Bruteforce Luks Encrypted Partition Password

First and foremost, you should know that bruteforcing Luks is no easy task: the PBKDF2 norm, used by Luks, makes it hard to brute-force: Luks doesn’t use the passphrase you give it as a source to decrypt data. It uses your passphrase as a source for a very complex algorithm, done a great number of times (in my case 191609 times), which, at the end, requires about 1 full second of CPU time on my server to compute the resulting key. As a result, for each pass tried on this machine, it will take 1 second to know if it’s the right one or not! – http://benjamin.sonntag.fr/Luks-Bruteforce-test-all-your-passwords

<?php
/*
 * Brute force a luks encrypted device
 * (C) Benjamin Sonntag 10/2011
 * License : GPL v3
 */

$all = array(
  // One passphrase and all its variations:
  array(
    array(" ", ""),
    array("", "(", "'"),
    array("the", "The"),
    array(" passphrase you forgot "),
    array("!", "?", ".", ""),
    array("", ")", "'"),
  ),
  // Another one and all its variations:
  array(
    array(" ", ""),
    array("", "(", "'"),
    array("Another", "another"),
    array(" one"),
    array(" ", ", ", ","),
    array("you could try"),
    array("!", "?", ".", ""),
    array("", ")", "'"),
  ),
);

// Walk every combination of the fragment groups in $p (one group per
// position) and try each completed candidate against the device.
function recurse($pos, $previous) {
  global $p;
  if (!isset($p[$pos])) {
    // Every position is filled: $previous is a complete candidate passphrase.
    echo "$previous\n";
    exec("echo " . escapeshellarg($previous) . " | cryptsetup luksOpen /dev/md1 root", $out, $ret);
    if ($ret == 0) {
      echo "FOUND !";
      mail("youremail@example.com", "FOUND passphrase", "Found correct phrase on the server !!");
      exit();
    }
    return;
  }
  foreach ($p[$pos] as $mot) {
    recurse($pos + 1, $previous . $mot);
  }
}

foreach ($all as $p) {
  recurse(0, "");
}

In summary, the script above runs the following command once per candidate, with password replaced by each combination built from the arrays:

echo 'password' | cryptsetup luksOpen /dev/md1 root

BackTrack ships with a great tool called crunch, available from http://sourceforge.net/projects/crunch-wordlist/. Crunch is a wordlist generator: you can choose one of its standard character sets or specify your own, and crunch generates all possible combinations and permutations.

General usage:

crunch [minlength] [maxlength] [charset] -o wordlist.txt

The full range of options is as follows:
-b Maximum bytes to write per file, so the wordlist can be split into chunks of a given size such as KB / MB / GB (must be used in combination with the "-o START" switch)
-c Number of lines to write per output file, must be used together with "-o START"
-d Limits the number of consecutive identical characters (crunch v3.2)
-e Specifies when crunch should stop early (crunch v3.1)
-f Path to the charset.lst file to use; the standard location is /pentest/passwords/crunch/charset.lst. Used in conjunction with the name of the desired charset, such as mixalpha-numeric-space
-i Inverts the output sequence from left-to-right to right-to-left (so instead of aaa, aab, aac, aad etc., the output would be aaa, baa, caa, daa)
-l When specifying custom patterns with the -t option, the -l switch lets you identify which of the placeholder characters ( @,%^ ) should be taken as literal characters instead of placeholders
-o Specifies the file name / location for the output, e.g. /media/flashdrive/wordlist.txt
-p Prints permutations of the words or characters provided on the command line
-q Prints permutations of the words or characters found in a specified file
-r Resumes from a previous session; use the exact same syntax followed by -r
-s Specifies the starting string for your wordlist
-t Specifies a pattern to use. Probably one of the most important functions!
Placeholders for fixed character sets are:
@ — lower case alpha characters
, — upper case alpha characters
% — numeric characters
^ — special characters (including space)
-u Suppresses the output of wordlist size & line count before starting wordlist generation
-z Compresses the generated output; supports gzip, bzip & lzma

So, after understanding how to control crunch’s output and how to feed it to cryptsetup, we end up with something like the following.

crunch 2 4 abcdefghijklmnopqrstuvwxyz | cryptsetup luksOpen /dev/md1 root

Please keep in mind this command will vary on your system. Note also that cryptsetup reads a single passphrase from standard input and then exits, so a plain pipe like this only tests the first word crunch produces; testing every candidate means one cryptsetup invocation per word, which is what the script above does for its own list, and every invocation pays the full PBKDF2 iteration count recorded in the header (about a second in the measurement quoted at the top).
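To gauge how much the header's iteration count and the candidate keyspace constrain the approach described above, here is an added Python example (not from this post and not part of Benjamin Sonntag's script): it parses the per-slot iteration counts from a constructed `cryptsetup luksDump` sample, times one PBKDF2-HMAC derivation at that count on the local CPU, and estimates the worst-case time to exhaust the `crunch 2 4 a-z` keyspace. The dump text is a constructed sample; the timing reflects whatever machine runs it.

```python
import re
import hashlib
import time

# Constructed, abbreviated `cryptsetup luksDump` output for a LUKS1 header; not from the post.
SAMPLE_DUMP = """\
LUKS header information for /dev/md1
Version:        1
Hash spec:      sha1
MK iterations:  47875
Key Slot 0: ENABLED
\tIterations:         \t191609
\tKey material offset:\t8
Key Slot 1: DISABLED
"""

def slot_iterations(dump):
    """Map each ENABLED key slot to its PBKDF2 iteration count."""
    slots, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Key Slot (\d+): (ENABLED|DISABLED)", line)
        if m:
            current = int(m.group(1)) if m.group(2) == "ENABLED" else None
            continue
        m = re.match(r"\s*Iterations:\s*(\d+)", line)
        if m and current is not None:
            slots[current] = int(m.group(1))
    return slots

def keyspace(charset_len, min_len, max_len):
    """Number of candidates `crunch min max charset` emits."""
    return sum(charset_len ** n for n in range(min_len, max_len + 1))

def seconds_per_guess(iterations, hash_name="sha1"):
    """Time one PBKDF2-HMAC derivation locally: the floor cost of one guess."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"guess", b"0123456789abcdef", iterations, 32)
    return time.perf_counter() - start

def exhaust_days(n_candidates, sec_per_guess):
    """Worst-case wall time, in days, to try every candidate serially."""
    return n_candidates * sec_per_guess / 86400

if __name__ == "__main__":
    n = keyspace(26, 2, 4)  # the post's `crunch 2 4 abcdefghijklmnopqrstuvwxyz`
    for slot, iters in slot_iterations(SAMPLE_DUMP).items():
        per = seconds_per_guess(iters)
        print(f"slot {slot}: {iters} iterations, {per:.3f}s/guess, "
              f"{n} candidates, ~{exhaust_days(n, per):.1f} days worst case")
```

Raising the slot's iteration count (cryptsetup's `--iter-time` when adding a key) or lengthening the passphrase moves this estimate far more than anything on the guessing side.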

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.
