Category Archives: Security

How to wrap basic HTTP authentication with PHP

Suppose you have a file hosted on an Apache server that is protected by Basic HTTP Authentication, often via an old-school ‘.htaccess’ file, to prevent anonymous users from downloading it without a valid username/password. Then someone asks you to wrap that protected file download with some kind of GUI, maybe a simple HTML form to gather some standard user data (e.g. name and email address). The trouble is that once the user has submitted the form, they are then prompted separately by the browser to enter a username/password for the HTTP authentication, and this two-step process is a bad user experience and looks unprofessional. What you really want to do is ask the user for the username and password as part of the first form, and then supply those credentials behind the scenes so the download starts as soon as the form has been submitted. I was recently asked to solve this exact problem, and there simply wasn’t time to address it properly with a nicer solution.

So here is a simple way to pass in credentials for Basic HTTP Authentication from a PHP download script. You must have the PHP “Client URL Library” (“cURL”) extension installed on the web server hosting the PHP script.

If you just want to download the complete working script, you can get it from my GitHub Gist. If you’d like to read about some of the details, please continue…


Unlock your TrueCrypt Encrypted Device without the Exact Password

So here’s the rather embarrassing story…

A couple of years ago, I encrypted a USB stick using TrueCrypt encryption to store some important/valuable files. I then put it in my bag and forgot about it. This weekend I came back to it and realised I had forgotten the password. I could remember using a combination of a couple of other passwords for increased security, but I couldn’t remember which passwords I had used, or in what order or combination. After numerous manual attempts to find the right combination, I gave up, resigned to the fact that I would just have to wipe the device and start again.

Then something occurred to me – “Hang on a minute, I’m a programmer!”. And then I thought “How could I lose such an important password?”. Since I encrypted this USB stick, I’ve become a disciplined user of KeePass and LastPass, and to be fair this is the only password not in my password database. But still, it must be possible for me to solve this problem.

The first piece of the puzzle was the command-line interface to the Windows version of TrueCrypt. This is more than adequate to be wrapped with a script. The second piece of the puzzle was the itertools Python module, which provides some very nice functions for iterating over various permutations/combinations of values.

So the stage was set – how easy will it be to write a Python script to solve this problem? It turns out the answer is pretty easy. I found the itertools.product() function to be the best fit for my requirements, as it will generate the Cartesian product of an iterable list of possible password components with itself, giving me every possible combination of the specified password components.

The other critical part of my solution was discovering the right combination of command-line arguments to provide TrueCrypt. Here is the magic Python statement, which will attempt to mount the specified device as drive letter “T:” using the given password in a non-interactive manner:

truecrypt_command = "\"%s\" /q /s /v %s /lT /m ro /a /p \"%s\" /b" % ( truecrypt_exe, truecrypt_device, password )

The rest was just glue code to read in the list of possible password components from a separate text file, and then loop over every possible combination/permutation until the password is found (or we run out of options).

Good news – the script works, and it found my missing password! The script is very basic and still uses some hard-coded settings, but you can download TrueCryptPasswordHunter.py if you think it will be of any use to you. It was written and tested with Python v2.7.3 32 bit on a Windows 7 64 bit machine.

Usage

Create a text file called password_components.txt in the same directory as the script, and populate it with possible password components, one per line. For example, if you think your missing password might be “monkeydoghorse” or “horsedogmonkey”, or something similar, then your password components file should contain the following:

monkey
dog
horse

Then just run the script and cross your fingers.
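As an added example (not the author's TrueCryptPasswordHunter.py, and written for Python 3 rather than 2.7), here is the approach described above end to end: the components are read from password_components.txt, itertools.product enumerates every ordered arrangement of 1..N components, and each candidate is handed to TrueCrypt with the same switches as the statement quoted above. The TrueCrypt executable and device paths are placeholders, and it is assumed that TrueCrypt exits with status 0 only when the volume mounted.

```python
import itertools
import subprocess
from typing import Callable, Iterable, Iterator, List, Optional

def load_components(path: str = "password_components.txt") -> List[str]:
    """Read one password component per line, skipping blank lines."""
    with open(path, encoding="utf-8") as f:
        return [line.strip() for line in f if line.strip()]

def candidate_passwords(components: Iterable[str], max_parts: int) -> Iterator[str]:
    """Yield every ordered arrangement of 1..max_parts components (repeats allowed):
    the Cartesian product of the component list with itself, as the post describes."""
    comps = list(components)
    for n in range(1, max_parts + 1):
        for combo in itertools.product(comps, repeat=n):
            yield "".join(combo)

def search_space(n_components: int, max_parts: int) -> int:
    """Worst-case number of mount attempts: a quick feasibility check before starting."""
    return sum(n_components ** n for n in range(1, max_parts + 1))

def truecrypt_mount_command(exe: str, device: str, password: str, drive: str = "T") -> List[str]:
    """Same switches as the post's statement, as an argv list (no shell, no quoting bugs).
    Note: /p places the password on the command line, where other local processes can read it."""
    return [exe, "/q", "/s", "/v", device, f"/l{drive}", "/m", "ro", "/a", "/p", password, "/b"]

def try_mount(cmd: List[str]) -> bool:
    """Assumption: TrueCrypt returns exit status 0 only when the volume was mounted."""
    return subprocess.run(cmd).returncode == 0

def hunt(components: Iterable[str], max_parts: int, attempt: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate for which attempt() succeeds, or None if none does."""
    for pw in candidate_passwords(components, max_parts):
        if attempt(pw):
            return pw
    return None

if __name__ == "__main__":
    # Placeholder paths: adjust for the machine and the encrypted device in question.
    exe, device = r"C:\Program Files\TrueCrypt\TrueCrypt.exe", r"\Device\Harddisk1\Partition1"
    comps = load_components()
    print(f"up to {search_space(len(comps), len(comps))} attempts")
    found = hunt(comps, len(comps), lambda pw: try_mount(truecrypt_mount_command(exe, device, pw)))
    print("found:", found if found else "no match")
```

The `attempt` callback is separated from the generator so the enumeration can be checked without a TrueCrypt install; with three components the worst case is 39 attempts, which grows quickly with every component added.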