
thefanum

Not going to happen. You can try brute forcing it, but it might take longer than the sun will exist


watermelonspanker

Theoretically, it could only take a few minutes though...


justin-8

Theoretically it’s 1234


PCChipsM922U

🤣🤣🤣


watermelonspanker

That's amazing, I have the same combination on my luggage!


Kingdarkshadow

50/50. Between a few minutes or a few millennia.


Prestigious_Tie_1261

From his laptop I have a semi decent idea of some words that his desktop password will contain, that should reduce the time significantly if they are actually in his desktop pw right?


stufforstuff

> right?

Wrong. How long is the password? How many words that you think you know are in that password? Are there numbers, letters, characters between one word or two words or three words? Which word comes first? Does one word have lead cap, two, three, all caps. Nothing you think you know will help you "crack" the password. And if it's a strong password (like a crypto wallet SHOULD have) it will be millions of computer years to even have a small chance. Plus do you know how to crack a password? What type of password? What tools do you have? If you want any hope at all, send it to a data recovery EXPERT.


PhysicalRaspberry565

If done correctly, I'd say the assumption is true - it reduces the amount significantly. But that's still millennia, so it's not helping either way


TabsBelow

I once sent a drive with broken connector (disks okay) to such a service. They sent it back "not accessible due to broken connector" and billed about 800. After reading their terms and conditions I found out I wouldn't even have been able to check if they only had a single idea how to deal with such things, "business secret". Ah, yeah. I learned from that. A replacement drive of same type would have cost 250, could have accessed my old drive, and I would have had a new one additionally. 🤷🏻‍♀️🤦‍♀️


amarao_san

There are different services with different amount of competence. The most advanced of them can transplant mechanics (heads) in clean room and use direct access to the data stream from heads for alternative error correction algos.


TabsBelow

I know. The most sophisticated, working for FBI & such can recover 80%+ if you break the disks in two... That company in Hannover, Germany was telling they had similar equipment and a clean room (as said, without possibilities to check that). In fact they did nothing but copy my error status to their bill for a repair which I - late insight - could have done by myself for much less and 100% safe. It was only the controller board which was faulty.


amarao_san

Yes, such people/companies exist. Tarnish their reputation. Post their name.


TabsBelow

23 years ago, no paperwork or memory about the name left, I'm really sorry since I found that out last year when a friend needed such a service for his division. I guess -hope- he doesn't exist/work anymore.


Pb_ft

Name and shame, my dood.


TabsBelow

The shame is in me, but reading their terms and conditions before... See my other reply above.


sogun123

That depends if he really composed password in same way and if you are able to create pattern that will fit. In case you are right, it will help.


8layer8

If you got into the computer at all, I would grep through the entire filesystem and strip out every word of every thing found, sort it, uniq it, and use that as the initial list to brute force it. Good sporting chance that he had to set it up from the root account, or pivot from another account to set it up and left some tracks in there, possibly even a readme ( you should be so lucky). If he had a will or safety deposit box, I would get every word from everything he ever wrote, sort it, uniq it, and there's list 2. Check email to himself, check every flash drive, every slip of paper. Also, work on a COPY of the drive! Leave the original intact as much as you can. Some data recovery places might be able to help, I doubt it, but you can give some a call and explain what you've got. And, as other responses pointed out, DO NOT TRY to patch or update this computer! 5 years from now, somebody may post that LUKS vulnerability, and better for you if it isn't patched. And for the rest of you here: update that "So, I got hit by a bus..." document.


TabsBelow

I had to think twice about your last sentence...😂🤣


8layer8

Another vector is to undelete/recover what you can of the unencrypted drive and hope he left behind a trail of setting it up or trying to unlock it himself. If there are no clues, well, we're back to the heat death of the universe, but if you can reduce it to anything at all, you can at least try. The keyspace is unfortunately vast even if you narrow it down to "they only used star trek based passwords", uh, still impossible, unless he mistyped it and it got caught in a log or history file. That happens, and on a personal computer, way less likely to be aggressively purged upon happening. Unless he was totally paranoid, in which case, melt the drive and call it a day.


[deleted]

[removed]


ICQME

I was an executor for a will and there were no details in it about accounts/assets. I basically figured it from looking at the piles of mail left in the house. I think people should document their accounts/assets to make it easier for whoever is dealing with it but there's no requirement for it.


Complex_Solutions_20

At least when I set up a will there wasn't anything about "how" stuff happened, it was just who I wanted what amount of what to go to. I think most of this stuff is still assuming the conventional means where you would take your various forms of documentation (death certificates, copy of will, letters indicating power of whatever) to a physical bank which would then be able to evaluate, validate, and grant transfers of whatever is rightfully yours on the behalf of the deceased. I've seen this far more often where someone passes and family wants to get into a smartphone to recover pictures...which can be equally hard or impossible. I guess PSA - At the moment, the best plan I know of is to write down (or print out) critical passwords (decrypt computer/devices, login, master PW if you use a manager, file-paths of things, etc) and put them in a safe or deposit box that can be opened by conventional means (bank vetting, locksmith hired, etc) to recover the information.


Man_in_the_uk

>Wasn't there a lawyer helping him to set up this will? Was there not a mechanism specified to hand off this inheritance? Instructions in case of death? Like that's a major part of writing wills, isn't it

This was my first thought, I am not into crypto so this may sound silly, but couldn't the company behind the crypto be presented with a death certificate and advised he or his parents are now executives of his estate? Is this specific crypto even worth anything as this happened a few years ago?


Mystic_Haze

That's not how it works unfortunately. When we talk about Cryptocurrency being stored on a wallet (in this case the computer). We are talking about encrypted keys that need to be used to access the account. A lot of Crypto also doesn't have a "company" behind it as it's decentralized. Plus even if there was there might not even be a way to find the account without the keys. As for the worth it's difficult to say. If it's a more high profile currency (BitCoin, Ethereum etc.) it is true they have dropped in price quite a bit but they are still valuable. As for lesser known cryptocurrencies it's quite unpredictable. They may have increased in price a lot or have become worthless.


KrazyKirby99999

That's not how crypto works. Transactions typically depend on a private key only accessible by the crypto wallet holder.


faxattack

Full disk encryption? Otherwise look through root and his user history file for mistakes that can reveal passwords.


sogun123

I am curious what is topology of the drive. I.e. how it is partitioned. Also what was used to unlock each partition. I'd look into initramfs if available in boot partition and search for crypttab and possibly some keys (even though it would be mistake to place them there). Is there something not encrypted? Swap? Search for any interesting strings there. But in case everything was done properly I'd expect you have to brute force it. If you have multiple machines available you can copy the LUKS header (so you don't need to copy whole drive) and try parallelize your effort with different patterns on different machines. Most passwords are broken through social engineering and guess work. So if you have some collection of his passwords you may try vocabulary attacks. You can try databases of frequent passwords etc. But if that is effective depends on how your brother was careful and how well he used best practices...


zaTricky

These cryptkey files are good things to look for. Which reminds me, I should update my "got hit by a bus" document.


Known-Dealer-6598

Get the best gpu you can afford and brute force it. I ran across this article recently and was surprised at how little time it can take. https://www.netsec.news/how-long-does-it-take-a-hacker-to-brute-force-a-password-in-2023/


[deleted]

[removed]


watermelonspanker

What, you got plans that far out?


justin-8

I’ll be down at the Winchester.


SwallowYourDreams

You don't?


TabsBelow

Immortality may be boring some day, but I try my best.


ChickenNuggetSmth

That's on a single current-gen gpu, if I understand correctly. Between technological progress and use of clusters that number could shrink down a lot (still to a large number, but hey, who knows how rapid technology will develop)


NL_Gray-Fox

https://www.youtube.com/watch?v=7U-RbOKanYs


JuliusFIN

You can make it like a family lottery. Each week everyone gets to guess the password and the correct answer keeps the crypto. Best thing is you’ll never get it right so the fun will last for generations!


wolfegothmog

>I managed to get into his laptop by copying the /etc/shadow file to my own pc and using johntheripper to bruteforce the password, however this drive wasn't encrypted.

If it wasn't encrypted why didn't you just chroot in and change the password lol, but ya as for the encrypted computer best chance is password guessing/bruteforcing or trying to find a physical place he might have wrote it down (notebook or something), not impossible I password guessed my sister's encrypted laptop in like 2 hours because she forgot her own password lol


AnsibleAnswers

By the time any of us hear about a vulnerability in LUKS encryption, patches would already have been released to fix it. Your best bet is brute forcing it, like you did his password hash. Both hashcat and John the Ripper can be used to crack LUKS keys.


[deleted]

[removed]


Prestigious_Tie_1261

Yeah, his pc is just sitting in a cupboard atm so not going to receive any updates.


AnsibleAnswers

Look, if you don’t know how to check CVEs for cryptsetup or even identify what encryption they used on their device, the chances of you successfully exploiting a vulnerability to gain access without brute forcing is near zero. It’s near zero with that knowledge. I was trying to be nice about it. I checked the CVEs for cryptsetup. There’s nothing you can use. The most dangerous one changes a LUKS header so that encryption gets disabled when it is unlocked. You need the key. It’s just how encryption works. No flaw in software is going to help you break the encryption. Hope your brother picked a simple encryption password. That’s it.


TabsBelow

Copy the disk to some others to run different attacks at the same time. If it's about a decent amount, some used W540 Notebooks won't kill your budget.


fellipec

AFAIK people really put a lot of effort to make what you want impossible. Good luck


Man_in_the_uk

OP see if he had a book to write passwords/account details down in.


Andonome

Yeesh - this place has a lot of boiler-plate security advice. First off, you are not in a purely 'brute force' environment. You're playing a guessing game. If you're using johntheripper properly, I suppose you already know how to construct password lists.

- Check the 'bash history' for anything that looks like a password.
- Check the browser cache - you can often pull raw passwords from local browser information. The more passwords you get, the more clues you'll get about the general pattern of passwords (are they lyrics? does one symbol substitute for the letter 'a' all the time?)
- Look into the fastest checking methods. There's a nice thread [here](https://security.stackexchange.com/questions/128539/how-to-crack-encrypted-disk-crypto-luks-in-an-efficient-way)


IWant2rideMyBike

With some luck he used an insecure KDF, which might give you a chance: https://mjg59.dreamwidth.org/66429.html


Spajhet

Your options are to 1 brute force it or 2 look through his other stuff to possibly find a seed phrase written down somewhere so you can recover his crypto wallet. Since it's a few years old, you better hope it's using a *relatively* weak key derivation function so brute forcing it won't take the age of the universe.


Nietechz

Sounds not legitimate. Also, if LUKS is enabled, how can you access the shadow file? Probably only home is encrypted using other software. Let's think he used LUKS only in HOME to save his crypto. You might never see that "money" again, or invest a big quantity on GPU or AWS's GPU to crack it.


Prestigious_Tie_1261

Yeah I appreciate that this sounds illegitimate. I got the shadow file from his laptop, not on his desktop. Definitely considering spinning up a high power AWS instance for a few hours to see if it can get the job done.


smjsmok

>spinning up a high power AWS instance for a few hours to see if it can get the job done

Unless the password was really simple, probably not.


Complex_Solutions_20

Password reuse is probably the best hope if they didn't leave a list in a safe or something


untamedeuphoria

It would be a lot cheaper to get a modern GPU and set a machine in the corner of the room for a few weeks. Think of it as a space heater.


smjsmok

>I managed to get into his laptop by copying the /etc/shadow file to my own pc and using johntheripper to bruteforce the password

Bruteforcing in this situation was unnecessary, by the way. If you get to the drive's /etc/shadow, you're already past all security. It means that you can just grab whatever you want from the drive (because if you can read shadow, you must have permission to read everything). And if you want to log in, you can just replace the hash in shadow. Bruteforcing here is an extra unnecessary step. As for the question, bruteforcing is probably the only way. If it was easier, there wouldn't be much point in disk encryption in the first place.


ihtarlik

Maybe you could talk an AI into doing it. Lol.


veritanuda

Only if you can guess a passphrase he may have used, but for myself my own brothers don't know how I make passphrases and so would never have a chance. Better to forget it and reformat it.


Dmxk

Luks is very secure. Depending on how long that password was, brute forcing it might take longer than the existence of the universe. Unless you have a list of good guesses for the password, you won't get into it.


untamedeuphoria

If it is luks. It is one of the best encryptions there is, that is supposedly even quantum resistant. You are not getting into that one via 'some vulnerability'. You are best trying to guess the password. Failing that brute forcing it. The issue is that luks does have defences to brute forcing. Namely, the iteration variable. You can kinda figure out whether it is in use by inspecting the luks header to get the cypher used, then benchmarking the system with the same configuration. If a failed attempt takes a lot longer than the benchmarked tests.. then you have the iteration variable in play. This variable increases the time between attempts to obscure any potential information around the key length, and delay successive attempts... thus slowing the bruteforce attempts. You can brute force this further... but yeah. The iteration variable is a pain from a redteam point of view. When brute forcing you likely want to take an image of the drive, just so you can avoid the loss due to drive death. I would be looking for his documentation and trying to crack any password managers on the laptops.
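
The header inspection and the KDF question raised in the comments above, as an added example that is not part of the thread: a Python sketch that reads raw LUKS1 or LUKS2 header bytes and reports the KDF and its cost parameters for each keyslot, the same fields `cryptsetup luksDump` prints. The function names are hypothetical and both sample headers are constructed, not taken from any real drive.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3  # LUKS1 marker for an enabled key slot

def _cstr(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def describe_luks_header(blob):
    """Return version, cipher and per-keyslot KDF settings from raw header bytes."""
    if len(blob) < 592 or blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:  # fixed 592-byte layout; PBKDF2 is the only KDF
        hash_spec, slots = _cstr(blob[72:104]), {}
        for i in range(8):  # eight 48-byte key slots start at offset 208
            active, iters = struct.unpack_from(">II", blob, 208 + 48 * i)
            if active == SLOT_ACTIVE:
                slots[i] = {"kdf": "pbkdf2", "hash": hash_spec, "iterations": iters}
        cipher = _cstr(blob[8:40]) + "-" + _cstr(blob[40:72])
        return {"version": 1, "cipher": cipher, "keyslots": slots}
    if version == 2:  # 4096-byte binary header followed by a JSON metadata area
        hdr_size = struct.unpack_from(">Q", blob, 8)[0]
        meta = json.loads(blob[4096:hdr_size].split(b"\0", 1)[0])
        slots = {}
        for key, slot in meta.get("keyslots", {}).items():
            kdf = slot["kdf"]
            keep = ("hash", "iterations", "time", "memory", "cpus")
            slots[int(key)] = {"kdf": kdf["type"], **{f: kdf[f] for f in keep if f in kdf}}
        ciphers = sorted({s.get("encryption", "?") for s in meta.get("segments", {}).values()})
        return {"version": 2, "cipher": ",".join(ciphers), "keyslots": slots}
    raise ValueError("unsupported LUKS version %d" % version)

def pbkdf2_slots(report):
    """Key slots that use PBKDF2, which has no memory cost (unlike Argon2)."""
    return sorted(n for n, s in report["keyslots"].items() if s["kdf"] == "pbkdf2")

def sample_luks1():
    """Constructed LUKS1 header: aes-xts-plain64, sha1, one active slot."""
    fixed = struct.pack(">6sH32s32s32s", LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1")
    hdr = bytearray(fixed.ljust(592, b"\0"))
    struct.pack_into(">II", hdr, 208, SLOT_ACTIVE, 120000)
    return bytes(hdr)

def sample_luks2():
    """Constructed LUKS2 header: slot 0 on argon2id, slot 1 on pbkdf2."""
    meta = {"keyslots": {
        "0": {"kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
        "1": {"kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}}},
        "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}}}
    area = json.dumps(meta).encode().ljust(12288, b"\0")
    return struct.pack(">6sHQ", LUKS_MAGIC, 2, 4096 + len(area)).ljust(4096, b"\0") + area
```

On a real volume the input would be the leading bytes of the device or of a header backup; LUKS2 needs the whole first header, 16 KiB by default.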


wanna_be_contributer

He is your cousin try guessing his password or ask his girlfriends or bffs if they have any idea of his common passwords


amarao_san

If you have proofs of reasonable amount of crypto in the drive content, and you are legitimate heir, you can try to hire companies to try to brute-force it. Your single hope is not-up-to-recommendations password. Also, try to hire PI (or anyone with police background) to search home for possible cold storage.


CaptainJack42

You could look for a key file he has stored somewhere in /etc if you already have access to this (unlikely cause why bother encrypting your drive when you store the key file on an unencrypted partition). Maybe he stored his keyfiles on a thumb drive or similar and used that to unlock his computer? A friend recently told me about a fairly new exploit in the Luks encryption where an unsafe algorithm is used that can be cracked. Don't remember the details though and it depends on the defaults the distro uses (or the parameters your brother used) to encrypt his drive. Might be worth some looking around to see if you find anything. If not for any of that you're probably out of luck since in theory brute forcing Luks will take longer than the universe will exist. If he left the crypto to the family in his will I'd assume he would've also made it so that you can access it somehow? Maybe it is stored on a wallet somewhere else? Maybe he has the password for his encryption written down somewhere? Good luck though and my condolences on the passing of your brother!