Thursday, January 5, 2017
Cracking Android encryption using brute forcer
Cracking Android encryption using brute forcer
In the latest update, viaExtract now supports cracking Android encryption using brute force for both Android 4.0 (Ice Cream Sandwich) and 4.1 (Jellybean) devices. Our technique for breaking Android encryption was presented at our Def Con 2012 talk, “Into the Droid – Gaining Access to Android User Data”.
Android Encryption Brute Force
In our initial release, we support numeric passcodes ranging from 4-digit through 6-digits, however this can be easily expanded to included more complex (alpha numeric) and longer passcodes.
We currently support the Samsung Nexus S and Samsung Galaxy Nexus models and will continue to add support for new devices. In our initial release of this module, the device must have an unlocked boot loader, however we will expand support for locked devices as well. Follow us on Twitter (@viaforensics) and check out our blog for updates.
Once the passcode has been successfully cracked it will be displayed to the analyst who can then access the device. Future releases will include:
- Support for additional devices
- Support for devices with locked boot loaders
- Support for complex passcodes
- Ability to mount encrypted file systems from a .dd image
- For current viaExtract users, load your viaExtract VM as well as the viaExtract program itself. In the top right of your viaExtract UI there is an “Update software” button that will become active. Simply click this button and follow the prompts to update.
- New users: download version 1.7 (brute force encryption cracking only available in full version).
How to Crack Android Encryption Using viaExtract
After downloading, follow the instructions below to use the new feature (this is also available in the help documentation inside viaExtract).The devices need to have an unlocked bootloader running Android 4.0 or higher. If the bootloader is locked do not attempt to unlock it (a successful unlock may wipe the device).
To use this feature you must first put the device in fastboot mode. To do this, first power off the phone. For the Nexus S; with the device turned off, hold the volume down button then press and hold the power button. For the Galaxy Nexus; with the device turned off, hold both volume buttons and the press the power button. This should put the device into fastboot state. From there, pass the device to the VM the same way you would a traditional phone (Devices –> USB Devices –> “Fastboot Device”). After passing your device through to the VM, open a case, click ‘New’ –> ‘Encryption Brute Force’.
With your device now in fastboot mode, select “Automatically download footer and header from device” and click “Forward”.
After it is complete, click “Forward”. If the brute force was successful, the pin will be shown on the ‘Results’ screen.
To complete this manually and upload your own header and footer files, issue these commands:
For a Nexus S:
Header:
adb shell dd if=/dev/block/mmcblk0p2 of=tmp_header bs=512 count=1
adb pull tmp_header
Footer:
adb shell mount -t yaffs2 /dev/block/mtdblock6 /root
adb pull /root/userdata_footer tmp_footer
For a Galaxy Nexus
Header
adb shell dd if=/dev/block/mmcblk0p12 of=tmp_header bs=512 count=1
adb pull tmp_header
Footer:
adb shell dd if=/dev/block/mmcblk0p13 of=tmp_footer
adb pull tmp_footer
After pulling both the header and footer files, return to the VM, select the “Encryption Brute Force” option, and select the “Decrypt from header and footer file”. From there, select the location your header and footer files are stored and click “Forward”. Next, follow the prompts to brute force the passcode.
It may take anywhere from a few minutes to a few hours to brute force the passcode, depending on its length and complexity. You will see a progress indicator detailing the completion level of the brute force.
VIA
Available link for download
