Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat

by Patrick Bell

This walk-through will show you how to Bruteforce LUK volumes using hashcat, how you can mount a LUK partition, and how we can image it once it’s decrypted.

Scenario: You’ve got a Macbook in. MacOS has been removed and Debian 9.0 has been installed. The suspect is using LUKS (Linux Unified Key Setup) full disk encryption to encrypt the disk. Password is unknown and we need a forensically sound method to access the data. This is how I’d do it:

Requirements:


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Skip to step 5 to just see the hashcat step.
Skip to step 6 just to see the mounting and imaging.

1. Image the Macbook and load into EnCase

Imaging the hard drive can be done forensically sound via thunderbolt, another Mac, and target disk mode. This is fairly easy and common so won’t be detailed here.

Once we have an evidence file loaded into EnCase we can see that the boot partition is visible but hda2 appears as Unallocated Clusters in an EXT2 partition.

We can see however the LUKS header, which is telling us it is AES encrypted using XTS-plain64.

2. Export the encrypted partition

To decrypt and mount this we need to export out the encrypted partition as a raw image. I found the easiest way to do this was using FTK Imager, either by mounting the partition in as emulated disk with EnCase or more easily by just loading the image file into FTK Imager.

Once loaded, right click on the encrypted partition and choose “Export Disk Image”.

Set your fragmentation to 0.

3. Partition Header – Hashcat ‘hash’ file.

We will be using hashcat, a password cracking software available for both Windows and Linux.

Usually hashcat works by cracking a hashed copy of a password, so we would normally load in a single hash or a list of hashes in a text file.

LUKS is different in that it does not store this Master Key used to encrypt the data in one location. Rather is it stored in Anti-forensic (AF) Stripes. AF stripes cause the key to be stored across a larger disk area so that overwriting one stripe causes all the data to be lost. Darell Tan has an excellent write up and explanation of this.

This is to say that we therefore need to run hashcat over the partition, with hashcat being clever enough to locate all these stripes. Luckily hashcat only needs around the 1st 2MB to crack the password, which means we can make it much more portable by segmenting this away.

You can create a 2MB header using FTK imager by fragmenting the image to 2MB, cancelling the imaging as quickly as you can, deleting the 100 or so 2mb fragments created and leaving just the first one. Alternatively when you’ve moved the full partition to linux you can use this dd command:

sudo dd if=LUKS_Partition.001 of=LUKS_Header.dd bs=512 count=4079

The FTK way:

Fragmentation set to 2.

If you prefer the dd method:

4. Hashcat

Now we’re going to use hashcat. This step can be done in either Windows or Linux, but for the sake of convenience I’m using Linux as we’ll need that to decrypt the partition and mount it.

You’ll need a copy of hashcat 3.5+, either set as a variable on your system or just extracted into the folder you’re working from like I did.

Hashcat has many options to cracking a password, from straight bruteforcing to dictionary attacks, rule based attacks and mask attacks.

While bruteforcing is the most common when it comes to cracking, it is the most inefficient, most likely taking months or centuries (or a millennium) to crack. Rule-based attacks and mask attacks can massively increase the effectiveness of your attack and dramatically lower the cracking time. They are the best way to crack, I recommend learning them. For more info look in the hashcat forums.

For the sake of this tutorial I already know the password for the container, so I am using a dictionary attack with a custom dictionary file (a text file with the password in). There are many good dictionary files you can use based on known passwords, Rockyou is a good one and can be downloaded along with others here.

Once you have the partition image and the header image copied to linux and hashcat is ready, you want to run this command from the terminal, from the location your image files are.

This runs hashcat using a dictionary attack, using a dictionary called “Dictionary.txt”

./hashcat-3.5.0/hashcat64.bin -m 14600 -a 0 -w 3 LUKS_Partition.001 Dictionary.txt -o luks_password.txt

The general hashcat syntax is:

hashcat <METHOD> <HASH> <DICTIONARY> <OUTPUT>

In this instance:

-m = hash method - 14600 for LUK encryption
-a = Crack method - 0 for standard dictionary (3 for bruteforce)
-w = resource allocation - 3 for high
LUKS_Partition.001 = Encrypted partition
Dictionary.txt = dictionary
-o = output luks_password.txt

You should see this result (I’ve obscured my password):

5. Decrypting the partition

Now we have the password we can decrypt the container! Using cryptsetup with the command:

sudo cryptsetup luksopen LUKS_Partition.001 Decrypted_partition

Enter your admin password, then enter the LUKS password provided by hashcat. This will create a ‘file’ of the decrypted partition at: /dev/mapper/Decrypted_partition. Using ls we can see it:

6. Mounting the partition

First create a location you want to mount it to:

sudo mkdir /mnt/Decrypted_partition

if you try to mount it with:

sudo mount /dev/mapper/Decrypted_partition /mnt/Decrypted_partition

You’ll likely get the error of “mount: Unknown Filesystem type”

If so, just run:

sudo apt-get install lvm2

then:

sudo lvscan

This shows you the logical volumes in the decrypted partition and we can now mount the root partition with:

sudo mount /dev/macdeb-vg/root /mnt/Decrypted_partition –r

-r FOR READ ONLY!

We could also easily mount the swap partition using the same mkdir and mount command.

7. Browsing the data

We can now browse to the /mnt/Decrypted_partition and see our previously hidden data!

8. Imaging the de-crypted partition

Imaging the decrypted data is now easy using dd or even better dc3dd! But make sure you point it to /dev/mac-deb-vg. I used the command:

sudo dc3dd if=/dev/macdeb-vg/root of=/media/Patrick/KINGSTON/decrypted_partition.dd

9. Viewing it in EnCase!

With the decrypted partition imaged, we can load it into EnCase or any other tool and see that the data is now readable.

Thanks again for reading. If you have any comments or suggestions, please comment them below!

About The Author

Patrick Bell is a Digital Investigator for West Yorkshire Police. Graduating in 2015 with a 1st Class Hons in Computer Forensics BSc, he is skilled in both mobile and computer examinations. You can contact him at: [email protected], find out more about his skills and experience on LinkedIn or follow his Practical Forensics blog.

5 thoughts on “Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat”

  1. Nice article!
    Just one minor thing: your first dd-command seems to contain an error as ‘count=4079’ should probably read ‘count=4097’ as the size required by hashcat is 2MiB + 1 sector AFAIK.
    A quite convenient method to export this data with a forensic tool running on windows without any hazzle might be WinHex or Xways as it directly allows to define a block-start, jump a defined number of sectors (4097), define a the blocks end there and select ‘Edit’ -> ‘Copy Block’ -> ‘Into New File’ (also accessible by the shortcut CTRL + SHIFT + N).

  2. After grabbing the LUKS header from the LUKS partition, running Hashcat 6.2.4 and a few older versions of 4, I get “Invalid LUKS version. No hashes loaded” Any suggestions?

Leave a Comment

Latest Videos

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 11:00 am

In this episode of the Forensic Focus podcast, Si and Desi explore the cutting-edge technology of deepfake videos and image manipulation. In addition to discussing the latest technological developments and efforts being made to detect manipulated media, they also examine the associated legal and ethical implications.

Show notes:

Boris Johnson image - https://www.theguardian.com/politics/2023/jan/10/spot-the-difference-boris-johnson-appears-scrubbed-from-photo-posted-by-grant-shapps

Deep Fake Neighbour Wars - https://m.imdb.com/title/tt21371376/

Stalin image - https://www.history.com/news/josef-stalin-great-purge-photo-retouching

Nvidia eye contact AI - https://www.polygon.com/23571376/nvidia-broadcast-eye-contact-ai and https://www.youtube.com/watch?v=xl87WTDrReo

Birthday problem - https://en.wikipedia.org/wiki/Birthday_problem

Same frightening woman in AI images - https://petapixel.com/2022/09/09/the-same-frightening-woman-keeps-appearing-in-ai-generated-images/

Inherent mysogeny of AI portraits - https://www.theguardian.com/us-news/2022/dec/09/lensa-ai-portraits-misogyny

Midjourney - https://www.midjourney.org/

Deepfake porn legality - https://www.theverge.com/2022/11/25/23477548/uk-deepfake-porn-illegal-offence-online-safety-bill-proposal and https://www.technologyreview.com/2021/02/12/1018222/deepfake-revenge-porn-coming-ban/

AIATSIS - https://aiatsis.gov.au/cultural-sensitivity

Fake tiger porn story - https://www.dailydot.com/unclick/tiger-porn-britain-law/

Group photo with no blinking - https://www.countrylife.co.uk/comment-opinion/curious-questions-group-photo-179102

Emma Watson deefake audio - https://www.thetimes.co.uk/article/ai-4chan-emma-watson-mein-kampf-elevenlabs-9wghsmt9c

Domestika - https://www.domestika.org/en/courses/981-introduction-to-interviewing-the-art-of-conversation

Investigative Interviewing - https://www.amazon.co.uk/dp/0199681899?ref=ppx_pop_mob_ap_share

Forensic Focus events calendar - https://www.forensicfocus.com/events/

Si Twitter - https://twitter.com/si_biles

In this episode of the Forensic Focus podcast, Si and Desi explore the cutting-edge technology of deepfake videos and image manipulation. In addition to discussing the latest technological developments and efforts being made to detect manipulated media, they also examine the associated legal and ethical implications.

Show notes:

Boris Johnson image - https://www.theguardian.com/politics/2023/jan/10/spot-the-difference-boris-johnson-appears-scrubbed-from-photo-posted-by-grant-shapps

Deep Fake Neighbour Wars - https://m.imdb.com/title/tt21371376/

Stalin image - https://www.history.com/news/josef-stalin-great-purge-photo-retouching

Nvidia eye contact AI - https://www.polygon.com/23571376/nvidia-broadcast-eye-contact-ai and https://www.youtube.com/watch?v=xl87WTDrReo

Birthday problem - https://en.wikipedia.org/wiki/Birthday_problem

Same frightening woman in AI images - https://petapixel.com/2022/09/09/the-same-frightening-woman-keeps-appearing-in-ai-generated-images/

Inherent mysogeny of AI portraits - https://www.theguardian.com/us-news/2022/dec/09/lensa-ai-portraits-misogyny

Midjourney - https://www.midjourney.org/

Deepfake porn legality - https://www.theverge.com/2022/11/25/23477548/uk-deepfake-porn-illegal-offence-online-safety-bill-proposal and https://www.technologyreview.com/2021/02/12/1018222/deepfake-revenge-porn-coming-ban/

AIATSIS - https://aiatsis.gov.au/cultural-sensitivity

Fake tiger porn story - https://www.dailydot.com/unclick/tiger-porn-britain-law/

Group photo with no blinking - https://www.countrylife.co.uk/comment-opinion/curious-questions-group-photo-179102

Emma Watson deefake audio - https://www.thetimes.co.uk/article/ai-4chan-emma-watson-mein-kampf-elevenlabs-9wghsmt9c

Domestika - https://www.domestika.org/en/courses/981-introduction-to-interviewing-the-art-of-conversation

Investigative Interviewing - https://www.amazon.co.uk/dp/0199681899?ref=ppx_pop_mob_ap_share

Forensic Focus events calendar - https://www.forensicfocus.com/events/

Si Twitter - https://twitter.com/si_biles

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_i41eg24YGZg

Deepfake Videos And Altered Images - A Challenge For Digital Forensics?

Forensic Focus 13th February 2023 10:30 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...