+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: decrypt a Twofish encrypted file (/thread-2856.html)
decrypt a Twofish encrypted file - m4rtin - 11-24-2013
I have a 50MiB encrypted file which was created with Sentry 2020(version 2.8) for Windows Mobile. This 50MiB file is a virtual volume which appears as a directory in Windows Mobile root directory once the correct password is provided and volume is mounted. Along with the 50MiB encrypted file, there is a 760 byte key-file:
Code:
root@T60:~# hexdump -C /media/0C64-8931/encrypted2.key
00000000 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 |................|
00000010 01 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 41 00 00 00 00 1a 71 18 02 00 00 00 |....A.....q.....|
00000030 00 00 00 00 5e f8 cf 93 02 00 00 00 0a 00 00 00 |....^...........|
00000040 98 00 00 00 00 00 00 00 45 df 28 34 dd 14 bf 6d |........E.(4...n|
00000050 5b 5b c5 a2 78 68 e4 ab f8 13 2d 0d 07 ab 1e fd |[[..xh....-.....|
00000060 b8 66 41 ea 43 51 49 9c c5 8a 9b 52 2d 2b e8 6c |.fA.CQI....R-+.l|
00000070 2d 7e 1d 7f 40 66 a6 77 2a 1a 80 33 2e 14 71 16 |-~..@f.w*..3..q.|
00000080 3f 26 84 91 ff 03 80 03 40 9f 63 8e 93 45 b0 b2 |?&......@.c..E..|
00000090 a4 e9 17 60 e5 62 d3 e0 5d 0d 06 14 c2 b0 a1 69 |...`.b..]......i|
000000a0 9c 0f 94 fd dc 52 58 0f c6 9c 46 3f c1 b9 92 df |.....RX...F?....|
000000b0 6e 4e 1d c0 9a bc 77 75 c8 71 7c 73 a4 23 da 0a |nN....wu.q|s.#..|
000000c0 b3 c6 cc 2a 70 c8 9f 8a 32 d0 6b c5 2d 6c 18 df |...*p...2.k.-l..|
000000d0 4d ce 48 01 e9 4f 06 c3 7b 8f 84 34 f7 eb 53 01 |M.H..O..{..4..S.|
000000e0 03 00 00 00 02 00 00 00 08 02 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000002f8
root@T60:~#According to security details of Sentry 2020, this 50MiB file is encrypted using a randomly generated key, which itself is encrypted using a user supplied password. The randomly generated key is stored in a 760 byte key file, encrypted with a user supplied password and a randomly generated "salt" value stored in the same file. This means that once I have decrypted the 760 byte key file I could access the content of the 50MiB file? Is there a way to tell which encryption method is used for a key file? For 50MiB file I chose Twofish encryption with 256 byte key. I would guess that the key file is encrypted with the same method.
Is there a way to brute-force this key-file using hashcat? I guess not as this key-file is probably encrypted with Twofish which is not supported by hashcat. What tool should I use here? In addition, it's important to mention that while my password was ~15 characters long, I *think* I remember the characters and order of character to large extent in the password so number of variations is few thousands.
RE: decrypt a Twofish encrypted file - m4rtin - 11-26-2013
I solved this in a way that I created a password file with maskprocessor. It contained less than 200k passwords all separated by carriage return and line feed. Then I made a Windows batch script which read those passwords line by line from the password file:
Code:
FOR /F "usebackq delims=" %a in ("C:\Users\winuser\Desktop\passfile.txt") do SentryCommand.exe mount /file test-volume.key /password %a /drive A /timeout 10 /volume encrypted-file..and used those in Sentry 2020 command line interface:
Code:
Sentry.exe supports following command line options:
mount [/volume] file.raw [/key file.key] [/password 12345]
dismount [/volume] file.rawRE: decrypt a Twofish encrypted file - atom - 11-26-2013
Cool, thanks for letting us now