
How to use Hashcat to break Linux disk encryption

2025-03-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces how to use Hashcat to break Linux disk encryption. Many people have questions about how this is done in practice, so the editor consulted a range of materials and put together a simple, easy-to-follow procedure. Follow the steps below.

1. Create a MacBook disk image and load it into EnCase

The hard disk image can be obtained through the Thunderbolt interface, by connecting to another Mac, or in target disk mode. This step is relatively simple, so we will not go through it here.

When we load the image file (forensics file) into EnCase, we can see the boot partition directly, but hda2 seems to be an "unallocated volume" in the format of EXT2 partition.

However, the LUKS header is directly visible in the lower pane, and it tells us that the partition uses AES encryption in XTS-plain64 mode.

2. Export the encrypted partition

In order to decrypt and load the partition, we first need to export the encrypted partition as a raw image. I found that this step is easiest with FTK Imager; you can also use EnCase to load the partition as an emulated disk, but FTK Imager is simpler.

After loading successfully, right-click the encrypted partition, select "Export Disk Image", and set fragmentation to 0.

3. Partition header: the hashcat 'hash' file

Next, it's time for hashcat, a password-cracking tool that supports Windows and Linux. hashcat is normally used to crack password hashes, so we would load a single hash value or a text file containing multiple hashes.

For LUKS, however, we need to run hashcat against the partition itself, because LUKS stores the master key used to decrypt the data within the disk area. Fortunately, hashcat only needs about 2MB of the partition to crack the password, so we can use FTK Imager to create a 2MB header image, or run the following command:

sudo dd if=LUKS_Partition.001 of=LUKS_Header.dd bs=512 count=4079

FTK method:

Fragmentation is set to 2. If you want to use the dd command, please refer to the method given above.
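
The header fields that EnCase displays in step 1 and the roughly 2MB region exported in step 3 can both be read from the LUKS1 on-disk header. The following is an added example, not part of the original article: the function names are hypothetical, the sample header is constructed rather than taken from a real disk, and the layout assumed is the standard LUKS1 header (592 bytes, big-endian fields, eight key slots).

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 key-slot states
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")     # 208 bytes, big-endian
SLOT = struct.Struct(">II32sII")                      # 48 bytes, 8 slots follow
SECTOR = 512

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    """Parse the 592-byte LUKS1 header; raise ValueError if it is not LUKS1."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _mk_iter, _uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    active, end = [], 0
    for i in range(8):
        state, iters, _s, km_off, stripes = SLOT.unpack_from(
            buf, PHDR.size + i * SLOT.size)
        km_sectors = -(-key_bytes * stripes // SECTOR)   # ceiling division
        end = max(end, km_off + km_sectors)
        if state == SLOT_ACTIVE:
            active.append({"slot": i, "pbkdf2_iterations": iters})
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_offset": payload_off,
            "active_slots": active, "keymaterial_end_sector": end}

def build_sample_header():
    """Constructed header (not from a real disk): aes-xts-plain64, 512-bit key."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 120000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):   # slot 0 enabled, the rest disabled; 4000 stripes each
        state = SLOT_ACTIVE if i == 0 else SLOT_DISABLED
        hdr += SLOT.pack(state, 250000 if i == 0 else 0, bytes(32),
                         8 + 504 * i, 4000)
    return hdr

if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    for key, value in info.items():
        print(f"{key}: {value}")
```

On this constructed layout the key-slot material ends at sector 4036, inside the 4079 sectors copied by the dd command above. In a real header, the hash and the per-slot PBKDF2 iteration counts show how expensive each passphrase guess is for that volume.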

4. Hashcat

This step can be done on Windows or Linux, but for convenience, I chose to use Linux to decrypt and load the partition.

Download hashcat 3.5+ [download link]. hashcat has many options for cracking passwords. The most commonly used is brute force, but it is so inefficient that you may not recover a password for months. What we use here is a dictionary attack (custom dictionary); you can download a variety of very powerful password dictionaries from [here].

After you copy the partition image and the header image to Linux and set up hashcat, change to the directory where the image is located and run the following command in the terminal (using a dictionary file called "Dictionary.txt"):

./hashcat-3.5.0/hashcat64.bin -m 14600 -a 0 -w 3 LUKS_Partition.001 Dictionary.txt -o luks_password.txt

The common hashcat statements are as follows:


Our scenario is configured as follows:

-m = hash algorithm: 14600 for LUKS encryption
-a = cracking method: 0 for standard dictionary cracking (3 for brute force cracking)
-w = resource allocation: 3 for 'high'
LUKS_Partition.001 = encrypted partition
Dictionary.txt = dictionary
-o = output: luks_password.txt

If all goes well, you can see the result of the password cracking.

5. Decrypt the partition

Now that we have the password, we can use cryptsetup to decrypt the container! Run the following command:

sudo cryptsetup luksOpen LUKS_Partition.001 Decrypted_partition

Enter your administrator password, then enter the LUKS password that hashcat gave you. This command creates the decrypted partition at the path /dev/mapper/Decrypted_partition. You can then use the ls command to view it.

6. Mount the partition

First, create the location where the image will be mounted:

sudo mkdir /mnt/Decrypted_partition

If you use the following command to mount:

sudo mount /dev/mapper/Decrypted_partition /mnt/Decrypted_partition

You may get an error message: "mount: Unknown Filesystem type"

If it appears, you can run the following command to solve the problem:

sudo apt-get install lvm2

Then run:

sudo lvscan

This shows the logical volumes inside the decrypted partition. Then mount the root volume with the following command:

sudo mount /dev/macdeb-vg/root /mnt/Decrypted_partition -r

Note: -r means read-only!

We can also mount the swap partition using the same mkdir and mount commands.

7. Browse the data

We can browse /mnt/Decrypted_partition directly and view the previously hidden data!

8. Create decrypted partition image

Now we can use the "dd" or "dc3dd" command to image the decrypted data; make sure you point it at /dev/mac-deb-vg. I suggest that you use the following command:

sudo dc3dd if=/dev/macdeb-vg/root of=/media/Patrick/KINGSTON/decrypted_partition.dd

9. View disk data in EnCase

After getting the decrypted partition image, we can load it into EnCase (or other tools), and then you will find that all the data is directly readable.
