Crack LUKS volume with Hashcat

Install hashcat

apt install hashcat

Find LUKS Volume

bob@localhost:~/$ dmesg
...
[ 1057.776074] sd 0:0:0:0: [sda] Write Protect is off
[ 1057.776074] sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
[ 1057.776593] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1057.780234]  sda: sda1
[ 1057.783346] sd 0:0:0:0: [sda] Attached SCSI removable disk
bob@localhost:~/$

From the above we see that the drive we just pluGged into the system is “sda” so our path and partition is “/dev/sda1”

Run hashcat

The following command will run hashcat against “/dev/sda1”, change if the encrypted partition is different. Mode is to brute force every 8 numeric character combination. Refer to the following link to learn more about mask attacks.
https://hashcat.net/wiki/doku.php?id=mask_attack

Note: You should be able to dump the header and work off of that as well.

sudo hashcat -a 3 -m 14600 /dev/sda1 ?d?d?d?d?d?d?d?d

Create LUKS Encrypted Thumb Drive

Find the thumb drive with lsblk, dmesg, or sudo fdisk -l. In the following examples we are using /dev/sdc1, replace as needed.

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1
sudo cryptsetup luksOpen /dev/sdc1 encrypted_usb
sudo mkfs.ext4 /dev/mapper/encrypted_usb

Now we can mount the drive. We are mounting it to /mnt change if needed.

sudo mount /dev/mapper/encrypted_usb /mnt

Or go ahead and close the channel and remove the drive

sudo cryptsetup luksClose /dev/mapper/encrypted_usb

Command Explanation

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1

Wipe /dev/sdc1 and set the password when prompted for it.

sudo cryptsetup luksOpen /dev/sdc1 encrypted_usb

Open up a secure channel to the drive, and decrypt it so we can access it

sudo mkfs.ext4 /dev/mapper/encrypted_usb

Using the channel we created in the previous command, we can now format the drive.

sudo cryptsetup luksClose /dev/mapper/encrypted_usb

We can now close the channel for the drive and remove it.

Extract encrypted Signal backup

https://github.com/xeals/signal-back
More information at the above link

Installation of precompiled binary for Signal-Back

wget https://github.com/xeals/signal-back/releases/download/v0.1.7-alpha.2/signal-back_linux_amd64
chmod +x signal-back_linux_amd64
./signal-back_linux_amd64

Help info

Usage: signal-back_linux_amd64 COMMAND [OPTION…] BACKUPFILE
   --help, -h     show help
   --version, -v  print the version
 Commands: 
   format   Read and format the backup file
   analyse  Information about the backup file
   extract  Retrieve attachments from the backup
   check    Verify that a backup is readable
   help     Shows a list of commands or help for one command

Extract attachments from backup

Replace ~/Desktop/signal…backup with the path to your Signal backup.

./signal-back_linux_amd64 extract ~/Desktop/signal-2019-09-30-01-43-21.backup

It’ll ask for the password and then start pulling out the attachments and putting them in the current directory.

Export messages to CSV file

Default option is XML. CSV will let you open it up in Excel.

./signal-back_linux_amd64 format -f CSV --output signal-output.csv ~/Desktop/signal-2019-09-30-01-43-21.backup

Specify password to use

You can use the -p option to specify the password. It does not matter if there are spaces every 5 numbers or not. Also the -P option is suppose to let you use a file.

./signal-back_linux_amd64 extract -p "48294 55709 09123 94563 74662 12800" ~/Desktop/signal-2019-09-30-01-43-21.backup

Other help options

bob@localhost:~/Downloads/signal-back$ ./signal-back_linux_amd64 help
 Usage: signal-back_linux_amd64 COMMAND [OPTION…] BACKUPFILE
 --help, -h     show help
   --version, -v  print the version
 Commands:
   format   Read and format the backup file
   analyse  Information about the backup file
   extract  Retrieve attachments from the backup
   check    Verify that a backup is readable
   help     Shows a list of commands or help for one command
bob@localhost:~/Downloads/signal-back$ ./signal-back_linux_amd64 help format
 Usage: signal-back_linux_amd64 format [OPTION…] BACKUPFILE
 Parse and transform the backup file into other formats.
 Valid formats include: CSV, XML, RAW.
 --format FORMAT, -f FORMAT  output the backup as FORMAT (default: "xml")
   --message TYPE, -m TYPE     format TYPE messages (default: "sms")
   --output FILE, -o FILE      write decrypted format to FILE
   --password PASS, -p PASS    use PASS as password for backup file
   --pwdfile FILE, -P FILE     read password from FILE
   --verbose, -v               enable verbose logging output
bob@localhost:~/Downloads/signal-back$ ./signal-back_linux_amd64 help extract
 Usage: signal-back_linux_amd64 extract [OPTION…] BACKUPFILE
 Decrypt files embedded in the backup.
 --outdir DIRECTORY, -o DIRECTORY  output attachments to DIRECTORY
   --password PASS, -p PASS          use PASS as password for backup file
   --pwdfile FILE, -P FILE           read password from FILE
   --verbose, -v                     enable verbose logging output
bob@localhost:~/Downloads/signal-back$ 

Convert Kismet NetXML capture to CSV

First download the following python script which we’ll use to convert the Kismet NetXML file.

https://github.com/MichaelCaraccio/NetXML-to-CSV

wget https://raw.githubusercontent.com/MichaelCaraccio/NetXML-to-CSV/master/main.py

You should now be able to run the script with.

python main.py 

Help output for NetXML to CSV

bob@localhost:~$ python main.py  
Usage: main.py <NetXML File> <oUTPUT File Name> <Filter> (Filter is optional)
bob@localhost:~$

Usage

python main.py Kismet-file-input.netxml Kismet-csv-output.csv

Example of converting file.

bob@localhost:~$ python main.py Kismet-20191023-12-50-42.netxml Kismet-20191023-12-50-42.csv

You can now import the csv into Google Earth.

OpenVas set password for user

After installing OpenVAS you may need to setup a user. Running the following command will create the user admin and will print the password for the user below.

openvasmd --create-user admin

Example output.

User created with password 'b4539967-c521-fe41-d255-aeb53e735h9a'.

If needed you can delete a user with the following command

openvasmd --delete-user=USERNAME

Secure Erase Hard Drive using DD

The following commands are dangerous! Proceed with caution!

Change /dev/sdX to your drive. Make sure you get the correct drive, or you could wipe you main system.

dd if=/dev/zero of=/dev/sdX bs=1M status=progress

The status=progress part shows how much dd has writen. Helpful to gauge how far along it is.

If you want a more secure way to erase the drive, change zero to random. Makes it slower, but should be more secure.

dd if=/dev/random of=/dev/sdX bs=1M status=progres

Side note, these commands should work in macOS, but you may need to drop the status=progress option.