INTRO
If I remember correctly, last time, when we hit the topic of Encfs, we were talking about how we can encrypt multiple files at the same time. we encrypted multiple files with Encfs tool which worked very well. and we saw that one can’t even read the titles of encrypted files. it shows how secure your files are. But is it that secure for real? we tried to be sure about it by inputting the wrong password to decrypt files. And it worked very well. but what if we try to input password until we hit the right password. yes, a brute-force attack. because we don’t have any restriction. we are allowed to enter password many times.
Today, that’s what we are going to do. we are going to perform a brute-force attack on Encfs encrypted files. well, not on files but you know what I am talking about. but before reading this article further, you will have to know about Encfs tool. if you have no idea what I am going to do here, you should take a look at my previous post on Encfs. I have described everything about Encfs which will clear your concept.
ATTACK
Now, to crack Encfs encryption, we need some Encfs encrypted files. I have described how can you encrypt files with Encfs in my previous article. but let’s just do it together.
First of all, install Encfs with this command:
apt install encfs
Screenshot:
Your output must be different if you haven’t installed it already.
After installation, make two directories. you can name them whatever you want. let’s say call them “.encrypted and “.decrypted”. note that I have used “.” before the dir name because I want to hide it.
you can use this command to create both directories:
mkdir ~/.encrypted ~/.decrypted
now, run Encfs on these directories. but always specify the Path from / in Encfs. Type this command:
encfs ~/.encrypted ~/.decrypted
Screenshot:
Type “p” press enter. and now it should ask you for a password. well, provide it one.
Screenshot:
Now you can move your files or directories into .decrytped dir. then you can unmount it. and that’s how you can encrypt those files and dirs.
But we need to decrypt it, right? so, let’s take a look at .encrypted file again. open a terminal there and look for hidden files:
cd ~/.encypted && ls -la
Screenshot:
and that looks interesting. we have and hidden XML file. it seems that the user never supposes to find it because it was hidden. type this command to see what does it have:
cat .encfs.xml
Now, we will use a very famous tool John The Ripper to get the real password from this file. but first, we will need to change it into hashes so that John may able to understand it. To do so, we have a python script. you can download it with this command:
wget https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/encfs2john.py
Now type this command to extract hashes:
python encfs2john.py ~/.encrypted
Screenshot:
Remember to specify encrypted dir where we have .encfs.xml file.
pipe the output to some file or save it in some file. and Type this command:
john --wordlist=/usr/share/wordlists/rockyou.txt pass_hash
Screenshot:
the --wordlist flag is to specify wordlist and pass_hash is the hash output of the previous command. you can use you won custom wordlist. this can take your whole to decrypt if the password is too complex but this is the only way that I know of.
Thanks For Visiting.
This would only work for weak passwords