Anyone have any experience with Hashcat? I forgot a LUKS password

Pretty much the title, this has consumed basically all of my free time the last week. I’m to the point now where it’s getting difficult to find answers on Google, and thought maybe someone here has used hashcat before.

I used cryptsetup luksDump on the volume,

luksdump

based on that hashcat -m 29521 for LUKS v1 SHA-256 + AES should work.

Then I used dd if=/dev/sdb3 of=header.luks bs=512 count=4079

Which I used in hashcat -m 29521 -a 0 header.luks list.txt

Which returns:

Hashfile 'header.luks' on line 1 (LUKS║╛): Separator unmatched

For 19 lines then finally

Hashfile 'header.luks' on line 20 (J¿╬``≥▼‼*╗2Y%=&&): Token length exception

And basically repeats all the way down to line 8088, before finishing with

Token length exception: 541/541 hashes

This error happens if the wrong hash type is specified, if the hashes are

malformed, or if input is otherwise not as expected (for example, if the

--username option is used but no username is present)

No hashes loaded.

I appreciate any help and will happily answer any questions I can.

I have used hashcat in the past, but not specifically with LUKS.

The “line 1” error looks like the LUKS magic number parsed as text, so I think HC is probably expecting a text file full of hashes rather than the entire header (this is how other hashcat modules I’ve used have operated as well).

I notice there is a script called “luks2hashcat.py” in the hashcat tools directory, maybe try running that against the header file and see if it dumps out just the hashes.

EDIT:

Also, it’s probably a typo, but your dd command has 4079 instead of 4097.

You can download an example of what hashcat expects as input for each mode here: example_hashes [hashcat wiki]

2 Likes
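
An added example, not written by any poster here or by the hashcat project: a minimal reader for the binary LUKS1 header, showing the fields luksDump reports and why the file begins with magic bytes rather than a text hash line. The sample header, the THREAD_MODES table and the dd_count rule are constructed assumptions.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208-byte LUKS1 header, big-endian
SLOT = struct.Struct(">II32sII")                   # 8 key slots of 48 bytes follow
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
THREAD_MODES = {("sha256", "aes"): 29521}          # only the pairing named in the thread

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(blob):
    """Decode the fields `cryptsetup luksDump` prints from a raw LUKS1 header."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated: a LUKS1 header is 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _mk_digest, _mk_salt, _mk_iter, uuid) = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header (wrong magic or version)")
    slots = []
    for i in range(8):
        state, iters, _salt, km_off, stripes = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)
        if state == SLOT_ACTIVE:
            slots.append({"slot": i, "iterations": iters, "km_offset": km_off, "stripes": stripes})
    info = {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
            "payload_offset": payload, "key_bytes": key_bytes, "uuid": _text(uuid),
            "active_slots": slots}
    info["hashcat_mode"] = THREAD_MODES.get((info["hash"], info["cipher"]))
    # Assumption: a dd capture should reach the first payload sector (512-byte sectors).
    info["dd_count"] = payload + 1
    return info

def build_sample_header():
    """Constructed header for the demo; salts and digest are zero filler, not real data."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 100000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ACTIVE if i == 0 else SLOT_DISABLED
        hdr += SLOT.pack(state, 2000000 if i == 0 else 0, bytes(32), 8 + i * 504, 4000)
    return hdr

if __name__ == "__main__":
    sample = build_sample_header()
    print(parse_luks1(sample))
    # The file is binary, so a line-oriented hash reader sees the magic as "line 1".
    print(sample[:6], "is the LUKS magic, not a hash line")
```
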

You can also use Luks2John.py from John the Ripper (Jumbo) to get the needed hash.

luks2john.py /dev/sdb3 > sdb3.john
2 Likes

This worked!
I ended up pointing it at the container itself rather than the header, but it spit out a hash that hashcat liked. Currently running the dictionary attack.

I tried this too just for the sake of trying it and it gave me this.
luks2john

1 Like