Got a Nokia 920 running Windows 8 with an unknown passcode. I was able to get a physical of the device with Cellebrite, but no data was parsed out. Attempted importing it with XRY and got the same result. In looking through the bin I can see the partition imgs and noticed that the OS and Userdata were encrypted via BitLocker. It's a four digit passcode and I found software that lets me mount the partitions (prompts for the password), but typing 10000 possible combinations is not in the cards. Any info on how I could automate the password tries to unlock the data?
Dump the hash, salt and length then crack the passcode using
I am not sure if the question is "how to type all 10000 possible PINs"? If it is, you can use *any* scripting engine, but there are "brute force" password creators.
Of course it depends on which OS you are running and what is the "software" you are inputting the password(s) in.
If the range is just 0000 to 9999, even on a slow responding interface, 3 seconds per PIN, is 30000 seconds, or 500 minutes or 8.33 hours, slowish but doable.
jaclaz
I've always been led to believe that the Bitlocker key is securely stored in the processor and cannot be recovered. The PIN code is also stored in the encrypted userdata partition, so that can't be brute forced either.
I reckon he might choose the scripted option above rather than spending 8 hours doing that! lol
(if that's possible and doesn't lock out or increase time between attempts)
Sure, never thought of actually typing that, I was talking of the time needed using the scripted option, time depends on how responsive is the input interface, if there is some delay (for checking the pin, etc.).
And of course the script may take into account countermeasures such as increasing time for next attempt or resetting/rebooting every n attempts, etc. that will increase needed time.
I was trying to convey the idea that even if slow, a 4 figures 0-9 PIN is doable, i.e. can be simply bruteforced in a reasonable amount of time.
Even (if needed) using a "fake" keyboard, like a USB RubberDucky or similar, example
https://
in this case overall time is 17 seconds per attempt as there is the need to reset periodically.
jaclaz
I would be doing it on the physical image of the device, not the device itself. The software I have mounts the drive and prompts for a password. Type the code, fails with a box, hit ok, clear the code, enter new code. But I'll see if I can find the hash and then run the script…would definitely save a lot of time.
The software I have mounts the drive and prompts for a password. Type the code, fails with a box, hit ok, clear the code, enter new code.
And again, depending on the OS that you are running this can be scripted.
Only as an example, and on Windows, AutoHotKey or AutoIt or any other means to "SendKeys" would do nicely.
Example #1
https://
Example #2
https://
jaclaz
The PIN code is also stored in the encrypted userdata partition, so that can't be brute forced either.
You are correct, think I misread the original post. Last time I ran into one, it was encrypted but no passcode set strangely enough! In this case, you've hit a brick wall!
Thanks all! Also noted that the TPM was used so I am SOL since the PIN won't matter without it.