filed under: security hacks
[Dogbert] took a look at the security that goes into BIOS passwords on many laptops. He starts off with a little background about how the systems work. People are bound to forget their passwords, so when you enter a wrong one three times in a row you get a message similar to the one above that locks you out until all power is removed from the system (then you get three more tries). But check out that five-digit number in the picture. That’s a checksum of the password. Some BIOS versions display it automatically, some require you to hold down a certain key during POST, but it’s the pivotal data needed to crack the password.
[Dogbert's] post doesn’t go into verbose detail about the algorithms he uses to brute force the passwords. But he has posted the Python scripts he uses to do so. Learning how to generate the passwords based on the checksum is as simple as studying the code, which is often the best way to learn.
tagged: checksum, laptop, password, python, bios, bruteforce
Saturday, May 2, 2009
The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, there are no new penalties such as additional passwords, locks and so on. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing. Another method commonly used is that instead of a checksum, a number is displayed from which a randomly generated password can be calculated. Quite often, vendors also resort to storing the password in plain text, and instead of printing out just a checksum, an encrypted version of the password is shown. Either way, my scripts can be used to derive valid passwords from the hash.
Some vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (see other post). HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.
Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying them all and finding the right one. This is an overview of the algorithms that I took a look at so far:
| Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
|---|---|---|---|
| Compaq | 5 decimal digits | 12345 | pwgen-5dec.py |
| Dell | serial number | 1234567-595B | |
| Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py |
| Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py |
| Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py |
| Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py |
| Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py |
| Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py |
| Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py |
| Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py |
The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.0!) and run the .py scripts directly by double-clicking them.
Please comment on which makes/models the scripts work on and which they don't. Also, be aware that some vendors use other schemes to handle the passwords - among them are e.g. IBM/Lenovo. You are then at the mercy of their service.
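The following is an added illustration of the design flaw the write-up and the quoted post describe; it is not code from Hackaday, from [Dogbert]'s scripts, or from any vendor. The checksum function is constructed for teaching purposes only (no real BIOS uses it), and the alphabet, password length and the sample secret `kiwi` are assumptions. What it shows is the property that makes the displayed number "pivotal": a five-decimal-digit checksum has only 10^5 possible values, so even a tiny candidate space maps several passwords onto every value, and finding one that matches is an offline enumeration that the three-tries-then-power-cycle lockout never sees, because that lockout only counts attempts typed at the keyboard.

```python
# Added teaching example; the checksum below is CONSTRUCTED and is not any
# vendor's real algorithm or [Dogbert]'s code.
from itertools import product
import string

MODULUS = 100_000                 # five decimal digits, like the "12345" hash codes in the table
LOWER = string.ascii_lowercase    # assumed candidate alphabet for the demonstration


def toy_checksum(password: str) -> int:
    """Constructed 5-decimal-digit checksum: a position-weighted byte sum.

    It stands in for a firmware password checksum in the one property that
    matters here: the output space is 10**5 regardless of password length.
    """
    total = 0
    for i, byte in enumerate(password.encode("ascii"), start=1):
        total = (total * 31 + byte * i) % MODULUS
    return total


def find_preimages(target: int, alphabet: str = LOWER, length: int = 4) -> list:
    """Return every `length`-character password over `alphabet` whose checksum is `target`.

    This is the entire offline search: nothing is typed into the machine until a
    match is already in hand, so the on-device attempt counter never increments.
    """
    hits = []
    for chars in product(alphabet, repeat=length):
        candidate = "".join(chars)
        if toy_checksum(candidate) == target:
            hits.append(candidate)
    return hits


def expected_preimages(alphabet_size: int, length: int, modulus: int = MODULUS) -> float:
    """Average number of candidate passwords per checksum value (pigeonhole count)."""
    return alphabet_size ** length / modulus


def checksum_accepts_all(hits: list, target: int) -> bool:
    """Every preimage is accepted, because the check only ever compares checksums."""
    return all(toy_checksum(h) == target for h in hits)


if __name__ == "__main__":
    secret = "kiwi"                     # assumed owner password; the search never uses it
    shown = toy_checksum(secret)        # the number the firmware would print after the third failure
    print(f"displayed checksum: {shown:05d}")
    print(f"expected preimages in {len(LOWER)}^4 space: {expected_preimages(len(LOWER), 4):.2f}")
    hits = find_preimages(shown)
    print(f"passwords the checksum would accept: {hits}")
    print(f"all accepted: {checksum_accepts_all(hits, shown)}")
```

The design point for anyone evaluating a firmware or device password scheme: a verifier that reveals a short, unsalted digest of the secret to an unauthenticated user has converted an online, rate-limited guess into an offline computation, and with 26^4 = 456,976 four-letter candidates against 100,000 possible values, roughly 4.6 distinct passwords collide on any given checksum, so the original password need not even be recovered.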