## LUKS (Linux Unified Key System)

### STEP 1: Grab the header file from the partition or drive

```bash
dd if=<luks_partition> of=luks-header.dd bs=512 count=4097
```

### STEP 2: Perform Hashcat dictionary or other relevant attacks.

```bash
hashcat -a 0 -m 14600 luks-header.dd dict.txt
```

## TrueCrypt & VeraCrypt

Hashcat needs the correct binary data extracted from your TrueCrypt or VeraCrypt volumes, which you then pass to Hashcat as you would a normal hash. The same procedure below works for TrueCrypt and VeraCrypt.

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_truecrypt_volumes

### TrueCrypt/VeraCrypt Boot Volume

#### STEP 1: Extract 512 bytes starting with offset 31744 (62 * 512 bytes):

```bash
dd if=truecrypt_boot.raw of=truecrypt_boot.dd bs=1 skip=31744 count=512
```

#### STEP 2: Select the appropriate TrueCrypt/VeraCrypt mode in Hashcat based on settings:

```bash
hashcat -a 0 -m xxxx truecrypt_boot.dd dict.txt
```

### TrueCrypt/VeraCrypt Hidden Partition

#### STEP 1: Use dd to skip the first 64K bytes (65536) and extract the next 512 bytes:

```bash
dd if=truecrypt_hidden.raw of=truecrypt_hidden.dd bs=1 skip=65536 count=512
```

#### STEP 2: Select the appropriate TrueCrypt mode in Hashcat based on settings:

```bash
hashcat -a 0 -m xxxx truecrypt_hidden.dd dict.txt
```

### TrueCrypt/VeraCrypt File

#### STEP 1: Extract the first 512 bytes of the file:

```bash
dd if=truecrypt_file.raw of=truecrypt_file.dd bs=512 count=1
```

#### STEP 2: Select the appropriate TrueCrypt mode in Hashcat based on settings:

```bash
hashcat -a 0 -m xxxx truecrypt_file.dd dict.txt
```

| Mode  | Digit | Meaning                               |
| ----- | ----- | ------------------------------------- |
| 62XY  |       | TrueCrypt                             |
| X     | 1     | PBKDF2-HMAC-RipeMD160                 |
| X     | 2     | PBKDF2-HMAC-SHA512                    |
| X     | 3     | PBKDF2-HMAC-Whirlpool                 |
| X     | 4     | PBKDF2-HMAC-RipeMD160 + boot-mode     |
| Y     | 1     | XTS 512 bit pure AES                  |
| Y     | 1     | XTS 512 bit pure Serpent              |
| Y     | 1     | XTS 512 bit pure Twofish              |
| Y     | 2     | XTS 1024 bit pure AES                 |
| Y     | 2     | XTS 1024 bit pure Serpent             |
| Y     | 2     | XTS 1024 bit pure Twofish             |
| Y     | 2     | XTS 1024 bit cascaded AES-Twofish     |
| Y     | 2     | XTS 1024 bit cascaded Serpent-AES     |
| Y     | 2     | XTS 1024 bit cascaded Twofish-Serpent |
| Y     | 3     | XTS 1536 bit all                      |
| 137XY |       | VeraCrypt                             |
| X     | 1     | PBKDF2-HMAC-RipeMD160                 |
| X     | 2     | PBKDF2-HMAC-SHA512                    |
| X     | 3     | PBKDF2-HMAC-Whirlpool                 |
| X     | 4     | PBKDF2-HMAC-RipeMD160 + boot-mode     |
| X     | 5     | PBKDF2-HMAC-SHA256                    |
| X     | 6     | PBKDF2-HMAC-SHA256 + boot-mode        |
| X     | 7     | PBKDF2-HMAC-Streebog-512              |
| Y     | 1     | XTS 512 bit pure AES                  |
| Y     | 1     | XTS 512 bit pure Serpent              |
| Y     | 1     | XTS 512 bit pure Twofish              |
| Y     | 2     | XTS 1024 bit pure AES                 |
| Y     | 2     | XTS 1024 bit pure Serpent             |
| Y     | 2     | XTS 1024 bit pure Twofish             |
| Y     | 2     | XTS 1024 bit cascaded AES-Twofish     |
| Y     | 2     | XTS 1024 bit cascaded Serpent-AES     |
| Y     | 2     | XTS 1024 bit cascaded Twofish-Serpent |
| Y     | 3     | XTS 1536 bit all                      |

## Windows Bitlocker

https://openwall.info/wiki/john/OpenCL-BitLocker

https://github.com/e-ago/bitcracker developed by Elenago

### STEP 1: Use dd to extract image of your Bitlocker encrypted device:

```bash
sudo dd if=/dev/disk2 of=/path/to/bitlockerimage conv=noerror,sync
```

### STEP 2: Extract the hash using bitlocker2john:

```bash
bitlocker2john -i /path/to/bitlockerimage
```

### STEP 3: Copy output hash into a file hash.txt

### STEP 4: Use JTR to crack the bitlocker hash:

```bash
john --format=bitlocker-opencl --wordlist=dict.txt hash.txt
```

Sample Bitlocker Recovery Password:

```
236808-089419-192665-495704-618299-073414-538373-542366
```

Mask for BitLocker Recovery Password:

```
mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d
```

## Apple FileVault2 Disk Encryption

### STEP 1: Use dd to extract image of your FileVault2 encrypted disk:

```bash
sudo dd if=/dev/disk2 of=/path/to/filevault_image.dd conv=noerror,sync
```

### STEP 2: Install fvde2john from https://github.com/kholia/fvde2john

### STEP 3: Use hdiutil to attach to dd image:

```bash
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/filevault_image.dd
```

### STEP 4: Obtain the EncryptedRoot.plist.wipekey from "Recovery HD" partition

https://github.com/libyal/libfvde/wiki/Mounting#obtainingencryptedrootplistwipekey

```bash
mmls /Volumes/path/to/filevault_image.dd
fls -r -o 50480752 /Volumes/path/to/filevault_image.dd | grep -i EncryptedRoot
# output: +++++ r/r 130: EncryptedRoot.plist.wipekey
icat -o 50480752 image.raw 130 > EncryptedRoot.plist.wipekey
```

### STEP 5: Verify and note the disk mount point for Apple_Corestorage:

```bash
diskutil list
# output: .../dev/disk3s2 Apple_Corestorage
```

### STEP 6: Use EncryptedRoot.plist.wipekey with fvdeinfo to retrieve the hash:

```bash
sudo fvdetools/fvdeinfo -e EncryptedRoot.plist.wipekey -p blahblah /dev/disk3s2
# output: $fvde$1$16$96836044060108438487434858307513$41000$e9acbb4bc6dafb74aadb72c576fecf69c2ad45ccd4776d76
```

### STEP 7: Load this hash into JTR or Hashcat to crack

```bash
john --format=FVDE-opencl --wordlist=dict.txt hash.txt
hashcat -a 0 -m 16700 hash.txt dict.txt
```

## Apple File System MacOS up to 10.13

### STEP 1: Install apfs2john per the GitHub instructions located at:

https://github.com/kholia/apfs2john

### STEP 2: Point 'apfs2john' at your device or disk image:

```bash
sudo ./bin/apfs-dump-quick /dev/sdc1 outfile.txt
sudo ./bin/apfs-dump-quick image.raw outfile.txt
```

!!Consider using 'kpartx' for handling disk images per Kholia recommendations!!

https://github.com/kholia/fvde2john
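
Added example, not from the original page: a defensive check on the `luks-header.dd` file produced in the LUKS section's STEP 1. It parses the LUKS1 on-disk header and reports each active key slot's PBKDF2 iteration count, which sets the cost of every offline guess; the `min_iter` threshold and the sample header are assumptions constructed for illustration.

```python
import struct

# LUKS1 header (big-endian): magic[6] version(u16) cipher[32] mode[32] hash[32]
# payload_off(u32) key_bytes(u32) mk_digest[20] mk_salt[32] mk_iter(u32) uuid[40]
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, km_offset, stripes
MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def audit_luks_header(blob, min_iter=100_000):
    """Describe a LUKS1 header; min_iter is an assumed policy value, not a standard."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("too short for a LUKS1 header (592 bytes)")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError(f"LUKS version {version}: not the LUKS1 layout parsed here")
    slots = []
    for i in range(8):
        active, iters, _s, _off, _stripes = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)
        if active == SLOT_ACTIVE:
            slots.append({"slot": i, "iterations": iters, "weak": iters < min_iter})
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_off,
            "uuid": _text(uuid), "active_slots": slots}

def build_sample_header():
    """Constructed LUKS1 header for the demo (zeroed salts and digest, no real key)."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                    bytes(20), bytes(32), 50_000, b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ACTIVE, 35_000, bytes(32), 8, 4000)        # low-cost slot
    slots += SLOT.pack(SLOT_ACTIVE, 1_200_000, bytes(32), 512, 4000)  # stronger slot
    slots += SLOT.pack(0x0000DEAD, 0, bytes(32), 1016, 4000) * 6      # disabled slots
    return hdr + slots

if __name__ == "__main__":
    print(audit_luks_header(build_sample_header()))
```

To audit a real header, pass the bytes of `luks-header.dd` to `audit_luks_header`; a version 2 header is rejected because LUKS2 keeps its key-slot metadata in a different layout.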