Crack LUKS volume with Hashcat

Install hashcat

apt install hashcat

Find LUKS Volume

bob@localhost:~/$ dmesg
...
[ 1057.776074] sd 0:0:0:0: [sda] Write Protect is off
[ 1057.776074] sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
[ 1057.776593] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1057.780234]  sda: sda1
[ 1057.783346] sd 0:0:0:0: [sda] Attached SCSI removable disk
bob@localhost:~/$

From the above we see that the drive we just plugged into the system is “sda”, so our path and partition is “/dev/sda1”.

Run hashcat

The following command runs hashcat against “/dev/sda1”; change the path if the encrypted partition is different. The attack mode (-a 3) is a mask attack, and the mask used here brute-forces every combination of 8 numeric characters. Refer to the following link to learn more about mask attacks.
https://hashcat.net/wiki/doku.php?id=mask_attack

Note: You should be able to dump the header and work off of that as well.

sudo hashcat -a 3 -m 14600 /dev/sda1 ?d?d?d?d?d?d?d?d
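
The header mentioned in the note above stores each key slot's PBKDF2 iteration count, which together with passphrase length determines how costly every guess is. The following is an added example (not from the original page) that parses a LUKS1 header and flags key slots with a low iteration count; the function names, the min_iterations threshold and the sample header are assumptions constructed for this example.

```python
import struct

# LUKS1 on-disk header fields (big-endian); 8 key slots of 48 bytes follow.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob, min_iterations=100_000):
    """Return KDF-relevant header fields; min_iterations is a hypothetical
    policy threshold for this example, not a cryptsetup or hashcat value."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("need the first 592 bytes of the volume")
    (magic, version, cipher, mode, hash_spec, _payload, key_bytes,
     _digest, _salt, _digest_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError(f"LUKS version {version} uses a different layout")
    slots = []
    for i in range(8):
        active, iters, _s, _off, _stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if active == SLOT_ENABLED:  # disabled slots carry 0x0000DEAD
            slots.append({"slot": i, "iterations": iters,
                          "weak": iters < min_iterations})
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "uuid": _text(uuid), "slots": slots}


def build_sample_header():
    """Constructed sample header: two active slots, one with few iterations."""
    head = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                     bytes(20), bytes(32), 50_000,
                     b"00000000-0000-0000-0000-000000000000")
    slot0 = SLOT.pack(SLOT_ENABLED, 20_000, bytes(32), 8, 4000)
    slot1 = SLOT.pack(SLOT_ENABLED, 2_000_000, bytes(32), 512, 4000)
    dead = SLOT.pack(0x0000DEAD, 0, bytes(32), 0, 4000)
    return head + slot0 + slot1 + dead * 6


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

On a real volume, cryptsetup luksDump reports the same fields without any manual parsing.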

Create LUKS Encrypted Thumb Drive

Find the thumb drive with lsblk, dmesg, or sudo fdisk -l. In the following examples we are using /dev/sdc1; replace as needed.

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1
sudo cryptsetup luksOpen /dev/sdc1 encrypted_usb
sudo mkfs.ext4 /dev/mapper/encrypted_usb

Now we can mount the drive. We are mounting it to /mnt; change if needed.

sudo mount /dev/mapper/encrypted_usb /mnt

Or go ahead and close the channel and remove the drive.

sudo cryptsetup luksClose /dev/mapper/encrypted_usb

Command Explanation

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1

Wipe /dev/sdc1 and set the password when prompted for it.

sudo cryptsetup luksOpen /dev/sdc1 encrypted_usb

Open up a secure channel to the drive and decrypt it so we can access it.

sudo mkfs.ext4 /dev/mapper/encrypted_usb

Using the channel we created in the previous command, we can now format the drive.

sudo cryptsetup luksClose /dev/mapper/encrypted_usb

We can now close the channel for the drive and remove it.