cracking an encrypted hard drive

[b3r00tb4ck]

im having a little trouble with this "challenge" my buddy gave me, he uses red hat (2.6 kernel) and the whole hard drive is encrypted except /boot/, which i could find out with backtrack by opening up the hard drive.. my question is what are the steps one would go through to get root on this machine, or some kind of trick to decrypt the hard drive, and view its files...total noob here on encryption but i thought i could find an experienced user here in the specialist section

[Barry]

Do you know what kind of encryption he's using? Sounds like luks, but could be something else. Most likely you're SOL.

[lakiw]

Step 1: Install a keystroke logger
Step 2: Wait for you friend to log on
Step 3: Profit

Full hard drive encryption is tough to deal with. Technically it is also vulnerable to password cracking attacks, but most encryption packages make it very expensive, (time consuming), to make a guess, and there just aren't many good tools out there to even try simple password guesses.

[b3r00tb4ck]

thats what i was thinking, when you guess passwords at the login screen, it takes about 5 seconds, so brute forcing would be time consuming even i could get a dictionary to automatically be typed in...

what im going toward is fighting the boot loader, he uses grub, and i can freely edit the grub config file, so would there be some kind of argument that gets me a shell right at boot time?

[Barry]

thats what i was thinking, when you guess passwords at the login screen, it takes about 5 seconds, so brute forcing would be time consuming even i could get a dictionary to automatically be typed in...

what im going toward is fighting the boot loader, he uses grub, and i can freely edit the grub config file, so would there be some kind of argument that gets me a shell right at boot time?

You'll get the grub shell, but that's not going to help you. The way the system works is the /boot partition is formatted ext3 or 4. The / partition is an encrypted container, which inside that container is a normally formatted system. Unless you know the encryption key, you're not going to see anything in there. The only thing in /boot is the kernel and the boot loader.

[Thorn]

If he's using Truecrypt, you can use Evil Maid. It hooks the Trucrypt function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function.

Game. Set. Match

[b3r00tb4ck]

i'm just gonna say SOLVED, i gave it back lol no use starting out with entire hard drive encryption if i'm gonna learn cryptography

thanks for the help!

[hhmatt]

If your interested in cryptography might I suggest Bruce Schneier's Applied Cryptography.

[floyd]

thats what i was thinking, when you guess passwords at the login screen, it takes about 5 seconds, so brute forcing would be time consuming even i could get a dictionary to automatically be typed in...

what im going toward is fighting the boot loader, he uses grub, and i can freely edit the grub config file, so would there be some kind of argument that gets me a shell right at boot time?

start a live cd and you will have the same access to the encrypted drive.

Or you could just install coreboot with Grub Invaders and tell him that you wiped his hard disc . No, just kidding, don't mess with his bios

[Archangel-Amael]

If your interested in cryptography might I suggest Bruce Schneier's Applied Cryptography.

Excellent book indeed.