Bruteforcing Linux Full Disk Encryption (LUKS) with hashcat

(@patrick-bell)
Posts: 9
Active Member
Topic starter
 

Hi,

I've written another write-up on how to bruteforce LUKS volumes using hashcat, how you can mount a LUKS partition, and how we can image it once it's decrypted.

You can read it here:
http://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html

I hope it's useful to someone.

If you have any feedback, I'd appreciate it.

Thanks,
Patrick

 
Posted : 10/02/2018 11:43 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Very, very, nice :) , thanks.

A couple of notes/suggestions, if I may:

1) I do like the practical and "hands on" approach you have :) , and the very specificity of naming exactly the programs used and the exact procedures used, but the suggestion of using FTK Imager to extract 2 MB or so from a RAW file and "stop it as soon as possible, then delete excess files" seems to me like (while an ingenious idea :) ) "pure folly" 😯 .
I mean, if the audience is people interested in digital forensics, they should already have - besides each and every available dd and dd-like program - any number of suitable hex editors and/or other programs with that capability.
If you prefer, FTK Imager should IMHO be marked as optional, as Encase is, maybe providing a few suggestions for Windows users, including FTK Imager itself, but focusing more on the steps needed (finding the offset to the beginning of the encrypted partition and getting the first two MB out of it).

2) The time needed to "bruteforce" with hashcat, 18 seconds total from the screenshot, is of course "unreal", as you correctly stated; what you actually did for the sake of the example was to supply a dictionary with just the correct password, so it is hardly "bruteforcing", it is more like "entering the correct password".
Actual bruteforcing will likely take days or weeks, with no guarantee whatsoever of success.
Maybe you could add a more visible note/warning to that effect just under the screenshot of the Hashcat run, or less experienced users may somehow assume that decrypting a LUKS volume is "almost instantaneous" and "guaranteed".

jaclaz

 
Posted : 10/02/2018 1:18 pm
(@patrick-bell)
Posts: 9
Active Member
Topic starter
 

Hi,

Thanks for your feedback!

You're absolutely right about the FTK method for grabbing the header being pure folly. I was smiling broadly to myself while I was writing it, thinking it was silly, but I wanted to show an alternative to dd. I've taken your suggestion of marking FTK Imager as optional :) .

I've noted your second point and amended that bit to include a paragraph about how difficult bruteforcing is, and stated my preferred method. Perhaps I was wrong to entitle the post "Bruteforcing LUKS" and would have been better with "Cracking LUKS" to save any confusion.

Thanks again

 
Posted : 10/02/2018 1:53 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Why not just use the cryptsetup command to create the LUKS header?

cryptsetup luksHeaderBackup LUKS_Partition.001 --header-backup-file LUKS_Header.dd

 
Posted : 12/02/2018 10:07 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Also, you go to the effort of extracting the LUKS header but then run hashcat across the whole partition…

 
Posted : 12/02/2018 10:41 am
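As an added example (my code, not from the thread or from Patrick's write-up) that serves both jaclaz's point about locating the encrypted partition's offset and carving its first 2 MB, and AmNe5iA's point that the header is what the cracker needs rather than the whole partition: this Python locates a LUKS1 header in a disk image, decodes its fields, and computes how many bytes after the header start are needed to cover every active key slot's key material. The sample image, cipher parameters and key-slot layout are constructed for illustration (the layout mimics cryptsetup's placement for 64-byte keys).

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
HDR_FMT = ">6sH32s32s32sII20s32sI40s"   # LUKS1 phdr, 208 bytes, big-endian
SLOT_FMT = ">II32sII"                   # one key slot, 48 bytes; 8 slots follow the phdr
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR = 512

def find_luks_offset(image: bytes) -> int:
    """Byte offset of the first sector-aligned LUKS1 magic in the image, or -1."""
    pos = image.find(LUKS1_MAGIC)
    while pos != -1 and pos % SECTOR:
        pos = image.find(LUKS1_MAGIC, pos + 1)
    return pos

def parse_luks1_header(image: bytes, offset: int) -> dict:
    """Decode the 592-byte LUKS1 header at `offset` (fields per the LUKS1 on-disk format)."""
    (magic, ver, cipher, mode, hashspec, payload, key_bytes,
     _mk_digest, _mk_salt, mk_iters, _uuid) = struct.unpack_from(HDR_FMT, image, offset)
    if magic != LUKS1_MAGIC or ver != 1:
        raise ValueError("no LUKS1 header at offset %d" % offset)
    slots = []
    for i in range(8):
        act, iters, _salt, kmo, stripes = struct.unpack_from(SLOT_FMT, image, offset + 208 + 48 * i)
        slots.append({"slot": i, "active": act == SLOT_ACTIVE, "iterations": iters,
                      "key_material_sector": kmo, "stripes": stripes})
    strip = lambda b: b.rstrip(b"\0").decode()
    return {"cipher": strip(cipher), "mode": strip(mode), "hash": strip(hashspec),
            "payload_sector": payload, "key_bytes": key_bytes, "mk_iterations": mk_iters,
            "slots": slots}

def bytes_to_carve(hdr: dict) -> int:
    """Bytes from the header start that cover every active slot's AF-split key material
    (stripes * key_bytes); this, not the whole partition, is what a header-based attack needs."""
    ends = [s["key_material_sector"] * SECTOR + s["stripes"] * hdr["key_bytes"]
            for s in hdr["slots"] if s["active"]]
    return max(ends, default=592)

def build_sample_image(active=(0, 1), prefix=1 << 20) -> bytes:
    """Constructed image: `prefix` zero bytes, then a LUKS1 header (aes-xts-plain64, sha256,
    64-byte keys) whose slot n key material sits at sector 8 + 504*n, as cryptsetup lays it out."""
    hdr = struct.pack(HDR_FMT, LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                      b"\0" * 20, b"\x11" * 32, 100000, b"constructed-uuid")
    for i in range(8):
        hdr += struct.pack(SLOT_FMT, SLOT_ACTIVE if i in active else SLOT_DISABLED,
                           250000 if i in active else 0, b"\x22" * 32, 8 + 504 * i, 4000)
    return b"\0" * prefix + hdr
```

With all eight slots active the carve size for this layout comes to just under 2 MiB, which is where the "first two MB" rule of thumb comes from; fewer active slots need correspondingly less.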
(@nodecaf)
Posts: 5
Active Member
 

Thank you for the write-up! We've been exploring other options outside of Passware for LUKS because the speeds we're getting are just abysmal (only 13k/sec running 30-odd agents, all with multiple GPUs…yeek).

(One extremely minor error: you said the Macbook was running iOS instead of OSX/macOS.)

 
Posted : 12/02/2018 1:57 pm
(@patrick-bell)
Posts: 9
Active Member
Topic starter
 

Why not just use the cryptsetup command to create the LUKS header?

cryptsetup luksHeaderBackup LUKS_Partition.001 --header-backup-file LUKS_Header.dd

Seems like a good way to do it. The reason why is that I didn't know. So thanks!

 
Posted : 13/02/2018 5:28 pm
(@patrick-bell)
Posts: 9
Active Member
Topic starter
 

(One extremely minor error: you said the Macbook was running iOS instead of OSX/macOS.)

My pleasure, I hope it helps! And thanks, I've corrected it now.

 
Posted : 15/02/2018 7:05 pm