hashcat Forum

Full Version: LUKS Hash search is failing - what am I doing wrong?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
So I have a LUKS encrypted filesystem that I set up ages ago. When I was actively using it, I simply typed the password from memory when the prompt came up. I took a break from that machine for a year or two and... have forgotten the password. I know it was something relatively simple, but all my attempts to run various hashcat dictionaries at it have failed. I suspect I'm doing it wrong.

Environment: Windows laptop with hashcat 6.1. I've pulled several 'human readable' and 'everything but the kitchen sink' dictionaries. Last night's run went for 9 hours and didn't find the key. This was on a 15gig dictionary (!!)

The original image (these are mac / unix commands - i just use the windows box to run hashcat because it has a graphics card that works for it)


Code:
-rw-r--r-- 1 root staff 13008633856 May 6 2020 crypt.img

-rw-r--r-- 1 xxxxxxx staff 26214400 Jan 18 14:34 crypt1.hdr


The crypt1.hdr is a dd 'slice' of the image, that should have enough data to include the keys:


Code:
$ file crypt.img crypt1.hdr
crypt.img: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 3f6f590e-119f-432b-a7d7-94c2aabeb038
crypt1.hdr: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 3f6f590e-119f-432b-a7d7-94c2aabeb038


On my windows box, I use:

hashcat -m 14600 -a 0 -w 3 crypt1.hdr --status ..\..\realuniq.lst -o found

The realuniq.lst is about 15gig

After 9 hours of running, I have 0 keys recovered Sad


Code:
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: LUKS
Hash.Target......: crypt1.hdr
Time.Started.....: Sun Jan 31 00:05:54 2021 (9 hours, 10 mins)
Time.Estimated...: Sun Jan 31 09:16:12 2021 (0 secs)
Guess.Base.......: File (..\..\realuniq.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 36718 H/s (57.62ms) @ Accel:256 Loops:256 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 1212336035/1212336035 (100.00%)
Rejected.........: 0/1212336035 (0.00%)
Restore.Point....: 1212336035/1212336035 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:26112-26314
Candidates.#1....: $HEX[e3808ae9ad94e7958ce8b685e5b091e5b9b4e3808befbc88e7b4b0e9a6ace4bfa1e4b880efbc89] -> $HEX[bfe9bea5d7b4]
Hardware.Mon.#1..: Temp: 73c Util:100% Core:1860MHz Mem:5500MHz Bus:16
Started: Sun Jan 31 00:04:18 2021
Stopped: Sun Jan 31 09:16:14 2021


What am I doing wrong?
just step back a little bit.

grab a new HDD/SDD put a LUKS encrypted and working operating system or data on it. make sure that the encryption and decryption works with that disk. Remember the password for it.

Given this example / test disk, you can now extract the bytes that you need and try to run it with hashcat by using a small password list that also contains the correct password that you used for this test.

If it works, you have successfully recovered the password for this test with hashcat and you can be quite confident that it should work the same way for your target partition / disk.

Of course hashcat only print the correct password if the password candidates you are running also contain the correct password (could of course be mangled with rules etc, but it still needs to be one of the passwords hashcat tries).