntu.
Following the steps on this page, I'm able to retrieve the lockout password and the owner password of my TPM from the Windows 10 registry. The result looks like this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin
OwnerAuthStatus REG_DWORD 0x1
LastAuthLevel REG_DWORD 0x4
OwnerAuthFull REG_SZ iTcW8t1B+tIKmP/uxXPL94QF2Jw=
LockoutHash REG_SZ Ki1RiIu8d+eqeDoEFYcAqIoi1n4=
SRKPub REG_BINARY A3FEFDE6DBAA425D24717422C46C7E9C85C433CB
StorageOwnerAuth REG_SZ
TPMCleared REG_DWORD 0x0
OwnerAuthFull and LockoutHash are both base64 encoded, so I can decode them using this link for instance (it gives 893716F2DD41FAD20A98FFEEC573CBF78405D89C in hex for the owner password).
After that, booting into Ubuntu, I'm trying to interact with the TPM using these passwords. I'm using tpm2-tools to interact with the TPM under Ubuntu.
tpm2-tools works pretty well when Linux controls the TPM and sets up these passwords. But here I'm trying to let Windows keep control of the TPM and still be able to communicate with it under Ubuntu. For instance, I run these commands (which work when Ubuntu controls the TPM):
$ tpm2_createprimary --hierarchy e -g sha256 -G rsa -C primary.ctx
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
$ tpm2_create -g sha256 -G rsa -u key.pub -r key.priv -c primary.ctx
algorithm:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
raw: 0x60072
type:
value: rsa
raw: 0x1
rsa: [...]
$ tpm2_load -c primary.ctx -u key.pub -r key.priv -n key.name -C key.ctx
Load succ.
LoadedHandle: 0x80000100
$ tpm2_evictcontrol --auth o -c key.ctx --persistent 0x81010003 -P hex:893716F2DD41FAD20A98FFEEC573CBF78405D89C
persistentHandle: 0x81010003
ERROR: Tss2_Sys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications
I get ERROR: Tss2_Sys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications.
Does anybody know why I get this error / why this password doesn't work? Where could I get the right password? Any pointer on how to solve this problem is appreciated!
Thx!
I think I got my answer: in fact Windows makes a SHA-1 hash of the password, converts it to base64 and then stores it in the registry, if gpedit is configured like so:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376421(v=vs.85).aspx
b3nj1's answer is incorrect. Using the --auth o option for tpm2_evictcontrol means you're selecting the TPM's owner control domain (note that this was true in Feb 2018 when the question was posted; --auth means something else now), which requires owner authorization. OwnerAuthFull and LockoutHash are indeed generated as described in b3nj1's answer, but OwnerAuthFull stores the TPM's lockout authorization, while LockoutHash's purpose is unknown.
The base64-decoded value of OwnerAuthFull is the lockout authorization value. This can be verified using tpm2-tools' tpm2_changeauth: the base64-decoded value enables one to successfully change the lockout authorization. You can use the following PowerShell command to base64-decode to a hex string:
([System.BitConverter]::ToString([System.Convert]::FromBase64String('stringToConvert'))).Replace('-','')
So what is the owner authorization value in Windows? As per this page: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings, it is StorageOwnerAuth for b3nj1. From the result quoted in the question, it is just an empty string, meaning the owner authorization value is just a 0-byte buffer. This is the default value. Again, you can verify this using tpm2_changeauth.
Note that the link claims that the lockout authorization for TPM 2.0 is stored in LockoutAuth. This is incorrect. As seen in b3nj1's results above (as well as on my computers), there is StorageOwnerAuth, so it must be a TPM 2.0, but there is no LockoutAuth. Instead there is LockoutHash, but the article makes no mention of this value. Trying to use tpm2_changeauth with LockoutHash to modify any of the owner, endorsement, and lockout authorizations fails, so it is unclear what this value is for.
As for the link in Wang's comment on b3nj1's answer, it is incorrect. One can use tpm2_changeauth to verify that the owner and endorsement authorization values in Windows are both empty strings, and that the lockout authorization is stored in OwnerAuthFull. This means that none of the authorization values controlled by Windows are unknown and/or discarded.
I've raised these issues with the documentation on GitHub and will update if there are any developments.
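Putting the two answers together, here is an added Python example (not from the thread) that parses the registry dump quoted in the question, base64-decodes the values the way the PowerShell one-liner does, and maps them onto the tpm2-tools hierarchies as the later answer describes (OwnerAuthFull as the lockout auth, empty owner and endorsement auth). windows_style_auth reproduces the base64(SHA-1) derivation b3nj1 describes; the secret's byte encoding is left to the caller because the thread does not say which one Windows uses.

```python
"""Decode the TPM auth values Windows keeps under HKLM\\...\\Services\\TPM\\WMI\\Admin
and express them as tpm2-tools 'hex:' auth strings.

Per the answers above: Windows stores base64(SHA-1(secret)) as REG_SZ; the
decoded OwnerAuthFull is the *lockout* authorization (despite its name); the
owner authorization is StorageOwnerAuth, empty here, i.e. a zero-length auth;
endorsement is empty too.  LockoutHash decodes to 20 bytes but its use is unknown.
"""
import base64
import hashlib
import re

# Constructed copy of the registry dump quoted in the question
REG_DUMP = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin
OwnerAuthStatus REG_DWORD 0x1
LastAuthLevel REG_DWORD 0x4
OwnerAuthFull REG_SZ iTcW8t1B+tIKmP/uxXPL94QF2Jw=
LockoutHash REG_SZ Ki1RiIu8d+eqeDoEFYcAqIoi1n4=
SRKPub REG_BINARY A3FEFDE6DBAA425D24717422C46C7E9C85C433CB
StorageOwnerAuth REG_SZ
TPMCleared REG_DWORD 0x0
"""

_REG_LINE = re.compile(r"^(\S+)\s+(REG_\w+)(?:\s+(.*))?$")


def parse_reg_dump(text: str) -> dict:
    """Map value name -> (type, raw string).  The key-path line has no REG_ type and is skipped;
    a REG_SZ with no value (StorageOwnerAuth here) becomes the empty string."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            values[m.group(1)] = (m.group(2), m.group(3) or "")
    return values


def b64_to_hex(value: str) -> str:
    """Same conversion as the PowerShell one-liner: base64 -> upper-case hex, no separators."""
    return base64.b64decode(value).hex().upper()


def tpm2_auth_args(values: dict) -> dict:
    """Auth string per hierarchy in tpm2-tools 'hex:' syntax; '' means empty auth."""
    def auth(name: str) -> str:
        raw = values.get(name, ("REG_SZ", ""))[1]
        return f"hex:{b64_to_hex(raw)}" if raw else ""
    return {
        "lockout": auth("OwnerAuthFull"),    # the decoded OwnerAuthFull changes the lockout auth
        "owner": auth("StorageOwnerAuth"),   # empty on this machine -> 0-byte owner auth
        "endorsement": "",                   # Windows leaves the endorsement auth empty
    }


def windows_style_auth(secret: bytes) -> str:
    """How Windows derives the stored REG_SZ from a secret: base64(SHA-1(secret))."""
    return base64.b64encode(hashlib.sha1(secret).digest()).decode()


if __name__ == "__main__":
    print(tpm2_auth_args(parse_reg_dump(REG_DUMP)))
```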

plink puts me in an interactive shell prompt while executing batch

I am trying to use plink (PuTTY Link) to connect to test servers from a batch file, so as to avoid any user prompts, and to execute shell scripts. But it pauses at an interactive prompt after logging in with the username and password provided, which I don't want.
Please suggest why this is happening, or whether I need to change any settings in the configuration to make this work.
Below is the log. I am expecting it to execute a shell script after this step, but instead it stops there and plink puts me in an interactive shell.
D:\>plink -v -ssh xxx@xxx.xxx.xxx.xx.com -pw XXXXX
Looking up host "xxx@xxx.xxx.xxx.xx.com"
Connecting to xxx.xx.xxx.xx port 22
Server version: SSH-2.0-OpenSSH_5.1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 1024 a5:c3:96:57:53:7c:72:06:8d:86:09:76:27:3e:18:8d
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "xxx".
Attempting keyboard-interactive authentication
Access granted
Opening session as main channel
Opened main channel
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
Last login: Wed Mar 5 09:56:41 2014 from 10.34.39.22
←[?1034hxxxxavu2:←]2;xxx@xxxxavu2~ >
When using SSH, upon first connection you are required to verify a service host key in order to make a connection.
Through plink, the command line will generate a prompt, asking the user to "accept service host key? (y/n)".
Step 1: Fix the "Keyboard Interactive Authentication prompts from server".
Follow the instructions at the URL below and deselect "Attempt keyboard-interactive auth (SSH-2)" in your PuTTY.
https://support.linuxacademy.com/hc/en-us/articles/360027730172-How-Can-I-Copy-and-Paste-into-Putty-on-Windows
Step 2: The command below fixes the "verify a service host key" prompt for the first SSH connection to every Linux server using plink.
echo yes| C:\PuTTY\plink.exe user-name@10.148.147.41 -pw *************** date
Step 3: Now you can immediately run your next scripts, like "server uptime checks" or "monitoring agent restart", using plink with the -batch option (disables all interactive prompts).
C:\PuTTY\plink.exe -batch user-name@10.148.147.41 -pw *************** -m C:\uptime_linux.sh
C:\PuTTY\plink.exe -batch user-name@10.148.147.41 -pw *************** -m C:\monitoring-agent-check_linux.sh
The above information will 100% help you to automate Linux tasks using the plink utility.
It's giving you an interactive shell because you are not actually giving it a command to execute after connecting. Enclose your command in quotes, eg:
D:\>plink -v user@xxx.xxx.xxx.xxx -pw XXXXX "df -h"

How do I change multiple unix passwords in one script/batch file?

I connect to 8 different unix servers from Windows, using connection type 'SSH' in putty. I use the same username/password for each server.
Currently when I need to change passwords (every 60 days), I need to open putty, select the session I want to connect to, type my current password (in the putty window that opens), type "passwd", enter my current password, and then enter my new password.
Then I exit and repeat the process 7 times.
How can I convert this to an automated process where I simply need to supply a script/batch process with my old and new password?
Here is how I automated the process:
Download and install ActiveTCL Community Edition (download the 32 bit version, even if you are on 64 bit windows, as the 64 bit version does not have "Expect" which is what you need to run the automated script)
Open the tclsh85 executable that was created by the install
Run this command: "teacup install Expect" (note, this is case sensitive. You may need to set up special HTTP settings if you receive an error and/or are on VPN or using a proxy)
Download Putty's "plink.exe" and either place it in the bin directory of ActiveTCL (default install directory is "C:\Tcl\bin") or alter your "Path" environment variable to include the path to this executable (wherever you downloaded plink.exe). This is the command-line version of Putty which your script will use.
Anywhere on your drive, create a text file named "servers.txt" with a list of the servers (one per line). They should all share the same password, as the script will login to all of them with the same password (that you supply), and change the password to the one you supply.
In the same directory as "servers.txt" create a new text file called "ChangePassword.tcl" (or whatever you want to call it, but be sure its file type is "tcl"). Right click the file and edit in notepad (or whatever text editor you prefer) and paste this script in it.
package require Expect
package require Tk   ;# needed for the label/entry/button widgets below (harmless under wish)
exp_log_user 0
set exp::nt_debug 1

# Log in to one host with plink, run passwd, and return what the server printed.
proc changepw {host user oldpass newpass} {
    spawn plink $host
    log_user 0
    expect {
        "login as: " { }
    }
    exp_send "$user\r"
    expect "sword: "
    exp_send "$oldpass\r"
    expect "\$ "
    exp_send "passwd\r"
    expect "sword: "
    exp_send "$oldpass\r"
    expect "sword: "
    exp_send "$newpass\r"
    expect "sword: "
    exp_send "$newpass\r"
    set result $expect_out(buffer)
    exp_send "exit\r"
    return $result
}

# Simple Tk form: username, old/new password, and a button that walks servers.txt.
label .userlbl -text "Username:"
label .oldpasslbl -text "\nOld Password: "
label .newpasslbl -text "\nNew Password: "
set username "username"
entry .username -textvariable username
set oldpassword "oldpassword"
entry .oldpassword -textvariable oldpassword -show *
set newpassword "newpassword"
entry .newpassword -textvariable newpassword -show *
button .button1 -text "Change Password" -command {
    set fp [open "servers.txt" r]
    set file_data [read $fp]
    close $fp
    set data [split $file_data "\n"]
    foreach line $data {
        # Skip blank lines (e.g. the trailing newline) so plink is never spawned with an empty host.
        if {[string trim $line] eq ""} continue
        .text1 insert end "Changing password for: $line\n"
        set output [changepw $line $username $oldpassword $newpassword]
        .text1 insert end "$output\n\n"
    }
}
text .text1 -width 50 -height 30
pack .userlbl .username .oldpasslbl .oldpassword .newpasslbl .newpassword .button1 .text1
Save the script and then launch the ChangePassword.tcl file.
Here is a picture of what it looks like when you open the ChangePassword.tcl file:
The rest should be self explanatory. Note the program does not output when your password change was successful but it will tell you when it fails. Also note, this was my first tcl script (and first time using Expect) so the script is by no means "optimized" and could probably be improved but it gets the job done. Feel free to edit, or make suggestions/improvements.
Sounds like you want Expect, an extension of Tcl that can mimic typing at a keyboard for a console application. See the examples for how to do this.
Now there is something you've written that worries me:
I connect to 8 different unix servers, using connection type 'SSH' in putty. I use the same username/password for each server.
Why aren't you using SSH keys for automating the logon?
Great article! Just elaborating on step 3. Please note the commands to provide proxy server information in case "teacup install Expect" fails due to a connectivity issue:
%teacup install Expect
Resolving Expect ... Not found in the archives.
...
Aborting installation, was not able to locate the requested entity.
child process exited abnormally
% teacup list teacup
0 entities found
Problems which occurred during the operation:
* http://teapot.activestate.com :
{connect failed connection refused} {can't read
"state(sock)": no such element in array while executing
"fileevent $state(sock) writable {}"} NONE
% teacup proxy "abcproxy.mycorp.com" 8080
Proxying through abcproxy.mycorp.com @ 8080
% set http_proxy_user MyNetworkID
MyNetworkID
% set http_proxy_pass MyNetworkPassword
MyNetworkPassword
% teacup list teacup
entity name version platform
----------- ------ --------------- ----------
application teacup 8.5.16.0.298388 win32-ix86
----------- ------ --------------- ----------
1 entity found
% teacup install Expect
Resolving Expect ... [package Expect 5.43.2 win32-ix86 @ http://teapot.activestate.com]
Resolving Tcl 8.4 -is package ... [package Tcl 8.6.1 _ ... Installed outside repository, probing dependencies]
Retrieving package Expect 5.43.2 win32-ix86 ...@ http://teapot.activestate.com ...
Ok
Installing into C:/app/Tcl/lib/teapot
Installing package Expect 5.43.2 win32-ix86
%

What do programs see when ZFS can't deliver uncorrupted data?

Say my program attempts a read of a byte in a file on a ZFS filesystem. ZFS can locate a copy of the necessary block, but cannot locate any copy with a valid checksum (they're all corrupted, or the only disks present have corrupted copies). What does my program see, in terms of the return value from the read, and the byte it tried to read? And is there a way to influence the behavior (under Solaris, or any other ZFS-implementing OS), that is, force failure, or force success, with potentially corrupt data?
EIO is indeed the only answer with current ZFS implementations.
An open ZFS "bug" asks for some way to read corrupted data:
http://bugs.opensolaris.org/bugdatabase/printableBug.do?bug_id=6186106
I believe this is already doable using the undocumented but open source zdb utility.
Have a look at http://www.cuddletech.com/blog/pivot/entry.php?id=980 for an explanation of how to dump a file's content using the zdb -R option and the "r" flag.
Solaris 10:
# Create a test pool
[root@tesalia z]# cd /tmp
[root@tesalia tmp]# mkfile 100M zz
[root@tesalia tmp]# zpool create prueba /tmp/zz
# Fill the pool
[root@tesalia /]# dd if=/dev/zero of=/prueba/dummy_file
dd: writing to `/prueba/dummy_file': No space left on device
129537+0 records in
129536+0 records out
66322432 bytes (66 MB) copied, 1.6093 s, 41.2 MB/s
# Unmount the pool
[root@tesalia /]# zpool export prueba
# Corrupt the pool on purpose
[root@tesalia /]# dd if=/dev/urandom of=/tmp/zz seek=100000 count=1 conv=notrunc
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.0715209 s, 7.2 kB/s
# Mount the pool again
zpool import -d /tmp prueba
# Try to read the corrupted data
[root@tesalia tmp]# md5sum /prueba/dummy_file
md5sum: /prueba/dummy_file: I/O error
# Read the manual
[root@tesalia tmp]# man -s2 read
[...]
RETURN VALUES
Upon successful completion, read() and readv() return a
non-negative integer indicating the number of bytes actually
read. Otherwise, the functions return -1 and set errno to
indicate the error.
ERRORS
The read(), readv(), and pread() functions will fail if:
[...]
EIO A physical I/O error has occurred, [...]
You must export/import the test pool because, if not, the direct overwrite (pool corruption) will be missed since the file will still be cached in OS memory.
And no, currently ZFS will refuse to give you corrupted data. As it should.
How would returning anything but an EIO error from read() make sense outside a file system specific low level data rescue utility?
The low-level data rescue utility would need to use an OS- and FS-specific API other than open/read/write/close to access the file. The semantics it would need are fundamentally different from reading normal files, so it would need a specialized API.
