Bruteforcing Linux Full Disk Encryption (LUKS) with hashcat

Post Posted: Sat Feb 10, 2018 5:43 am

Hi,

I've written another write-up: how to bruteforce LUKS volumes using hashcat, how you can mount a LUKS partition, and how we can image it once it's decrypted.

You can read it here:
http://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html

I hope it's useful to someone.

If you have any feedback, I'd appreciate it.

Thanks,
Patrick

Patrick.bell
Newbie

Re: Bruteforcing Linux Full Disk Encryption (LUKS) with hash

Post Posted: Sat Feb 10, 2018 7:18 am

Very, very nice, thanks.

A couple of notes/suggestions, if I may:

1) I do like the practical and "hands on" approach you have, and the very specificity of naming exactly the programs used and the exact procedures used, but the suggestion of using FTK Imager to extract 2 MB or so from a RAW file and "stop it as soon as possible, then delete excess files" seems to me like (while ingenious) "pure folly".
I mean, if the audience is people interested in digital forensics, they should already have, besides each and every available dd and dd-like program, any number of suitable hex editors and/or other programs with that capability.
If you prefer, FTK Imager should IMHO be marked as optional, as EnCase is, maybe providing a few suggestions for Windows users, including FTK Imager itself, but focusing more on the steps needed (finding the offset to the beginning of the encrypted partition and getting the first two MB out of it).

2) The time needed to "bruteforce" with hashcat, 18 seconds total from the screenshot, is of course "unreal", as you correctly stated; what you actually did for the sake of the example was to supply a dictionary with just the correct password, so it is hardly "bruteforcing", it is more like "entering the correct password".
Actually bruteforcing will likely take days or weeks, and with no guarantee whatsoever of success.
Maybe you could add a more visible note/warning to that effect just under the screenshot of the hashcat run, or less experienced users may somehow assume that decrypting a LUKS volume is "almost instantaneous" and "guaranteed".


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Bruteforcing Linux Full Disk Encryption (LUKS) with hash

Post Posted: Sat Feb 10, 2018 7:53 am

Hi,

Thanks for your feedback!

You're absolutely right about the FTK method for grabbing the header being pure folly. I was smiling broadly to myself while I was writing it, thinking it was silly, but I wanted to show an alternative to dd. I've taken your suggestion of marking FTK Imager as optional :).

I've noted your second point and amended that bit to include a paragraph about how difficult bruteforcing is and stated my preferred method. Perhaps I was wrong to entitle the post "Bruteforcing LUKS" and would have been better with "Cracking LUKS" to save any confusion.

Thanks again

Patrick.bell
Newbie

Re: Bruteforcing Linux Full Disk Encryption (LUKS) with hash

Post Posted: Mon Feb 12, 2018 4:07 am

Why not just use the cryptsetup command to create the LUKS header?

Code:
cryptsetup luksHeaderBackup LUKS_Partition.001 --header-backup-file LUKS_Header.dd

AmNe5iA
Senior Member

Re: Bruteforcing Linux Full Disk Encryption (LUKS) with hash

Post Posted: Mon Feb 12, 2018 4:41 am

Also, you go to the effort of extracting the LUKS header but then run hashcat across the whole partition...

AmNe5iA
Senior Member
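The two points raised above (find the partition offset and take the first 2 MB, then point hashcat at that header rather than at the whole partition) as one worked script. This is an added example, not code from the blog post or from anyone in this thread; the image path, partition number, output names, wordlist name and the helper function names are illustrative assumptions. It reads the partition start out of an MBR, carves 2 MiB with dd, checks the on-disk LUKS magic and version, and prints the hashcat command line (mode 14600 is hashcat's LUKS mode, -a 0 a dictionary attack) rather than running it, so the script works on a box without hashcat. On a Linux box with cryptsetup, `cryptsetup luksHeaderBackup` from the post above is the equivalent of the carve step.

```shell
#!/bin/sh
# Added example (not from the original write-up or this thread): carve the
# LUKS header out of a raw image and prepare a hashcat run against that
# header only. Paths, names and the partition number are assumptions.

# mbr_part_start IMAGE N  ->  prints the start LBA (512-byte sectors) of MBR
# primary partition N (0-3). The entry lives at byte 446 + 16*N; the start
# LBA is the little-endian 32-bit value at offset 8 within the entry.
mbr_part_start() {
    image=$1; n=$2
    set -- $(od -An -tx1 -j $((446 + 16 * n + 8)) -N 4 "$image")
    echo $(( (0x$4 << 24) | (0x$3 << 16) | (0x$2 << 8) | 0x$1 ))
}

# extract_luks_header IMAGE START_SECTOR OUT  ->  copies 2 MiB (4096 sectors)
# from the partition start into OUT. For a LUKS1 volume that covers the
# header and the key-slot area (default payload offset is 4096 sectors),
# which is everything the cracker needs; feeding it the whole partition
# only adds I/O for no gain.
extract_luks_header() {
    dd if="$1" of="$3" bs=512 skip="$2" count=4096 2>/dev/null
}

# luks_version FILE  ->  prints the on-disk LUKS version (1 or 2) if FILE
# starts with the magic "LUKS" 0xba 0xbe, else fails. hashcat's mode 14600
# targets LUKS1 headers; a version-2 header is a different on-disk format.
luks_version() {
    set -- $(od -An -tx1 -N 8 "$1")
    [ "$1$2$3$4$5$6" = "4c554b53babe" ] || return 1
    echo $(( (0x$7 << 8) | 0x$8 ))
}

# hashcat_cmd HEADER WORDLIST  ->  prints the invocation. Printed, not run:
# the run itself is the part that takes hours to weeks on a real wordlist.
hashcat_cmd() {
    echo "hashcat -m 14600 -a 0 '$1' '$2'"
}

# make_sample_image PATH  ->  constructed 4 MiB test image (not evidence from
# any case): an MBR whose first partition starts at LBA 2048 and, at that
# offset, a LUKS1 magic plus version field, so the functions above can be
# exercised offline.
make_sample_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=8192 2>/dev/null
    # entry 0: status 0, CHS 0, type 0x83, CHS 0, start LBA 2048, size 4096
    printf '\000\000\000\000\203\000\000\000\000\010\000\000\000\020\000\000' \
        | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    # "LUKS" 0xba 0xbe, then big-endian version 0x0001 at sector 2048
    printf 'LUKS\272\276\000\001' \
        | dd of="$img" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# demo  ->  locate partition 0, carve 2 MiB, confirm the magic, print the
# cracking command. Returns non-zero if no LUKS header sits at that offset.
demo() {
    make_sample_image /tmp/luks_demo.raw
    start=$(mbr_part_start /tmp/luks_demo.raw 0)
    extract_luks_header /tmp/luks_demo.raw "$start" /tmp/luks_demo.hdr
    ver=$(luks_version /tmp/luks_demo.hdr) \
        || { echo "no LUKS header at sector $start"; return 1; }
    echo "LUKS v$ver header found at sector $start"
    hashcat_cmd /tmp/luks_demo.hdr wordlist.txt
}

demo
```

On a real image, replace the constructed file with the acquired raw image and partition number; if the header check fails, the offset is wrong (GPT disks need the GPT entry, not the MBR slot) or the volume is not LUKS1, and neither is something hashcat will tell you clearly.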

Re: Bruteforcing Linux Full Disk Encryption (LUKS) with hash

Post Posted: Mon Feb 12, 2018 7:57 am

Thank you for the write-up! We've been exploring other options outside of Passware for LUKS because the speeds we're getting are just abysmal (only 13k/sec running 30-odd agents, all with multiple GPUs...yeek).

(One extremely minor error: you said the MacBook was running iOS instead of OS X/macOS)

nodecaf
Newbie

Re: Bruteforcing Linux Full Disk Encryption (LUKS) with hash

Post Posted: Tue Feb 13, 2018 11:28 am

- AmNe5iA
Why not just use the cryptsetup command to create the LUKS header?

Code:
cryptsetup luksHeaderBackup LUKS_Partition.001 --header-backup-file LUKS_Header.dd

Seems like a good way to do it. The reason why is: I didn't know. So thanks.

Patrick.bell
Newbie