cracking_luks

2017/05/13

So recently I found an old harddisk I used years ago which is encrypted with LUKS. Bad enough I knew that LUKS is pretty hard to crack, but worse when you don’t remember the passphrase (or password) and you suspect some valuable gems on this disk.

How does LUKS work

What makes LUKS so hard to crack is that PBKDF2 is used to process the passphrase. This means that the passphrase gets hashed over and over again (iteration) to slow down any bruteforcing. On my Fedora 25 workstation I found that my main disk uses over 400'000 iterations. Now let’s see how fast this roughly is.

$ cryptsetup benchmark
PBKDF2-sha1       663655 iterations per second for 256-bit key
PBKDF2-sha256     905506 iterations per second for 256-bit key
PBKDF2-sha512     699983 iterations per second for 256-bit key
PBKDF2-ripemd160  402061 iterations per second for 256-bit key
PBKDF2-whirlpool  295207 iterations per second for 256-bit key

So we will never get to millions of hashes per second on a CPU. That is good for security and bad for my terrible memory.

How to get hashcat running

I have a NVIDIA GTX 980 running with the xorg-x11-drv-nvidia and xorg-x11-drv-nvidia-cuda installed.

First we need an image of the disk to crack:

sudo dd if=/dev/sdx of=image.dd bs=4M status=progress

(The status=progress flag is purely to show you the remaining time. And how many cups of coffee you can drink.)

Since I’m lazy I choose kpartx to do the nasty work of finding the offsets and mounting the image as loopdevice. However, fear not, this will NOT mount the partitions it will only create the device nodes.

sudo kpartx -v -a image.dd

Now we can investigate the LUKS settings of the partition we are interested in.

$ sudo cryptsetup luksDump /dev/mapper/loop0p2
LUKS header information for /dev/mapper/loop0p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:      5d 07 88 [...]
MK salt:        aa b1 c5 [...]
MK iterations:  43750
UUID:           10c96981-[...]

Key Slot 0: ENABLED
        Iterations:             175314
        Salt:                   43 2b d0 [...]
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

As we see here this older installation of Fedora used a lot fewer iterations (43750) which will obviously be a lot faster than if I had to crack my current installation.

Hashcat received the ability to crack LUKS in 2017. Lucky me I wasn’t interested beforehand in this drive. Also good thing is that Hashcat doesn’t need the whole partition but just its header.

sudo dd if=/dev/mapper/loop0p2 of=luks.header bs=512 count=4097

This header then we can feed to hashcat and in my lack of better options run a full bruteforce attack.

hashcat -a 3 -m 14600 header.luks

[...]

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: LUKS
Hash.Target......: header.luks
Time.Started.....: Sat May 13 10:48:33 2017 (55 mins, 56 secs)
Time.Estimated...: Sat May 13 17:18:28 2017 (5 hours, 33 mins)
Guess.Mask.......: ?1?2?2?2?2 [5]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 5/15 (33.33%)
Speed.Dev.#1.....:     2258 H/s (4.71ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 58884096/104136192 (56.55%)
Rejected.........: 0/58884096 (0.00%)
Restore.Point....: 942080/1679616 (56.09%)
Candidates.#1....: Yf86p -> Y58a0
HWMon.Dev.#1.....: Temp: 80c Fan: 83% Util: 97% Core:1316MHz Mem:3004MHz Bus:16

Conclusion

To be honest the time is not really correct since I stopped the processing, rebooted the computer and resumed the processing.

But what we see here is that even though a GTX 980 is crunching the numbers we barely are over 2000 hashes per second. So LUKS should be safe, at least from home cracking and other usual suspects that could steal your harddrive and be interested in getting to your data.

The only thing is of course: The length of the passphrase matters a lot. The longer the more impossible it becomes to crack it provided the algorithm is not broken, the implementation not flawed etc.

My personal highlight though is that I now have a cozy warm place because the GPU is fully blowing out a steady 80°C warm breeze.