What tool should I use to brute-force it?
I found a program called "pgpcrack" by Mark Miller, but it wants to be given a list of every passphrase to try. I think I need something more brutish than that.
Can't John the Ripper be told to spit out a list of attempts without actually dealing with a password file directly? I seem to recall that...
Anyway, feed that to pgpcrack.
A glance at the manpage says "no", but you can buy CDs of wordlists from their website, or download reduced words lists from their mirrors.
Oh, sheesh. The damn wordlists are in there somewhere, dammit. (They may be in Berkeley DB format or something, though.)
Oh, wait, JtR is the one that builds its wordlists from your local /usr/dict/words, contents of the GECOS fields in /etc/passwd, and anything else you feed it upon install, isn't it? I must have been thinking of something else...
Well, it still might be possible to feed it a reasonable corpus (like, say, the rest of jwz's mail archive) and then extract the wordlist from its DB format, but that's a bunch of stupid work.
That's the one. Personally, I'd snag an 11Mb wordlist from their mirror and see if pgpcrack likes it before breaking out the perl.
Looks like pgpcrack gets false positives; with the 11Mb file, it will often come up with a dozen results, none of which actually work (pgp itself starts decrypting then gets an error part way through.)
Meanwhile I'm sitting here trying to remember every password I've ever used. Gaah, this is so frustrating!
john -incremental -stdout
pipe that to pgpcrack
Um... you do still have the private key, right? Because if not, you're really screwed...
This is just "passphrase" encryption, not public key.
If you try every combination of letters and digits (62 possible characters), up to 8 characters, that's 222 trillion combinations. I think that it would be fairly slow to test, so let's figure 1,000,000 attempts per second.
That's 7 years to run through all the combinations, for an average of 3.5 years to break open the file.
If you don't have some list of less-brutish passphrases to start from, you might be looking at a pretty tough task...
Oh, just passphrase encryption might be orders of magnitude faster, so maybe nevermind.
Yeah, I lost the passphrase to an SSL cert once. I tried to brute force it. Then I did the math and figured out it would take years. It's absolutely pointless. I just had to pay for a new cert.
hopefully someone from the cia or fbi will read this post and help you out..
Unless you can restrict the charset, you're fucked. You're contemplating trying every string <15 characters matching [a-zA-Z0-9]* (probably plus some punctuation); call it 68^15 or around 2^90 possible combinations.
The folks at passcracking.com solve a similar problem for MD5 on [a-z0-9]* N<=8 and are pushing the limits of what's reasonable. According to a mailing list post, some French researchers did 2^50 hash evaluations in 20 days on 160 Itanium processors, so multiply that by 2^(90-50) = 1099511627776 and you're looking at... 60 million years on 160,000 CPUs. (Assuming you can answer "is this the right passphrase?" just as quickly as their MD5 hash.)
So the problem becomes, how do you generate a stream of possible passphrases to feed to pgpcrack. I dunno what the answer is, but whoever comes up with a serious result in this area is going to be famous.
He's already suggested that we can restrict the search space to Real English Words, give or take some l33t speak, which narrows things significantly. The way may still be months, but that might be worth it.
Their MD5 hash crack was based on a birthday attack, which invalidates it for finding a password.
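The two work-factor estimates made in the comments above (62 characters up to length 8 at 1,000,000 guesses per second, and the scaling of a measured 2^50 run up to a 2^90 search) can be reproduced with a short script. This is an added example, not part of the original thread; the function names are hypothetical and the rates are the ones the commenters assumed.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(charset_size, max_len, min_len=1):
    """Count every string of length min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def bits(charset_size, max_len):
    """Size of the search space expressed as a power of two."""
    return math.log2(keyspace(charset_size, max_len))

def years_to_exhaust(charset_size, max_len, guesses_per_sec):
    """Worst-case time to try every candidate; the average is half of this."""
    return keyspace(charset_size, max_len) / guesses_per_sec / SECONDS_PER_YEAR

def max_len_within(charset_size, guesses_per_sec, budget_years):
    """Longest passphrase length whose whole keyspace fits in the budget."""
    budget = guesses_per_sec * budget_years * SECONDS_PER_YEAR
    n = 0
    while keyspace(charset_size, n + 1) <= budget:
        n += 1
    return n

def scale_years(known_bits, known_days, target_bits, cpu_factor=1):
    """Scale a measured run of 2^known_bits trials taking known_days
    to 2^target_bits trials on cpu_factor times as much hardware."""
    return known_days * 2 ** (target_bits - known_bits) / 365.25 / cpu_factor

if __name__ == "__main__":
    # Estimate from the thread: 62 characters, up to 8 long, 1e6 guesses/s.
    print(f"{keyspace(62, 8):,} candidates, "
          f"{years_to_exhaust(62, 8, 1e6):.1f} years worst case")
    # Estimate from the thread: 68 characters, up to 15 long.
    print(f"68 chars up to 15: about 2^{bits(68, 15):.0f}")
    # 2^50 trials in 20 days on 160 CPUs, scaled to 2^90 on 160,000 CPUs.
    print(f"{scale_years(50, 20, 90, cpu_factor=1000):.2e} years")
    # Each extra character multiplies the work by the charset size.
    for years in (1, 10, 100):
        print(years, "year budget covers length",
              max_len_within(62, 1e6, years))
```

Each added character multiplies the work by the charset size, so a hundredfold longer time budget barely moves the reachable length.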
Hey, the passphrase is in your brain somewhere...
Get hypnotized?
this isn't the worst idea in this thread, and remember, ilovezombies is a hypnotherapist...
That's what you get for not using 2-rot-13.
That's what you get for using that inferior UNIX. Had you just used Windows, this problem could have been avoided. I present you with my two main reasons why this would not have happened with Windows.
1) The PGP implementation on Windows would have had a major flaw in the way it encrypts thus making it easy enough for a 3rd grader to crack the password.
2) You wouldn't have the archives in the first place. They would have been lost to a virus through either corruption or a late night reinstall fest.
This might be a silly question, but, have you checked the under-side of your keyboard for a post-it note with the password on it?
Genius! All he needs now is the keyboard he used (at work?) nine years ago! We'll invent a time machine, and... [etc.]
Bah! Details!
Unless he worked for Enron, in which case the note's been shredded.
Just the note? I usually shred the keyboard as well, just to be safe.
this is an opportunity for you to create a new xscreensaver module to distribute the brute-force attack.
i've got plenty of spare CPU cycles i'd send your way.
Try "dioisgod1984".
Shit now I have to change all of my root passwords.
I need more detail please. Did you use PGP Disk File 4.0 or PGP Secret Key Ring?
Oh, or is it PGP Disk 4, 5, or 6?
"PGP 2.6.3ia, 1996-03-04 International version." The files were encrypted from emacs crypt.el, which appears to use "pgp +batchmode +verbose=0 -c -f -z".
Actually these might have been encrypted with a slightly older version of PGP (but not more than a year or two older.)
Damnit. I keep forgetting that 8 years ago WASN'T THAT LONG AGO anymore... 1996. I keep forgetting it isn't 1996 NOW...
Yeah okay, I do know of a program that will do it... at least the current beta does. I'll have to check on the release version.
Is price much of an issue?
This will be good, thinks I.
I know jwz has the money, that does not correspond to him wanting to spend it for this.
Oh, I wasn't expressing concern about the money, either. Rather, I was wondering what sort of software you might possibly be able to offer up. The whole point of PGP/GPG is that if you don't know the passphrase, you are very sincerely and intentionally SOL.
Therefore, and given that no one on the net seems to be saying that they have managed to crack PGP/GPG, I mistrust your ability to come up with something helpful.
On the other hand, I'd love to know more if you think you know something most techies don't.
There is no program to my knowledge that "cracks" PGP. There are programs that will perform an intelligent brute force attack on PGP.
That's what jwz said he was looking for, and that's what I sent him via e-mail.
The knowledge level of other techies is not my concern.
Well, I'd want to know what I was buying first and whether it was likely to work any better than the junk I'm already trying...
You have mail. :-)
This happened to me once (actually I forgot the passphrase to my private key, but the end result was similar). I'd given up, but a couple of years later I tried one more time--and it worked!
It turns out that all along I had misspelled the passphrase, but since I was touch typing I never noticed. I only recovered it by accident.
So anyway, you might take the passwords you've used in the past and try some qwerty variations.
Noah! You are LJ enabled! :)
didn't I tell you the story of how I did that?
dork. delete the file. You haven't used it in a decade there is nothing there you need.
by the way I tried all kinds of shit to get the password and nothing worked. but then again I did it back in the mid nineties so maybe there's tools to help more now. The sick part is that I know I was within one or two characters of knowing what password I used. Now of course I use much more complicated weird passwords that I wouldn't even have hope of remembering. And actually forgot a bunch of ones for the servers at work over my east coast trip and that was bad.
Keep in mind that PGP passphrases are generally multiple words, so you might want to try combinations of dictionary words, etc. Try to think back, what was on your desk at work when you encrypted that file? Your passphrase might be something like "phone keyboard stack-of-money keys-to-helicopter stock-options-package". You might want to try alt.security.pgp, I'm sure that everyone there would know who you are and be willing to help.
Also, this quote from The PGP Passphrase FAQ makes me laugh: "You can't trust Windows 3.x, Windows 95, OS/2, and any other operating system that swaps memory to the hard drive or that uses virtual memory."
I think this means that PGP can only be trusted on CP/M and MS-DOS, then. Fun.
This is why most linux distributions install gpg setuid root, so it has permission to lock the memory (so it won't get written to swap).
So which distros don't? I'll know to avoid them.
Well, I hope virtually all of them do (or alternatively have one of the kernel patches that lets you give the ability to particular binaries without giving wholesale root privileges). I don't have a list handy, but I can tell you with certainty that Debian installs it setuid.
Red Hat and Fedora don't. See this bug.
I just threw the I Ching for you, and there's an astoundingly pertinent interpretation of the hexagram in the newly updated Baynes/Wilhelm interpretation from Bollingen Press:
Thunder over the lake
Delete the encrypted file
It furthers the superior man to move on with life
I have a mysql install that I remember the mnemonic for, but not the precise spelling/caps/etc I used for it. Fortunately in my case, I can just use this as an excuse to just reinstall mysql. But alas, you don't have that option.
OTOH, do you even vaguely remember the passphrase? I'm assuming not given the need for uberbruteforce, but unfortunately that does seem like it might be your best shot. Perhaps make a list of likely things you would have used then, and markov chain play with them for feeding into pgpcrack?