Cracking linux full disc encryption, luks with hashcat.

Luks (linux unified key system), and dm-crypt are the standard that linux, and many others use for doing whole disk encryption. When implemented correctly, it can be nearly impossible to brute force. However when using a poor password or a shared password, it can fail horribly.

For this example we will create our own luks container using the standard process, and a terrible password. Then we will extract the header and using open source hashcat, crack the password quickly and easily. There is a fantastic write up on how luks works below, if the nuts and bolts of the process are important to you.

TLDR, just give me the commands!

The way that luks handles the master key and the encrypted data is, it passes the master key through a salt and iterations cycle and then ciphers that key, the hash is then stored in the luks header. However, while it is almost impossible to recover the key from the header because the master key is broken up across all of the headers in the filesystem, it is possible to send guesses of the key through the same salt, iterations and cipher process and compare the end result. Therefore all that we need is the header file and then we can jam that header file into hashcat and run it through a password list.

The password! This password is going to be used every time the machine boots up or every time the container gets mounted. Entropy ridden passwords are a pain to type in manually, the drive is “encrypted” so it is totally safe, let’s just use a crappy password… UGH.

Time to grab that tasty header hash!

dd if=test of=luks-header bs=512 count=4097

This can also be done to a block device as well as a file, dd is one flexible and awesome tool. Once we have that header file we have all the data we need off of the drive or from the container. From there we will load up our trusty password file of 1 password and proceed to crack the container. Yes, knowing the password is cheating, but the premise is the user reused a password.

Shared passwords! When password dumps happen, those password are thrown out on pastebin and then archived for all time. Sharing a password on a site that was breached and dumped will leave the door open for that password to be reused in a password list. It all boils down to the password complexity, and never reuse critical passwords, period. Also, getting cute and swapping letters for numbers doesn’t make the password any better. Hashcat has a fantastic rule engine behind it that can guess those permutations too. There is enough meat in rulesets for another blog post all together. In the meantime take a look here if you are interested, and happy hacking!

Links and sources !!

Posted by Web Monkey