Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 21 Jan 2009 16:31:52 +0300
From: Solar Designer <>
Subject: Re: cracking dm-crypt

On Fri, Jan 16, 2009 at 04:11:15PM +0100, Stefan X wrote:
> I forgot my password of an encryption Linux partition (dm-crypt without
> LUKS) and would like to use JtR to crack it. I am new to JtR and am
> happy about some guiding by you experts.
> Because it is a partition I don't have any hash available which could be
> used easily with JtR. Thus I see two ways:
> 1) Extract a kind of hash from the partition; but I don't know how. Is
> there any kernel hacker who could give me input on how to do this?

When you're encrypting data, there's normally no hash of your passphrase
stored anywhere, although such a hash may be produced temporarily in
order to generate a fixed size encryption key out of your passphrase.

However, you obviously don't have to be in possession of this
intermediary hash in order to try candidate passphrases against your
encrypted partition.  Instead, you may have a program attempt decryption
of a block of data with each candidate passphrase (generating the
intermediary hash and encryption key from that passphrase in the
process), then have it try to make sense of the decrypted data (e.g.,
see if it looks like a valid filesystem superblock or garbage).

I am not aware of anyone having implemented this as a JtR "format" yet,
although that is quite possible to do (indeed, a separate implementation
would be needed for every encrypted partition solution out there, etc.)
As it relates to having JtR crack encryption keys and analyze the
decrypted data (albeit in a trivial way), this concept can be seen
implemented in KRB5_fmt.c in the jumbo patch.

Alternatively, this can be implemented in a standalone program, and that
program may be fed the output of "john ... --stdout" via a pipe.

> 2) Instead I would need to try to mount the partition with each
> potential password. Unfortunately this would be quite slow.

Yes.  That way, you don't limit the amount of data decrypted each time
to the necessary minimum, you have the kernel verify the decrypted data,
you incur overhead (syscalls, etc.), and you don't optimize the key
setup code for trying many candidate passphrases repeatedly.  Indeed,
this will be slower than the approach I described above, but it might be
easier for you to implement.

> For my
> understanding the "external mode" of JtR is exactly for such purpose.

No, it has nothing to do with that.  It is a way for you to "externally"
program JtR for trying specific kinds of candidate passwords.

> I could define a few commands to mount the partition and handle the
> result (success or failure).

You'll need to do this in your own program, perhaps written in some
scripting language such as Perl.  If you like to have JtR generate the
candidate passwords for you, then you may feed the output of
"john ... --stdout" into your script.

> Unfortunately I did not found much information
> about such approach. Is there any more documentation about it than the
> official docs?

No.  The "--stdout" option is documented.  "External mode" is just not
it.  I'm not sure how the documentation can be improved in this respect -
it would be unreasonable to list all things that "external mode" does not
do, just to state that it does not do those.

> Please let me know if my assumptions are correct and which advice you
> have for me.

Speaking of advice, unless you know/recall something about your
forgotten password or passphrase, or it was a weak one, you're most
likely out of luck cracking it.  So you absolutely need to use whatever
knowledge you have in order to limit the search space and/or try more
likely guesses first.

Also, there's a small chance/risk of your passphrase or the encryption
key having been stored somewhere on your system - it could be on disk or
in your DRAM chips maybe.  It is generally quite costly to check for
this as it requires time of someone experienced to do it.

Good luck!


To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.