Brute Force Through WD Password Protection

Jared

Administrator
Staff member
So I'm considering looking into setting up a hardware brute force decryption machine for the purpose of breaking WD's encryption. Perhaps something like this: https://sagitta.pw/hardware/gpu-compute-nodes/invictus/ only homemade.

According to this article it seems that it's totally doable to crack the user password once you have the key sector stored in the SA. From what the article explains most WD encryption works like this:

User password is used to generate Key Encryption Key (KEK)
KEK is then used to encrypt Disk Encryption Key (DEK - what we normally use to decrypt data)
This results in a eDEK which can be read the normal way by PC-3000 in lieu of the DEK (which was replaced with the eDEK).

So a brute force attack would basically be running every possible AES-256 password possible to see which one results in the key for the eDEK so it can be decrypted back to the DEK and used in PC-3000 to decrypt.

A simple open source tool like hashcat could probably be employed and run on hardware with multiple GPUs to accomplish it.

Of course such a service would only be offered to law enforcement agencies. Doing this commercially would simply be unethical.
 

Jared

Administrator
Staff member
Not according to every article I've read. Would take a billion years if you didn't have the eDEK and had to just gust guess the DEK. However guessing a user pass is much faster as they rarely are 64 digits in length. Most user passwords I've seen are around 10 characters. Also they made the mistake of using a date stamp as part of the DEK and while I've yet to investigate how to use that to help, supposedly it drops the time necessary down to a few hours.

Though it's assumed they did fix that on the latest version.

Sent from my SM-N900V using Tapatalk
 

HaQue

Moderator
I'm with Jared on this. but not brute force... using a decent wordlist with some well defined rules can bring some pretty good results. a 64 char pass would be very uncommon, as well as anything over 9 chars.

But I don't agree with doing it only for law enforcement. Ive seen too many people just screwed because of the lost password. and if it is theirs, the benefit is most times they can give you some info of a likely password, making it much easier. Why should regular people have to lose their files just because it looks kind of questionable? just some basic proof required and I would be happy to do it. Obviously It would be not blindly done for anyone, but I don't like the general public getting screwed
 

jol

Member
Jared":1qwpms0w said:
jol":1qwpms0w said:
Digits only ?

Characters, digits. Potato, parsnip. What's the difference?
A Hugh difference, if its only digits, then brute force will taka much less time then brute forcing every possible combination of Characters + digits + Potato + parsnip ;)
 

DRUG

New member
The best way to do this would be with a GPU station. https://www.digitalintelligence.com/pro ... erstation/

However you must keep in mind that this tool and service are kinda of hard to pay off.

1- Power consumption, using this beauties will kill your bill.
2- you wont have many clients willing to pay.
3- hardware lifetime (this kind of hardware usage will make is lifespan short)

If this is a tool for a top notch forensic lab ? Of course.
Would this be viable on a DRlab ? Not in my opinion :/

P.S: You should also setup cracking ranges, like: password is between 4 chars and 10 chars, uses characters with numbers(ANkey) uses symbols, bla bla bla, this would reduce your cracking time!
 

HaQue

Moderator
Okay, for the record I don't know anything about the implementation in WD HDDs.. but, I am thinking:

do you know what algorithm you can use to simulate the WD? I mean, what exactly are you going to process? Have you ripped some code from the WD or are able to somehow know what to test against? and how will you know if you have found the key?

When AES is implemented, I assume there isn't one simple algorithm used everywhere, I mean surely you would not:

stored passkey = AES-256(user_password)

would it not make sense to implement AES in some small algorithm? Then it would be extremely difficult to figure out how to use even knowledge of AES to decrypt it?

something like :

temp = backward(user_password)
temp = temp+temp
stored passkey = AES-256(temp)

then you can bang away at AES-256 as much as you want but you won't find the key.

or have I got it wrong and there is knowledge of how to compare a key to an encrypted one without using the drive?
 
Top