Loop Aes Debian How tos
Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat
by Patrick Bell
This walk-through will show you how to Bruteforce LUK volumes using hashcat, how you can mount a LUK partition, and how we can image it once it's decrypted.
Scenario: You’ve got a Macbook in. MacOS has been removed and Debian 9.0 has been installed. The suspect is using LUKS (Linux Unified Key Setup) full disk encryption to encrypt the disk. Password is unknown and we need a forensically sound method to access the data. This is how I’d do it:
Skip to step 5 to just see the hashcat step.
Skip to step 6 just to see the mounting and imaging.
1. Image the Macbook and load into EnCase
Imaging the hard drive can be done forensically sound via thunderbolt, another Mac, and target disk mode. This is fairly easy and common so won't be detailed here.
Once we have an evidence file loaded into EnCase we can see that the boot partition is visible but hda2 appears as Unallocated Clusters in an EXT2 partition.
We can see however the LUKS header, which is telling us it is AES encrypted using XTS-plain64.
2. Export the encrypted partition
To decrypt and mount this we need to export out the encrypted partition as a raw image. I found the easiest way to do this was using FTK Imager, either by mounting the partition in as emulated disk with EnCase or more easily by just loading the image file into FTK Imager.
Once loaded, right click on the encrypted partition and choose “Export Disk Image”.
Set your fragmentation to 0.
3. Partition header - Hashcat ‘hash’ file.
We will be using hashcat, a password cracking software available for both Windows and Linux.
Usually hashcat works by cracking a hashed copy of a password, so we would normally load in a single hash or a list of hashes in a text file.
LUKS is different in that it does not store this master key used to encrypt the data in one location. Rather is it stored in Anti-forensic (AF) Stripes. AF stripes cause the key to be stored across a larger disk area so that overwriting one stripe causes all the data to be lost. Darell Tan has an excellent write up and explanation of this.
This is to say that we therefore need to run hashcat over the partition, with hashcat being clever enough to locate all these stripes. Luckily hashcat only needs around the 1st 2MB to crack the password, which means we can make it much more portable by segmenting this away.
You can create a 2MB header using FTK imager by fragmenting the image to 2MB, canceling the imaging as quickly as you can, deleting the 100 or so 2mb fragments created and leaving just the first one. Alternatively, when you've moved the full partition to Linux you can use this dd command:
The FTK way:
Fragmentation set to 2.
If you prefer the dd method:
Now we're going to use hashcat. This step can be done in either Windows or Linux, but for the sake of convenience I'm using Linux as we’ll need that to decrypt the partition and mount it.
You’ll need a copy of hashcat 3.5+, either set as a variable on your system or just extracted into the folder you’re working from like I did.
Hashcat has many options to cracking a password, from straight bruteforcing to dictionary attacks, rule based attacks and mask attacks.
While bruteforcing is the most common when it comes to cracking, it is the most inefficient, most likely taking months or centuries (or a millennium) to crack. Rule-based attacks and mask attacks can massively increase the effectiveness of your attack and dramatically lower the cracking time. They are the best way to crack, I recommend learning them. For more info look in the hashcat forums.
For the sake of this tutorial I already know the password for the container, so I am using a dictionary attack with a custom dictionary file (a text file with the password in). There are many good dictionary files you can use based on known passwords, Rockyou is a good one and can be downloaded along with others here.
Once you have the partition image and the header image copied to Linux and hashcat is ready, you want to run this command from the terminal, from the location your image files are.
This runs hashcat using a dictionary attack, using a dictionary called "Dictionary.txt"
The general hashcat syntax is:
In this instance:
You should see this result (I've obscured my password):
5. Decrypting the partition
Now we have the password we can decrypt the container! Using cryptsetup with the command:
Enter your admin password, then enter the LUKS password provided by hashcat. This will create a "file" of the decrypted partition at: / dev / mapper / Decrypted_partition. Using ls we can see it:
6. Mounting the partition
First create a location you want to mount it to:
if you try to mount it with:
You'll likely get the error of "mount: Unknown Filesystem type"
If so, just run:
This shows you the logical volumes in the decrypted partition and we can now mount the root partition with:
-r FOR READ ONLY!
We could also easily mount the swap partition using the same mkdir and mount command.
7. Browsing the data
We can now browse to the / mnt / Decrypted_partition and see our previously hidden data!
8. Imaging the de-crypted partition
Imaging the decrypted data is now easy using dd or even better dc3dd! But make sure you point it to / dev / mac-deb-vg. I used the command:
9. Viewing it in EnCase!
With the decrypted partition imaged, we can load it into EnCase or any other tool and see that the data is now readable.
Thanks again for reading. If you have any comments or suggestions, please comment them below!
About The Author
Patrick Bell is a Digital Investigator for West Yorkshire Police. Graduating in 2015 with a 1st Class Hons in Computer Forensics BSc, he is skilled in both mobile and computer examinations. You can contact him at: [email protected], find out more about his skills and experience on LinkedIn or follow his Practical Forensics blog.
- Interview in which Zayn says Niall is cute
- How much is Newport Cigarette Company worth
- 800 MBit s correspond to the number of GBit s
- Nano Aquarium Gravel Cleaner How To Use
- What does well-circumscribed knot meaning mean
- Decimal places of the XML schema when multiplying
- Magicjack app how it works
- What does it mean to pop a speedball
- How to format sony xperia c2305 flash
- Levitt houses where the stove is located
- Break bad 2x04 legendado what if money
- When your love hurts quotes and poems
- What does CssD stand for in medicine
- Hypnosis Secrets - Learning to Hypnotize Anyone, Somewhere
- Fully ported 461 heads which intake seal
- What is a magma sanitation system
- How to ungroup a JPG image converter
- What do dance choreographers do with wearable technology
- Samuel lee chern how
- What does maniac mean in Arabic
- How to Send Cartoon Network Fan Art
- Safeeka death in Indonesia as they eat
- What are uncredited liabilities
- Statik selektah what's up with zippyshare