How To Unlock A Dmg File When You Forgot Password
Sep 10, 2009 The file is a.dmg Pretty much everything I am reading says it is just about impossible to retrieve the info without the password. But I thought wouldn't hurt to. I think by default DMG passwords use 128-bit AES encryption so it could be a bit of a task using brute force if your password is complex. If it is simple-ish, however, a dictionary or brute force.
Two weeks ago I was in the midst of a nightmare. I’d forgotten a password. Not just any password. THE password. Without this one password I was cryptographically locked out of thousands and gigabytes worth of files I care about. Highly sensitive and valuable files that include work documents, personal projects, photos, code snippets, notes, family stuff, etc. The password in question unlocks these files from the protection of locally stored AES-256 encrypted disk image. A location where an “email me a password reset link” is not an option. File backups? Of course! Encrypted the same way with the same password. Password paper backup? Nope. I’ll get to that. I somehow needed to “crack” this password. If not, the amount of epic self-pwnage would be too horrible to imagine.
Before sharing how I got myself into this predicament, it’s necessary to reveal some details about my personal computer security habits. More specifics than I’m normally comfortable sharing.
As my badge wall shows, I travel a lot, all around the world, and often with the same laptop. A MacBook Pro. My computer becoming lost, stolen, or imaged by border guards and other law enforcement officers is a constant concern. To protect against these potential physical attacks, OS X dutifully offers FileVault.
FileVault is a full disk encryption feature utilizing XTS-AES 128 crypto. Enabling FileVault means that even if someone has physical possession of my computer, or obtains a full copy of the hard drive, they’d be the proud new owner of a cutting-edge machine, but unable to get any useful data off of it. That is unless my admin password, which unlocks FileVault, is ridiculously simple, and it isn’t. By all practical means, “cracking” this password is impossible.
What is possible is law enforcement, or a robber, forcibly stopping me and “asking” for my admin password, a method capable of defeating FileVault’s full disk encryption. Realistically, while my Brazilian jiu-jitsu black belt certainly helps in many situations, it can be utterly useless in other real-world encounters. I’ll of course resist giving up my admin password to the extent I’m able, but must assume I may have to “comply” at some point. If this should happen, ideally my data, other than email, should remain safe even after the adversary lands on my desktop.
Setting up this type of layered security fall-back plan is where we return to the conversation of encrypted disk images. On OS X, Disk Utility can be used to create encrypted disk images called DMGs. DMGs are self-contained portable files, of customizable size, that when mounted (i.e. double-clicked) display on the desktop like any other disk drive where files can be stored.
Upon creation of DMGs the level of encryption strength can be set, the highest being AES-256. If FileVault’s AES-128 crypto is already “impossible” to crack, AES-256 DMGs are exponentially more impossible. To ensure this, all you have to do is set a reasonable password. We’re talking even 6 characters or longer, some upper and lower case, and maybe toss in a digit and special character. DON’T SAVE THE PASSWORD IN YOUR KEYCHAIN. Doing so defeats the entire purpose of what we’re trying to accomplish, because the admin password unlocks the keychain.
A great thing about DMGs is that they can be stored anywhere. Hidden in some obscure directory on the local machine, a network storage device, a USB drive, whatever. All my confidential files are typically stored this way, in a series of encrypted DMGs with separate passwords. Also very important, DMGs containing sensitive files are only mounted on an as-needed basis. This is for two reasons:
- If I must hand over my admin password, the person now on the desktop should still have a difficult time learning these disk images exist and a password is required to open them. As they begin to snoop around, image the drive, run forensics, etc., they should feel they have the keys to the kingdom. If they do manage to find the DMGs, hopefully by then I’m on my way and seeking legal help.
- Should my computer get “hacked,” a remote attacker will find it extremely difficult to transfer out many many gigabytes worth of data as a single DMG file before being noticed, the computer loses its connection to the Internet, or the image is unmounted.
What’s also cool is a DMG can be used to store additional account passwords, flat file style. Passwords, which can be made super strong and don’t have to be committed to memory. Simply copy-paste as necessary. This FileVault / DMG setup makes it very convenient to only have to remember a small handful of passwords, including the admin password, to access everything important and without sacrificing security. Well, convenient up until the point where you forget a DMG password. In my case, caused by my scheduled ritual of “change all my passwords.” Ugh!
I wake up once upon a recent morning and begin my daily routine. Check calendar. Check email. Check RSS. Check Twitter. Start working, start reading. As is common, I mount a DMG and am greeted by the familiar password dialog. First password attempt, fail. Second attempt, fail. Third attempt, fail. Warning dialog appears. That’s weird, I thought. Normally I’m a proficient touch typist. Am I fat-fingering the password? Three strikes and I’m out again.
Annoyed, but not concerned. Check the caps lock key. Nope. Try the password again. Fail, fail, fail. Fail, fail, fail. Rinse, repeat several more times. WTF! Am I at least trying to type the correct password for the DMG? I believe so. Let me try a few “shouldn’t work passwords” just in case Morning Brain is causing problems. A few dozen password fails later, annoyance begins constricting into panic. It’s OK, consoling myself, I’ll come back to this in a little while. It’ll be fine. I have some non-DMG-required work to complete anyway.
An hour later, I repeated the same password attempt cycle. No dice. The password fails mounting up are now in the hundreds. I start to mouth some obscenities and my keyboard is really not liking the pounding. My wife is beginning to eyeball me with concern. I’m running out of ideas of what that problem could be. That’s about when I recalled recently changing all my passwords. A few moments later, that’s when it hit me, like really hit me. For whatever reason, I’d forgotten what I changed the password to. *Gulp*. Oh, no!
Credit: http://xkcd.com/
Think positive, think optimistic. Keep calm. Carry on. It’ll come to me. I’ve never forgotten these passwords before. I even remember most of it. At least, I think I do.
I’m periodically trying different passwords throughout the day, throughout the evening. One day turns into two, two into three. All like the first. Only now I’m losing sleep. I’m waking up in the middle of the night and have to try a few more passwords just so I can get back to sleep. For those who don’t know, dreaming of password combinations sucks. What also sucks is without access to this DMG, more specifically the work documents within it, my daily productivity plummets.
Finally, after nearly a week I have to admit to myself, I forgot it. That I’m in trouble. Time for Plan B. Google.
I begin searching around for DMG password cracking tools. My thought is since I have a partial password, I should be fine. Most of the results pages are littered with people responding by cracking jokes when asked about cracking DMG AES crypto. That’s not very encouraging. Then I come across something called crowbarDMG, which is basically a GUI for the command:
>$ hdiutil attach -passphrase <passphrase> DiskImage.dmg
hdiutil locks a DMG file when attempting to mount it, so crowbarDMG runs single threaded, which essentially means a cracking speed of 1 password c/s. Yeah, slow. For my particular circumstance, this was fine. I figured I was only missing between 1 – 3 characters of the password anyway. A day of cracking, maybe two, and I’d be back in business. It was not to be. Then my fuzzy memory suggested I might be missing as much as 6 characters. If that be the case, by sheer math, at least multiple decades worth of cracking would be necessary at current speed. Time for Plan C. Twitter.
Having ~15,000 followers interested in computer security has its perks. Through the years I’ve come to expect a good percentage of them have a stinging sense of humor. Similar to the Google search, 99% of the responses received were sarcastic. This included one such retort from a friend who works in law enforcement computer forensics. I’m sure some tweets were funny, but I was in no laughing mood. I was freaked. A sense of futility and finality was setting in.
That was until Solar Designer, gat3way, Dhiru Kholia, and Magnum, the guys behind the infamous John the Ripper (JtR) password cracker answered my plea. Then Jeremi Gosney of Stricture Consulting Group graciously offered up the use of his mega hash cracking computing resources as well. You remember Stricture from their Ars article, they have an insane “25-GPU cluster cracks every standard Windows password in < 6 hours.” Collectively, these guys are amongst the world’s foremost experts in password cracking. If they can’t help, no one can. No joking around, they immediately dove right in.
Now, I couldn’t just share out my DMG for others to attempt to crack. Its enormous size basically precluded that. But even if I could, I wouldn’t. Given the sensitive nature of the data, I actually preferred the data lost than suffer any risk of a leak. Fortunately, JtR has something called dmg2john. dmg2john scrapes the DMG and provides output which can be cracked with JtR by others without putting the data at risk. Nice! Unfortunately, when I got there, dmg2john and JtR were broken when it came to DMGs. I provided the bug details to john-dev and john-users mailing list to replicate. The JtR developers had the issues fixed in a couple days. These guys are awesome.
Next step, send the dmg2john output of my DMG over to Jeremi at Stricture along with everything I think I remember about what my password might have been. Jeremi informs me of the next challenge, he’s only able to crack my DMG at a speed of ~100 c/s! At that rate it’s going to take a little over a decade worth of cracking to exhaust the password key space. I’m thinking this is very odd, it’s only maybe 6 extra characters tops. Jeremi explains why…
The reason it’s so slow is because your AES256-encrypted DMG uses 250,000 rounds of PBKDF2-HMAC-SHA-1 to generate the encryption key. The ludicrous round count makes it extremely computationally expensive, slowing down the HMAC-SHA1 process by a factor of 250,000.
My Xeon X7350 can crack a single round of HMAC-SHA1 at a rate of 9.3 million hashes per second. But since we are using 250,000 rounds, it means I was reduced to doing ~ 37 hashes per second. Using all four processors I was only able to pull about 104 hashes per second total (doesn’t scale perfectly.)
Once understanding this, Jeremi begins asking for more information about what the extra six or so characters in my password might have been. Were they all upper and lower case characters? What about digits? Any special characters? Which characters were most likely used, or not used? Every bit of intel helped a lot. We managed to whittle down an initial 41106759720 possible password combinations to 22472. This meant the total amount of time required to crack the DMG was reduced to 3.5 minutes on his rig.
Subsequently, Jeremi sent me what had to be one of the most relieving and frightening emails I’ve ever received in my life. Relieving because I recognized the password immediately upon sight. I knew it was right, but my anxiety level remained at 10 until typing it in and seeing it work. I hadn’t touched my precious data in weeks! It was a tender moment, but also frightening because, well, no security professional is ever comfortable seeing such a prized password emailed to them from someone else. When/if that happens, it typically means you are hacked and another pain awaits.
Interestingly, in living out this nightmare, I learned A LOT I didn’t know about password cracking, storage, and complexity. I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.
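The arithmetic behind the figures quoted above, as an added example (not code from the original post or from John the Ripper): it derives the guess rate from the round count, reproduces the two time estimates, and works out how many PBKDF2 rounds a given keyspace needs to stay out of reach. The helper names are hypothetical, and the salt and 20-byte derived-key length in the local benchmark are constructed, not taken from the DMG format.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures quoted on the page.
SINGLE_ROUND_RATE = 9_300_000    # HMAC-SHA1 per second on one Xeon X7350
ROUNDS = 250_000                 # PBKDF2-HMAC-SHA-1 rounds on the AES-256 DMG
MEASURED_RATE = 104              # guesses per second using all four processors
FULL_KEYSPACE = 41_106_759_720   # candidates before narrowing
REDUCED_KEYSPACE = 22_472        # candidates after narrowing


def guesses_per_second(single_round_rate, rounds, workers=1, efficiency=1.0):
    """Password guesses per second when each guess costs `rounds` HMAC calls."""
    return single_round_rate / rounds * workers * efficiency


def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def mask_keyspace(charset_sizes):
    """Candidates left when each unknown position is limited to one charset."""
    total = 1
    for size in charset_sizes:
        total *= size
    return total


def rounds_for_target(keyspace, single_round_rate, target_seconds):
    """Smallest round count that makes exhausting `keyspace` take the target."""
    return math.ceil(target_seconds * single_round_rate / keyspace)


def measure_local_rate(rounds, samples=2):
    """Time hashlib's PBKDF2-HMAC-SHA1 on one core of this machine."""
    salt = os.urandom(20)  # constructed salt, not read from any disk image
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", b"guess-%d" % i, salt, rounds, dklen=20)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    one_cpu = guesses_per_second(SINGLE_ROUND_RATE, ROUNDS)
    print(f"one processor: {one_cpu:.1f} guesses/s")
    print(f"scaling efficiency on four: {MEASURED_RATE / (4 * one_cpu):.0%}")
    years = seconds_to_exhaust(FULL_KEYSPACE, MEASURED_RATE) / SECONDS_PER_YEAR
    minutes = seconds_to_exhaust(REDUCED_KEYSPACE, MEASURED_RATE) / 60
    print(f"full keyspace: {years:.1f} years, reduced: {minutes:.1f} minutes")
    # Six unknown characters drawn from upper, lower and digits (62 symbols).
    six_alnum = mask_keyspace([62] * 6)
    needed = rounds_for_target(six_alnum, SINGLE_ROUND_RATE, 10 * SECONDS_PER_YEAR)
    print(f"rounds for 10 years against 62^6 on one processor: {needed}")
    print(f"this machine: {measure_local_rate(ROUNDS):.1f} guesses/s per core")
```

The round count only multiplies the cost of each guess, so every fact an attacker learns about the password's structure divides the remaining work by the same factor the defender paid for.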
Now, after telling everyone a few of my best tricks and enduring an awful deficiency in one of them, I’ll obviously have to change things up a bit. Clearly I need paper backup, and thinking maybe about giving it to my attorney for safekeeping where it’ll enjoy legal privilege protection. We’ll see.
In the meantime, I can’t thank the John the Ripper guys and Jeremi from Stricture Consulting enough. If you need a password cracked, for personal and professional reasons, this is where you look to.
Forgetting your Windows password is one of the most unpleasant experiences in the world. It ranks somewhere between stubbing your toe on the table and having to eat a dead frog. Most people who have forgotten their Windows 10 password simply assume that the only way out of this predicament is to reinstall Windows from scratch. This is not at all true. There are actually several ways in which you can unlock your Windows 10 computer with or without additional tools.
Unfortunately, some of them come with their own set of disadvantages. Some of them are quite complex to execute and require knowledge of command line work. Some require more than one utility to complete the entire process. Other methods might be unreliable or play havoc with your data, and so on. But if you don't want to lose all your data doing a reinstallation of Windows 10, then the next best thing is to see what methods and tools are available as alternatives. Let us first look at the methods that do not require any additional software.
Part 1: Guess the Password (Local User Account)
If you are like the majority of Windows users around the world, it is very likely that you have used a password that is easy to remember or guess. Start off the guessing process by analysing the passwords that you have used for some of your other accounts, such as your internet banking account, your Facebook, Gmail and so on. Most of the time, when you do this, you will see a pattern emerging. This pattern will tell you what password you most likely used for your Windows 10 computer. It could be something like your date of birth in a particular sequence, the name of some relative, the name of an old company that you used to work for, the name of your school or college, or any one of those. Most probably it will be a variation of one of these things or a combination of them.
If you are able to guess your password this way, this is probably the best way to unlock your Windows 10 computer. There is also another way to get in, but as you will see it has its own disadvantages.
Part 2: How to Unlock Administrator Account Windows 10/8/7
Another way to access a locked Windows computer is to create a new user and add them to the administrator group. This will let you get into your PC, after which you can change the password for the locked user account using some basic command line executions.
The one disadvantage is that you will need a Windows 10 installation disk to use this method. If you upgraded to Windows 10 from an older version through an over-the-air update, you might not have the disk, in which case you will need to create one by downloading the appropriate ISO file from Microsoft's website and then creating the bootable media using your native ISO burning utility.
Step 1: The purpose of using the Windows 10 installation disk is not to reinstall Windows 10, but to be able to access the command prompt where you will be adding the new administrator account. Insert the disk and boot up from the inserted media rather than the default installation. You can change the boot order by pressing F2 (or other specified key) to enter the boot menu.
Step 2: You will now need to access command prompt by simultaneously pressing the Shift + F10 keys during the Windows setup process.
Step 3: Once you see the command prompt, you will need to execute three commands, as shown below:
move d:\windows\system32\utilman.exe d:\windows\system32\utilman.exe.bak
copy d:\windows\system32\cmd.exe d:\windows\system32\utilman.exe
wpeutil reboot
Step 4: You will now see the sign-in screen, where you will need to press the Ease of Access icon to open up another command prompt dialogue. In this dialogue, you will need to execute the two following lines (again, without quotes):
net user /add [username] [password]
net localgroup administrators [username] /add
Step 5: You will now be able to restart your PC and enter using the newly created administrator account. However, you must first execute one last command to replace the original utilman.exe file. You can use the following command to do this:
copy d:\windows\system32\utilman.exe.bak d:\windows\system32\utilman.exe
Step 6: Once you create the administrator account and access your Windows 10 PC this way, you need to open the command prompt again to reset the password for your locked user account. To do this, execute the following line of command on the command prompt:
net user user_name new_pwd
Step 7: In the above command, replace user_name with your locked user account, and replace new_pwd with a new password for that account. You will now be able to access your locked user account with this new password.
Note: If you find this method too complicated for your liking, then you can explore other methods to unlock your Windows 10 computer. Two of these methods have been described below.
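A check for the traces this procedure leaves on disk, as an added example (not part of the original article): it flags a system32 directory where utilman.exe is byte-identical to cmd.exe, or where the utilman.exe.bak copy from step 3 is still present after the restore in step 5. The function names are hypothetical and the sample directories are constructed with placeholder bytes so the script runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_system32(system32, target="utilman.exe"):
    """Return findings that show the swap from steps 3 to 5 happened here."""
    # Windows file names are case-insensitive; an offline mount may not be.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    cmd, tool = files.get("cmd.exe"), files.get(target)
    if tool is None:
        findings.append(f"{target} is missing")
    elif cmd is not None and sha256_file(tool) == sha256_file(cmd):
        findings.append(f"{target} is byte-identical to cmd.exe")
    if target + ".bak" in files:
        findings.append(f"{target}.bak left behind")
    return findings


def build_sample(root, state):
    """Constructed stand-in for a system32 directory (placeholder bytes)."""
    root = Path(root)
    cmd_bytes, utilman_bytes = b"constructed cmd.exe", b"constructed utilman.exe"
    (root / "cmd.exe").write_bytes(cmd_bytes)
    swapped = state == "swapped"           # state right after step 3
    (root / "Utilman.exe").write_bytes(cmd_bytes if swapped else utilman_bytes)
    if state in ("swapped", "restored"):   # step 5 copies, so .bak remains
        (root / "utilman.exe.bak").write_bytes(utilman_bytes)
    return root


def demo():
    """Audit the three constructed states and return the findings for each."""
    results = {}
    for state in ("clean", "swapped", "restored"):
        with tempfile.TemporaryDirectory() as tmp:
            results[state] = audit_system32(build_sample(tmp, state))
    return results


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, "->", findings or "no findings")
```

Because step 5 uses copy rather than move, the .bak file and the administrator account added in step 4 both remain after the original binary is restored, so they are worth checking even when the hashes no longer match.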
Part 3: Unlock Windows 10/7/8 Password with Androidphonesoft
This method is very much like the Linux Live CD method but much, much simpler. For example, you do not need another ISO burning utility to create the password reset disc. This functionality is already built into Androidphonesoft Windows Password Recovery for the sake of the user's convenience.
It has been extensively tested on all the popular models of Windows 10 PCs, laptops and tablets. It also works effortlessly with older versions of Windows, and it is one of the few such software applications that has a 100% password recovery rate. It is trusted by millions of Windows users all around the world, and when you see how easy the steps to bypass Windows password.
Step 1 Install Windows Password Recovery
On a different PC, download this program and install it. Then insert a USB drive or a writable DVD/CD into the optical drive of the PC and launch the application.
Step 2 Burn ISO Image to USB or DVD
Choose the appropriate ISO burning option and click on the Burn button next to it. Your reset disk will now be ready in a few moments. Now remove the disk from this other PC and insert it into your locked Windows 10 machine.
Step 3 Boot from Locked Computer
Boot up your Windows 10 PC from the bootable media as described in the section for Linux Live CD. When you see the PassMoz LabWin interface, select the appropriate OS version and the user account that is locked.
Step 4 Reset Windows 10/8/7 Admin Password Instantly
Click on the 'Reset Password' button, and subsequently the Reboot button, and that's all there is to it. You may now remove the password reset disk and restart your computer, and you will be able to access your user account without requiring a password.
Part 4: Linux Live CD (Windows Password Unlocker)
You can also reset a Windows 10 password using the Linux Live CD method, and for this you will need an Ubuntu Live CD. You can also use a Kali Live USB, but let's use Ubuntu Live CD method for this example. This involves creating a password reset disk using Ubuntu, which you can then use to unlock your computer by resetting the password.
Since you do not have access to the computer at this point, the first two steps to create the password reset disk will need to be executed on a different PC with admin rights. Here is the process described:
Step 1: Download Ubuntu desktop (ISO file). The current version is 18.04 LTS (long-term support) for desktops and laptops.
Step 2: You can now use an ISO burning utility like ImgBurn to create the bootable disk to unlock your main Windows 10 PC. The disk with the bootable media is your Linux or Ubuntu Live CD.
Step 3: Remove this disk from the other computer and insert it into your locked Windows 10 PC. You will now need to boot up the machine from this disk. To do this, you will need to change the boot order during the boot up process by pressing a special key like F2, Del or Esc. Once you have changed the boot order, in a few moments you should be able to see the Ubuntu Live window. Click on the first option, which says 'Try Ubuntu'.
Step 4: Now go into System Settings, find the option that says Software and Updates, and click on it. On the Ubuntu Software tab, you will need to tick the checkbox next to where it says 'Community-maintained free and open-source software (universe)'.
Step 5: Close the current window and click the Reload button on the next popup. You can now open a terminal and type in the following command: sudo apt-get install chntpw
Step 6: Now go to this location: Windows\System32\Config, then right click somewhere on an empty white space and click on 'Open in Terminal'.
Step 7: This will give you a list of all the user accounts on that machine. In order to reset a password for a particular user account, type in the following command (no quotes): chntpw -u user_name SAM
Step 8: You will now need to type the numeral 1 and press Enter. This will clear the password for the specified user account. Now type the letter q and press Enter once again. Finally, type the letter y and hit Enter again to confirm the changes. You may now remove the Ubuntu Live CD and reboot your computer. You will be able to access the previously locked user account without requiring a password.
As you can see this is a fairly complicated process, so if you are a novice user you may not be comfortable using this method to unlock your Windows 10 computer. If you want a much simpler method, see the final option below.
Summary
As you can see, you don't need to reinstall Windows 10 if you have forgotten your password. These effective methods described above can get you access in different ways. Depending on your level of comfort with the technical aspects of each method, choose an appropriate technique or utility and proceed to unlock your Windows 10 computer.