Bruteforcing LUKS Volumes Explained

Some weeks back, we were forced to reboot one of our server machines because it stopped responding. When the machine came back up, we were greeted with a password prompt to decrypt the partition. No problem, since we always used a password combination (ok, permutation) that consisted of a few words, something along the lines of “john”, “doe”, “1954”, and the server’s serial number. Except that it didn’t work, and we forgot the permutation rules AND whether we used “john” “doe” or “jack” “daniels”.

All the search results for bruteforcing LUKS are largely the same — “use cryptsetup luksOpen --test-passphrase“. In my case, the physical server is in the server room, and I don’t want to stand in front of the rack trying to figure all this out. My question is, can I do this offline on another machine? None of those blog entries were helpful in this regard.

The LUKS Header

To answer this question, I took a look at the LUKS header. This header is what provides multiple “key slots”, allowing you to specify up to 8 passwords or key files that can decrypt the volume. cryptsetup is the standard userspace tool (and library) to manipulate and mount LUKS volumes. Since LUKS was designed based on TKS1, the TKS1 document referenced by the cryptsetup project was very helpful. After consulting the documentation & code, I came up with the following diagram that describes the LUKS key verification process:

LUKS encryption flowchart

Continue reading

Advertisements

Creating Minimal Throw-away CentOS 6 VMs

Whether you are using CentOS for a build server or simply testing out a new configuration, you can quickly create a VM (virtual machine) that is under 1GB. You can do this without downloading any special tools or ISO files — just the CentOS installation DVD and VirtualBox (or VMware if you prefer).

I like the text-based console, so you won’t be getting a GUI or fancy Linux desktop with this one. Given its small size, you could also archive the entire environment (or even several of them) for future use without having to waste gigabytes of free space. These environments also serve as a base which can be upgraded or added onto to provide more functionality later.

Continue reading

Encrypt All the Drives

I have always been an advocate on storage security (all types of security, actually). I like how iOS devices keep all files encrypted, even if you do not set a passcode on the device. They do this to facilitate quick erasure of files on the device — to erase all the data, they simply wipe the master key.

Erasing magnetic storage media isn’t difficult, but it is time-consuming. For solid state media such as SSDs and flash drives, the wear-leveling makes it difficult to ensure that all flash blocks have been securely overwritten. The answer to this is to encrypt everything.

Encrypt all the drives!! (meme)

Recently I have been busy building a Linux-based NAS and I decided to put this to practice.

Continue reading

Implementing EAP-SIM at Home

What is EAP-SIM?

EAP-SIM is one of the authentication methods that can be used in an 802.1x or WPA Enterprise network. Specifically, it relies on the user’s SIM card to process a presented challenge. This has been used by some telcos to provide WiFi service without having to maintain a separate set of credentials. However, not all phones support EAP-SIM.

Phone displaying EAP-SIM as a WiFi authentication method

Since I’m already using a RADIUS setup at home, the use of EAP-SIM will eliminate the need to install my CA certs onto each device. But of course, there is still a fair bit of work to do…

Continue reading

Hacking Functionality into ASUSWRT Routers

This weekend, I spent some time to replace my aged Linksys WRT54G wireless router, which is running DD-WRT. The WRT54G is slow by today’s wireless standards and since I sync my iOS devices wirelessly, the speed was getting quite unbearable. When I bought my Macbook Pro in 2007, it already has draft 802.11n support and fast-forward to 2012, my iPad (1st generation) and iPhone 5 both support the 5GHz band.

The ASUS RT-N56U wireless router ranks up there on wireless performance, and the “feature” I was really after was a router that can run an alternative firmware such as Tomato or DD-WRT. The really good news is, I figured out how to get the functionality I wanted while still using the official ASUS firmware.

ASUS router photo

For proper reviews and better photos, you might want to check out these other reviews:

Read on to find my short review, as well as how you can run your own programs on the router without using a third-party firmware.

Continue reading