hashcat
advanced password recovery

Zarhi · 11-02-2023, 01:23 PM

Hello,

I have old PC with Fedora 16 (Verne) with forgotten LUKS password.

I try to recover it with hashcat 6.2.6 but there is a problem:

On fedora 16:
# dd if=/dev/zero of=test_luks bs=32M count=1
# cryptsetup luksFormat test_luks
with password 'abcdefg_22!'

Then transfer test_luks to my work PC, RockyLinux 9.2, NVIDIA Corporation TU104GL [Quadro RTX 4000] (rev a1)

Result from hashcat:

Quote:# cat a.dict
abcdefg
# ./hashcat -m 14600 test_luks -1 '~!_#2' -a 6 a.dict ?1?1?1?1
hashcat (v6.2.6) starting

CUDA API (CUDA 12.3)
====================
* Device #1: Quadro RTX 4000, 7877/7974 MB, 36MCU

OpenCL API (OpenCL 3.0 CUDA 12.3.68) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: Quadro RTX 4000, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

ATTENTION! Potfile storage is disabled for this hash mode.
Passwords cracked during this session will NOT be stored to the potfile.
Consider using -o to save cracked passwords.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1412 MB

Dictionary cache hit:
* Filename..: a.dict
* Passwords.: 1
* Bytes.....: 8
* Keyspace..: 625

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

test_luks:abcdefg2222

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 14600 (LUKS v1 (legacy))
Hash.Target......: test_luks
Time.Started.....: Thu Nov 2 11:01:18 2023 (1 sec)
Time.Estimated...: Thu Nov 2 11:01:19 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (a.dict), Left Side
Guess.Mod........: Mask (?1?1?1?1) [4], Right Side
Guess.Charset....: -1 ~!_#2, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#1.........: 1 H/s (0.33ms) @ Accel:8 Loops:128 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/625 (0.16%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:186880-186999
Candidate.Engine.: Device Generator
Candidates.#1....: abcdefg2222 -> abcdefg2222
Hardware.Mon.#1..: Temp: 60c Fan: 30% Util: 62% Core:1920MHz Mem:6500MHz Bus:16

Started: Thu Nov 2 11:00:35 2023
Stopped: Thu Nov 2 11:01:20 2023

Runnig with -d 2 (OpenCL) print same result.

Testing on Rocky 9:
# echo 'abcdefg_22!' | cryptsetup luksOpen --test-passphrase test_luks test
# echo 'abcdefg2222' | cryptsetup luksOpen --test-passphrase test_luks test
No key available with this passphrase.

Do I make some mistake?

v71221 · 11-03-2023, 09:34 PM

To simplify, I would try wordlist attack mode (not hybrid).
Create wordlist with these words
abcdefg_!_!
abcdefg2222
abcdefg_22!
Run the attack and post the results here, please

Zarhi · (This post was last modified: 11-06-2023, 10:17 AM by Zarhi.)

Quote:# cat t.dict
abcdefg_!_!
abcdefg2222
abcdefg_22!

# ./hashcat -m 14600 test_luks -a 3 t.dict
hashcat (v6.2.6) starting

CUDA API (CUDA 12.3)
====================
* Device #1: Quadro RTX 4000, 7877/7974 MB, 36MCU

OpenCL API (OpenCL 3.0 CUDA 12.3.68) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: Quadro RTX 4000, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

ATTENTION! Potfile storage is disabled for this hash mode.
Passwords cracked during this session will NOT be stored to the potfile.
Consider using -o to save cracked passwords.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1412 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

test_luks:abcdefg_!_!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 14600 (LUKS v1 (legacy))
Hash.Target......: test_luks
Time.Started.....: Mon Nov 6 08:04:34 2023 (1 sec)
Time.Estimated...: Mon Nov 6 08:04:35 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: abcdefg_!_! [11]
Guess.Queue......: 1/3 (33.33%)
Speed.#1.........: 1 H/s (0.04ms) @ Accel:64 Loops:16 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:186992-186999
Candidate.Engine.: Device Generator
Candidates.#1....: abcdefg_!_! -> abcdefg_!_!
Hardware.Mon.#1..: Temp: 61c Fan: 30% Util: 54% Core:1920MHz Mem:6500MHz Bus:16

Started: Mon Nov 6 08:04:32 2023
Stopped: Mon Nov 6 08:04:36 2023

Same result with -a 0:

Quote:./hashcat -m 14600 test_luks -a 0 t.dict
Approaching final keyspace - workload adjusted.

test_luks:abcdefg_!_!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 14600 (LUKS v1 (legacy))
Hash.Target......: test_luks
Time.Started.....: Mon Nov 6 08:18:18 2023 (1 sec)
Time.Estimated...: Mon Nov 6 08:18:19 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (t.dict)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4 H/s (0.16ms) @ Accel:128 Loops:64 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:186944-186999
Candidate.Engine.: Device Generator
Candidates.#1....: abcdefg_!_! ->
Hardware.Mon.#1..: Temp: 60c Fan: 30% Util: 54% Core:1920MHz Mem:6500MHz Bus:16

Snoopy · (This post was last modified: 11-06-2023, 08:04 PM by Snoopy.)

well thats strange, i cannot even crack my testsetup, tried mode 14600 and the newer one 29521, dict and bruteforce no hit

can you please upload your test_luks file anywhere? i feel it kinda strange that none of my setups produces a cracked pass

Zarhi · (This post was last modified: 11-08-2023, 10:17 AM by Zarhi.)

https://cloud.zarhi.com/s/EGoWSJWKPxnrqHG

Same results are with 5.1.0 and 4.2.1. Lower versions does not compile on my system.

Snoopy · 11-10-2023, 02:06 PM

well now thats a strange behavior,
setup: hahscat 6.2.6 (and beta) bruteforce, mode 14600, mask abcdefg?s?d?d?s, --keep-guessing

test_luks:abcdefg#96!
test_luks:abcdefg{30#
test_luks:abcdefg;36~
test_luks:abcdefg=08}
test_luks:abcdefg%72

then i extracted the hash using the python-tool, same setup, mode 25911
abcdefg?26-
abcdefg;86)
abcdefg-00\
abcdefg~64<
abcdefg^48[

rerun this on different systems and using different backends CPU, GPU, opencl, cuda resulting in multiple similar outputs

maybe some of the devs can exlpain why this happen?

b8vr · 11-11-2023, 10:49 AM

(11-10-2023, 02:06 PM)Snoopy Wrote: well now thats a strange behavior,
setup: hahscat 6.2.6 (and beta) bruteforce, mode 14600, mask abcdefg?s?d?d?s, --keep-guessing

test_luks:abcdefg#96!
test_luks:abcdefg{30#
test_luks:abcdefg;36~
test_luks:abcdefg=08}
test_luks:abcdefg%72

then i extracted the hash using the python-tool, same setup, mode 25911
abcdefg?26-
abcdefg;86)
abcdefg-00\
abcdefg~64<
abcdefg^48[

rerun this on different systems and using different backends CPU, GPU, opencl, cuda resulting in multiple similar outputs

maybe some of the devs can exlpain why this happen?

This could maybe be a keyboard layout issue.
When creating a bootable LUKS partition, LUKS is changing the layout to english/US, meaning that if you have a different keyboard, you think you are supplying some specific characters, but if those characters are placed differently from an english/US keyboard, the password will actually contain the characters of the english/US layout.

Zarhi · 11-11-2023, 12:52 PM

Result are not consistent:

./hashcat -m 14600 test_luks -a 0 example.dict --keep-guessing

First run:

Quote:test_luks:1024ens
test_luks:jack1e
test_luks:joao2309
test_luks:kalaska
test_luks:kineee
test_luks:kurono
test_luks:letlove2
test_luks:lovebaby
test_luks:makaay05
test_luks:max1412
test_luks:milburn
test_luks:mozx246
test_luks:ncic142
test_luks:norte06
test_luks:orian70
test_luks:pavli090
test_luks:plokplok
test_luks:pvt1003
test_luks:randori44
test_luks:roberts
test_luks:sachiko
test_luks:seanptc
test_luks:simonsays
test_luks:spargel
test_luks:suriya
test_luks:temnaya
test_luks:tobidog
test_luks:tyke
test_luks:verano
test_luks:wearecor
test_luks:x1gfj
test_luks:yql-123456
test_luks:zzz666bc

Second run:

Quote:test_luks:051304
test_luks:41353109
test_luks:Klausi
test_luks:c6jbower
test_luks:futurebird
test_luks:ma0schel
test_luks:p7101309
test_luks:suca3000

Third run:

Quote:test_luks:06081961
test_luks:12bienen
test_luks:1e3654
test_luks:2832328110
test_luks:410186c3
test_luks:601902638
test_luks:86338633
test_luks:9bqj4
test_luks:PieriePierie
test_luks:a6pack4u
test_luks:atakan2121
test_luks:benutzen3
test_luks:calgon
test_luks:cpu80mhz
test_luks:dumcu113
test_luks:euro8469
test_luks:fw041679
test_luks:halloula
test_luks:intensecs
test_luks:k14589
test_luks:l1a2r3s4
test_luks:lunita
test_luks:mfgmikel
test_luks:nesquick
test_luks:penny
test_luks:qx24av12
test_luks:rockstar
test_luks:sfnasty
test_luks:superk
test_luks:tommi2005
test_luks:vvrzr
test_luks:xyzpq13

And so on. adding -w3, -S, -D2 ( Intel OpenCL on Xeon CPU) gives same random results.

Snoopy · 11-13-2023, 01:15 PM

after reporting this issue atom came up with the reason/explanation why this happen

please see

https://github.com/hashcat/hashcat/issues/3903
and
https://hashcat.net/forum/thread-6225.html

the problem seems, that the luks drive has to be a valid filesystem, see the 6225 thread on this why/how atom worked out the attackvector for luks, i was unaware on this one

this is also the problem why i cant crack my own setup, because i followed your setup without formatting the luksdrive

Banaanhangwagen · 11-14-2023, 03:53 PM

FYI, the tool "luks2hashcat.py" mentions the fact that there is a initialization error...

Login
Username/Email:
Password:	Lost Password?
	Remember me

hashcat advanced password recovery

hashcat
advanced password recovery