[dm-crypt] Recovering/Cracking passphrase

[dm-crypt] Recovering/Cracking passphrase

[Justin Brown]

[-- Attachment #1: Type: text/plain, Size: 1618 bytes --]

Hello,

I'm in a really bad situation. Basically, I've lost my passphrase, and I'm
trying to find a way to recover it. I know what the passphrase should be
(it's a really good 20 character passphrase), but I must have mistyped it
when configuring cryptsetup or added some complexity which I failed to write
down. I've tried about every combination of all the passwords and
passphrases that I use, and I can't come up with anymore, so I'm going to
try to build a cracker. I'd like to get some feedback before I put a lot of
time into writing the code.

I'm going to build a brute-force cracker using libcryptsetup.

I'd like it to go fast, so I plan to use posix threads to create four
threads (I have a non-HT quad-core) that will:
     1) increment the current passphrase
     2) use crypt_activate_by_passphrase() to try to open the volume.
I don't think that the the passphrase could be longer than 75 characters,
which is still very long, so I understand how horribly long this will take.

My original question was posted to the cryptsetup "issues" page about thread
safeness. Would this pesudo-code be safe or do I need to fork()?
crypt_init(&cd, "/dev/md1");
crypt_load(cd, NULL, NULL);
pthread_create(...);
   generate_passphrase(); //Does #1 from above
   crack(); //Does #2 from above

Will doing crypt_init and crypt_load before creating threads cause problems?
struct crypt_device* cd is global.
Would I be better off forking to avoid race conditions?

Is this approach my best chance to recover my data? Should I be trying to
attack the master key instead?


Thanks,
Justin Brown
justin.brown1.1@gmail.com

[-- Attachment #2: Type: text/html, Size: 2048 bytes --]

Re: [dm-crypt] Recovering/Cracking passphrase

[Christoph Anton Mitterer]

[-- Attachment #1: Type: text/plain, Size: 527 bytes --]

On Thu, 2010-06-10 at 15:28 -0500, Justin Brown wrote:
> so I'm going to try to build a cracker.
There are already tools like this out there,... at least for gpg...
You'd "just" need to adapt one of them to cryptsetup.


> Is this approach my best chance to recover my data? Should I be trying
> to attack the master key instead?
If you had a reasonable good password, and a reasonable iteration time
you're data is gone...
And attacking the master key,... should be practically impossible...


Cheers,
Chris.


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3387 bytes --]

Re: [dm-crypt] Recovering/Cracking passphrase

[Arno Wagner]

On Thu, Jun 10, 2010 at 03:28:03PM -0500, Justin Brown wrote:
> Hello,
> 
> I'm in a really bad situation. Basically, I've lost my passphrase, and I'm
> trying to find a way to recover it. I know what the passphrase should be
> (it's a really good 20 character passphrase), but I must have mistyped it
> when configuring cryptsetup or added some complexity which I failed to write
> down. I've tried about every combination of all the passwords and
> passphrases that I use, and I can't come up with anymore, so I'm going to
> try to build a cracker. I'd like to get some feedback before I put a lot of
> time into writing the code.
> 
> I'm going to build a brute-force cracker using libcryptsetup.

That only has a chance if you can heavily rely on known characteristics
of the passphrase. Otherwise you get something like 80 bit for a good
20 char passphrase, which takes, given that you have to go through PKBF2,
something like 10^15 years.

> I'd like it to go fast, so I plan to use posix threads to create four
> threads (I have a non-HT quad-core) that will:
>      1) increment the current passphrase
>      2) use crypt_activate_by_passphrase() to try to open the volume.
> I don't think that the the passphrase could be longer than 75 characters,
> which is still very long, so I understand how horribly long this will take.

I thought you said "20 Characters"? 75 is a bit different from that.
With 75 and the average 1.5 bit/char, you get something like like
1-^25 years.
 
> My original question was posted to the cryptsetup "issues" page about thread
> safeness. Would this pesudo-code be safe or do I need to fork()?
> crypt_init(&cd, "/dev/md1");
> crypt_load(cd, NULL, NULL);
> pthread_create(...);
>    generate_passphrase(); //Does #1 from above
>    crack(); //Does #2 from above
> 
> Will doing crypt_init and crypt_load before creating threads cause problems?
> struct crypt_device* cd is global.
> Would I be better off forking to avoid race conditions?
> 
> Is this approach my best chance to recover my data? 

This approach has no chance at all to recover your data. You can do 
something like 1 PKBF2/sec, so you need to bring the uncertainity 
in the passphrase down to something like 25 bit to finish within 
1 CPU year.

> Should I be trying to
> attack the master key instead?

Forget that as well, no chance.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Recovering/Cracking passphrase

[tesla1]

        Am Donnerstag, den 10.06.2010, 15:28 -0500 schrieb Justin Brown:
        > Hello,
        > 
        > 
        > I'm in a really bad situation. Basically, I've lost my passphrase, and
        > I'm trying to find a way to recover it. I know what the passphrase
        > should be (it's a really good 20 character passphrase), but I must
        > have mistyped it when configuring cryptsetup or added some complexity
        > which I failed to write down. I've tried about every combination of
        > all the passwords and passphrases that I use, and I can't come up with
        > anymore, so I'm going to try to build a cracker. I'd like to get some
        > feedback before I put a lot of time into writing the code. 
        
        I'm in a similar situation. Luckily, the Password is only 5 characters
        long.
        
        I try a different approach. I want to use John the ripper for cracking
        the password.
        
        Therefore I want to extract the sha1 key and salt from the luks Header.
        I don't know if this is possible somehow. Next I want to create a file
        from that data that is understood by JTR. 
        
        To test this approach I created sha1sums with sha1sum and libssl from a
        3 letter word and put them in a password file. However I wasn't able to
        crack that password, even with sha1 support compiled into JTR. I guess I
        don't have the correct information in the password file and/or it is
        wrong formatted. 
        
        Any help and suggestions on this approach is welcome!
        
        
        
-- 
GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01

Re: [dm-crypt] Recovering/Cracking passphrase

[Roscoe]

On Thu, Jul 1, 2010 at 10:34 PM,  <tesla1@gmx.net> wrote:
>        I'm in a similar situation. Luckily, the Password is only 5 characters
>        long.
>
>        I try a different approach. I want to use John the ripper for cracking
>        the password.
>
>        Therefore I want to extract the sha1 key and salt from the luks Header.
>        I don't know if this is possible somehow. Next I want to create a file
>        from that data that is understood by JTR.
>
>        To test this approach I created sha1sums with sha1sum and libssl from a
>        3 letter word and put them in a password file. However I wasn't able to
>        crack that password, even with sha1 support compiled into JTR. I guess I
>        don't have the correct information in the password file and/or it is
>        wrong formatted.
>
>        Any help and suggestions on this approach is welcome!
>

The key is derived with PBKDF2, which is a bit more involved than a
simple salted SHA-1 password hash.

You could use JTR to generate your password list (-stdout), but would
need something else to do the PBKDF2 and checking (which is involved).
You could use cryptsetup for that, either with or without modification
depending on how slow you mind it being.

80^5 is still quite a few combinations to try, especially when you
have to do at least tens of thousands of iterations for each
combination.

Do you know much about your password? Is it all lower case? or only
alphanumeric?
Any information that cuts down your search space is valuable.

-- Roscoe

Re: [dm-crypt] Recovering/Cracking passphrase

[comicinker]

Am Donnerstag, den 01.07.2010, 23:02 +1000 schrieb Roscoe:

> You could use JTR to generate your password list (-stdout), but would
> need something else to do the PBKDF2 and checking (which is involved).
> You could use cryptsetup for that, either with or without modification
> depending on how slow you mind it being.
> 
> 80^5 is still quite a few combinations to try, especially when you
> have to do at least tens of thousands of iterations for each
> combination.
> 
> Do you know much about your password? Is it all lower case? or only
> alphanumeric?

The number of characters is limited, yes. All are just lower case and
one is known.