Method for Extracting Data from LUKS Encrypted Partitions
Quick take - A recent blog post outlines a method for extracting data from LUKS encrypted partitions in Virtual Machines, detailing the steps involved in the process, including memory dumping, re-mounting disk images, and establishing network connections for data exfiltration.
Fast Facts
- A new method for extracting data from LUKS encrypted partitions in Virtual Machines (VMs) is outlined; it applies to VMs that still boot and decrypt the volume themselves, not to recovering keys from non-bootable systems.
- The process involves unmounting the disk image, booting the VM, and dumping its memory to locate AES-256 key schedules for decryption.
- After the disk image is re-mounted, specific parameters are needed to create the dm-crypt device: volume size, cipher name/mode/hash, and payload offset.
- The author emphasizes the importance of modifying the boot configuration and establishing a network connection for data exfiltration once the encrypted disk is mounted.
- The final outcome is a fully exfiltrated LUKS encrypted filesystem, which can then be reverse-engineered to crack the license key.
Method for Extracting Data from LUKS Encrypted Partitions in Virtual Machines
A new method for extracting data from LUKS encrypted partitions within Virtual Machines (VMs) has been outlined by an author in a recent blog post. The method is aimed at VMs that still boot; it is not a way to recover LUKS keys from a non-bootable system.
Decryption and Memory Dumping
The author notes that some VMs may automatically decrypt LUKS partitions, a feature that can be implemented for compliance or security purposes. They report encountering issues related to accessing LUKS encrypted partitions approximately one to two times annually. For personal projects, the author prefers using VirtualBox, which allows for mounting disk image files in read/write mode.
The extraction process begins with unmounting the disk image and booting the VM, which may take an extended period if decryption is involved. During the decryption phase, the author recommends dumping the memory of the running VM to a file. This memory dump can then be analyzed with a tool from SourceForge to locate AES-256 key schedules. The author stresses that what matters is finding a contiguous key schedule within the dump.
Re-Mounting and Boot Configuration
After re-mounting the disk image, specific parameters must be supplied to create the dm-crypt device: volume size, cipher name/mode/hash, and payload offset. The author expresses frustration with the obscure errors that often accompany full disk encryption, and suggests that automating the key recovery process through brute force methods could be beneficial.
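The cipher name, cipher mode, hash and payload offset listed above are not secret: in LUKS1 they sit in plaintext in the on-disk header, which is what `cryptsetup luksDump` reads. The parser below is an added example, not code from the original post; it reads those fields from a constructed LUKS1 header and runs a few defender-side checks (weak hash, short key, low iteration count) whose thresholds are this example's own assumptions.

```python
import struct
from dataclasses import dataclass

LUKS1_MAGIC = b"LUKS\xba\xbe"
HEADER_LEN = 592               # LUKS1 phdr: 208 bytes of fixed fields + 8 key slots * 48 bytes
LUKS_KEY_ENABLED = 0x00AC71F3  # key-slot "active" marker; 0x0000DEAD means disabled

@dataclass
class Luks1Header:
    cipher_name: str            # e.g. "aes"
    cipher_mode: str            # e.g. "xts-plain64"
    hash_spec: str              # PBKDF2 hash, e.g. "sha256"
    payload_offset: int         # start of encrypted data, in 512-byte sectors
    key_bytes: int              # master key length (64 bytes = AES-256 in XTS mode)
    active_slots: list          # (slot index, PBKDF2 iteration count) for enabled slots

    def audit(self) -> list:
        """Defender-side checks; the thresholds are this example's own assumptions, not LUKS rules."""
        findings = []
        if self.hash_spec in ("sha1", "ripemd160"):
            findings.append(f"weak PBKDF2 hash {self.hash_spec}")
        if self.key_bytes < 32:
            findings.append(f"master key only {self.key_bytes * 8} bits")
        findings += [f"slot {i}: low iteration count {n}" for i, n in self.active_slots if n < 100000]
        return findings

def parse_luks1_header(raw: bytes) -> Luks1Header:
    """Parse the on-disk LUKS1 header; all multi-byte integers are big-endian."""
    if len(raw) < HEADER_LEN or raw[:6] != LUKS1_MAGIC or raw[6:8] != b"\x00\x01":
        raise ValueError("not a LUKS1 header")
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii")   # NUL-padded ASCII field
    cipher_name, cipher_mode, hash_spec = cstr(raw[8:40]), cstr(raw[40:72]), cstr(raw[72:104])
    payload_offset, key_bytes = struct.unpack(">II", raw[104:112])
    # bytes 112..208 hold the master-key digest, its salt and iterations, and the UUID; slots start at 208
    slots = []
    for i in range(8):
        active, iterations = struct.unpack(">II", raw[208 + i * 48:216 + i * 48])
        if active == LUKS_KEY_ENABLED:
            slots.append((i, iterations))
    return Luks1Header(cipher_name, cipher_mode, hash_spec, payload_offset, key_bytes, slots)

def build_sample_header() -> bytes:
    """Constructed sample header (not from any real disk): aes-xts-plain64, sha256, payload at sector 4096."""
    h = bytearray(HEADER_LEN)
    h[0:6] = LUKS1_MAGIC
    struct.pack_into(">H32s32s32sII", h, 6, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64)
    struct.pack_into(">II", h, 208, LUKS_KEY_ENABLED, 1000)   # slot 0 enabled, deliberately low iterations
    struct.pack_into(">II", h, 256, 0x0000DEAD, 0)            # slot 1 disabled
    return bytes(h)
```

On a real volume the header is the first 592 bytes of the partition; the payload offset in sectors times 512 gives the byte offset at which the encrypted data starts.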
In instances where the VM boots into a restricted shell, the author advises checking the boot order and kernel parameters to regain control. The process of re-mounting the VMDK disk image is described in detail. The GRUB configuration may need to be modified so that the VM boots into a shell instead of the default kernel. Booting the VM may then land in a BusyBox shell, which provides only a basic command line interface.
The author highlights the importance of triggering the part of the boot process responsible for mounting and decrypting the volume. A specific binary located in the root of the filesystem is identified as crucial for this operation.
Data Exfiltration
Upon successfully mounting the encrypted disk, the author discusses establishing a network connection to facilitate data exfiltration. This can be achieved using init scripts that allow the VM to obtain a DHCP lease. Once networking is in place, the author can utilize common tools for data exfiltration.
One suggested method for data exfiltration involves setting up a listener on a target machine. The directory from which to export data on the VM must be specified. Ultimately, this detailed process results in a fully exfiltrated LUKS encrypted filesystem. The author indicates that this filesystem can be reverse-engineered to crack the license key.