hashcat
advanced password recovery

dekao · 03-12-2021, 02:44 PM

Anyone familiar with LUKS type?

It seems that neither hashcat nor bruteforce-luks are working.

I am testing bruteforcing a USB Stick password known 'a12345' /dev/sdg1 with LUKS:

# sudo hexdump -C -n 2000 /dev/sdg1
00000000 4c 55 4b 53 ba be 00 02 00 00 00 00 00 00 40 00 |LUKS..........@.|
00000010 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000040 00 00 00 00 00 00 00 00 73 68 61 32 35 36 00 00 |........sha256..|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 25 fd 5c b4 a5 43 20 73 |........%.\..C s|
00000070 03 57 e5 21 ea c8 c4 d4 fb ac 80 89 5f 83 29 85 |.W.!........_.).|
00000080 67 ea 4e 61 d7 dd 10 cf 13 83 72 7b 77 5e 6b 63 |g.Na......r{w^kc|
00000090 ef 01 7a 5b 98 e2 d5 64 99 e3 b6 09 80 9d 49 d4 |..z[...d......I.|
000000a0 e4 e8 22 27 d8 d6 44 a3 33 33 65 63 66 34 34 33 |.."'..D.33ecf443|
000000b0 2d 30 66 64 66 2d 34 34 63 37 2d 61 62 63 35 2d |-0fdf-44c7-abc5-|
000000c0 30 33 34 66 38 36 63 39 62 33 30 66 00 00 00 00 |034f86c9b30f....|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

I imaged the Stick and extracted the headers with dd:

# sudo dd if=/dev/sdg1 count=1 bs=16777216 > luks_header.img

# hexdump -C -n 1024 luks_header.img
00000000 4c 55 4b 53 ba be 00 02 00 00 00 00 00 00 40 00 |LUKS..........@.|
00000010 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000040 00 00 00 00 00 00 00 00 73 68 61 32 35 36 00 00 |........sha256..|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 25 fd 5c b4 a5 43 20 73 |........%.\..C s|
00000070 03 57 e5 21 ea c8 c4 d4 fb ac 80 89 5f 83 29 85 |.W.!........_.).|
00000080 67 ea 4e 61 d7 dd 10 cf 13 83 72 7b 77 5e 6b 63 |g.Na......r{w^kc|
00000090 ef 01 7a 5b 98 e2 d5 64 99 e3 b6 09 80 9d 49 d4 |..z[...d......I.|
000000a0 e4 e8 22 27 d8 d6 44 a3 33 33 65 63 66 34 34 33 |.."'..D.33ecf443|
000000b0 2d 30 66 64 66 2d 34 34 63 37 2d 61 62 63 35 2d |-0fdf-44c7-abc5-|
000000c0 30 33 34 66 38 36 63 39 62 33 30 66 00 00 00 00 |034f86c9b30f....|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*

When trying to bruteforce the device or image:

sudo /opt/hashcat-6.1.1/hashcat.bin -a 0 -m 14600 /dev/sdg1 Dictionary.txt
hashcat (v6.1.1) starting...

Hashfile '/dev/sdg1': Invalid LUKS version

Testing the password with

#echo "a12345" | sudo cryptsetup --test-passphrase open luks_header.img

works just fine.

Snoopy · (This post was last modified: 03-12-2021, 03:16 PM by Snoopy.)

i think hashcat wants the first 2 Megab/Mebi not 16 ...

see examples
https://hashcat.net/misc/example_hashes/...stfiles.7z

BotPass · 03-13-2021, 12:19 AM

After the first 6 bytes there is a short with the version of LUKS. Here it is version 2. As far as I know there is still no gpu worker for LUKS2 and it is not supported by hashcat, That's why it's telling you "Invalid LUKS version".

The current version of bruteforce-luks should be able to handle it on a current system -- bruteforce-luks only use the cryptsetup library. Why do you think it is not working?

dekao · 03-15-2021, 02:26 PM

(03-13-2021, 12:19 AM)BotPass Wrote: After the first 6 bytes there is a short with the version of LUKS. Here it is version 2. As far as I know there is still no gpu worker for LUKS2 and it is not supported by hashcat, That's why it's telling you "Invalid LUKS version".

The current version of bruteforce-luks should be able to handle it on a current system -- bruteforce-luks only use the cryptsetup library. Why do you think it is not working?

Oh yes that explains the error!! thanks for mentioning the 6B. bruteforce-luks did the job.

Login
Username/Email:
Password:	Lost Password?
	Remember me

hashcat advanced password recovery

hashcat
advanced password recovery