Network Security Pen-Test

Re: "PenTest" a container file

Subject: Re: "PenTest" a container file
Date: Thu, 18 Jan 2007 19:00:29 -0600
I consider the fact they are using a private encryption type as a giant red flag for the system. There is no reason to use a proprietary system when there are many free algorithms that have been thoroughly examined by the crypto community. The security of any crypto-system should exist solely in knowledge of the key and not rely on the secrecy of the algorithm.

That said, failing at cracking the system doesn't prove anything. If I used a slight modification of DES the odds of cracking it in a few weeks without knowledge of the algorithm are pretty slim. However, once the algorithm is released or discovered, it could be cracked in hours. If you don't have the application that reads or writes from the container, finding the algorithm probably isn't possible in any reasonable time, unless you use some social engineering to get it from the company.

Knowing that they enter a password doesn't provide any real information, as the "password" could simply be the hex-digits representing an actual key. Of course a key would have to be entered to decrypt the container file. It might also use a "regular" password and use a hash of that to generate the key used, but it still doesn't matter unless it is limited in some way like using 8 characters or less. In general, I think you would want to locate the key in RAM when it is in use, or check if it ended up in swap space. Unless, of course, they actually store the password for some reason.

If you just have the container file and not the app and any associated files, I don't think there is much chance of cracking it, unless they used something horrible like ROT13. I think a better test would be seeing if using it on a system leaves any data that could be exploited to handle a stolen laptop type of scenario.

I don't think I helped at all, but good luck with it.

Benjamin Anderson
Ph.D. Student
Iowa State University
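
The residual-data test suggested at the end of the message above, sketched as an added example (not part of the original post or of any product discussed): store a unique canary string inside the container on your own test machine, use the application normally, then scan swap, temp and image files for that string. The canary value, function names and file paths are assumptions made for illustration.

```python
import sys

# Constructed canary: a unique marker saved inside the container before the test.
CANARY = "CANARY-7f3a91-container-test"

def encodings(canary):
    """Byte patterns the canary could take on disk (8-bit and Windows wide text)."""
    return {
        "ascii": canary.encode("ascii"),
        "utf-16le": canary.encode("utf-16-le"),
    }

def scan_stream(stream, canary=CANARY, chunk_size=1 << 20):
    """Return sorted (offset, encoding) hits for the canary in a binary stream.

    Reads in chunks and carries a tail between reads, so a hit that
    straddles a chunk boundary is still found.
    """
    patterns = encodings(canary)
    keep = max(len(p) for p in patterns.values()) - 1
    hits = set()   # a set, because a hit inside the carried tail is seen twice
    tail = b""
    base = 0       # absolute offset of the first byte of tail + chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pat in patterns.items():
            pos = window.find(pat)
            while pos != -1:
                hits.add((base + pos, name))
                pos = window.find(pat, pos + 1)
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return sorted(hits)

def scan_file(path, canary=CANARY):
    """Scan one artifact (swap file, temp file, raw disk image) for the canary."""
    with open(path, "rb") as fh:
        return scan_stream(fh, canary)

if __name__ == "__main__":
    # Usage: python canary_scan.py <file> [<file> ...]
    for path in sys.argv[1:]:
        for offset, enc in scan_file(path):
            print(f"{path}: canary ({enc}) at byte offset {offset}")
```

Any hit outside the container file means plaintext from the container reached unencrypted storage, which is the exposure that matters in the stolen-laptop scenario.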

