LUKS type
#1
Anyone familiar with LUKS type?

It seems that neither hashcat nor bruteforce-luks are working.

I am testing bruteforcing a USB Stick password known 'a12345' /dev/sdg1 with LUKS:

# sudo hexdump -C -n 2000 /dev/sdg1
00000000  4c 55 4b 53 ba be 00 02  00 00 00 00 00 00 40 00  |LUKS..........@.|
00000010  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  00 00 00 00 00 00 00 00  73 68 61 32 35 36 00 00  |........sha256..|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  25 fd 5c b4 a5 43 20 73  |........%.\..C s|
00000070  03 57 e5 21 ea c8 c4 d4  fb ac 80 89 5f 83 29 85  |.W.!........_.).|
00000080  67 ea 4e 61 d7 dd 10 cf  13 83 72 7b 77 5e 6b 63  |g.Na......r{w^kc|
00000090  ef 01 7a 5b 98 e2 d5 64  99 e3 b6 09 80 9d 49 d4  |..z[...d......I.|
000000a0  e4 e8 22 27 d8 d6 44 a3  33 33 65 63 66 34 34 33  |.."'..D.33ecf443|
000000b0  2d 30 66 64 66 2d 34 34  63 37 2d 61 62 63 35 2d  |-0fdf-44c7-abc5-|
000000c0  30 33 34 66 38 36 63 39  62 33 30 66 00 00 00 00  |034f86c9b30f....|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|


I imaged the Stick and extracted the headers with dd:

# sudo dd if=/dev/sdg1 count=1 bs=16777216 > luks_header.img

# hexdump -C -n 1024 luks_header.img
00000000  4c 55 4b 53 ba be 00 02  00 00 00 00 00 00 40 00  |LUKS..........@.|
00000010  00 00 00 00 00 00 00 03  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  00 00 00 00 00 00 00 00  73 68 61 32 35 36 00 00  |........sha256..|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  25 fd 5c b4 a5 43 20 73  |........%.\..C s|
00000070  03 57 e5 21 ea c8 c4 d4  fb ac 80 89 5f 83 29 85  |.W.!........_.).|
00000080  67 ea 4e 61 d7 dd 10 cf  13 83 72 7b 77 5e 6b 63  |g.Na......r{w^kc|
00000090  ef 01 7a 5b 98 e2 d5 64  99 e3 b6 09 80 9d 49 d4  |..z[...d......I.|
000000a0  e4 e8 22 27 d8 d6 44 a3  33 33 65 63 66 34 34 33  |.."'..D.33ecf443|
000000b0  2d 30 66 64 66 2d 34 34  63 37 2d 61 62 63 35 2d  |-0fdf-44c7-abc5-|
000000c0  30 33 34 66 38 36 63 39  62 33 30 66 00 00 00 00  |034f86c9b30f....|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*





When trying to bruteforce the device or image:

sudo /opt/hashcat-6.1.1/hashcat.bin -a 0 -m 14600 /dev/sdg1 Dictionary.txt
hashcat (v6.1.1) starting...

Hashfile '/dev/sdg1': Invalid LUKS version



Testing the password with

#echo "a12345" | sudo cryptsetup --test-passphrase open luks_header.img

works just fine.
Reply
#2
i think hashcat wants the first 2 Megab/Mebi not 16 ...

see examples
https://hashcat.net/misc/example_hashes/...stfiles.7z
Reply
#3
After the first 6 bytes there is a short with the version of LUKS. Here it is version 2. As far as I know there is still no gpu worker for LUKS2 and it is not supported by hashcat, That's why it's telling you "Invalid LUKS version".

The current version of bruteforce-luks should be able to handle it on a current system -- bruteforce-luks only use the cryptsetup library. Why do you think it is not working?
Reply
#4
(03-13-2021, 12:19 AM)BotPass Wrote: After the first 6 bytes there is a short with the version of LUKS. Here it is version 2. As far as I know there is still no gpu worker for LUKS2 and it is not supported by hashcat, That's why it's telling you "Invalid LUKS version".

The current version of bruteforce-luks should be able to handle it on a current system -- bruteforce-luks only use the cryptsetup library. Why do you think it is not working?

Oh yes that explains the error!! thanks for mentioning the 6B. bruteforce-luks did the job.
Reply