Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

Drive Badger is able to automatically detect and decrypt LUKS-encrypted partitions, but only using passwords (which is the most popular method anyway). It doesn't support keyfiles.

How to provide decryption keys?

See keys-luks-demo repository. It contains a sample luks.keys file.

You can configure multiple such repositories - each such repository should:

  • be cloned to /opt/drivebadger/config/keys-luks-yourchosenname local directory on your Drive Badger persistent partition
  • contain luks.keys file with proper contents (see below)

Local directory doesn't need to contain .git subdirectory, in fact it can be just "floating" directory (created by hand or script, without repository). However if it does, then you can update it automatically using /opt/drivebadger/update.sh (in just 1 step for all repositories).

Do you have more information about these keys?

If you have decryption keys associated (directly or indirectly) with particular drive serial numbers, you can save such keys in keys directory.

If you have any additional useful information about particular keys, allowing you to split them in some way (eg. into cities, buildings, floors, company departments, employee specialties) into smaller groups, you can try:

  • split them into separate repositories
  • configure these repositories across many Drive Badger devices, according to your attack plan

luks.keys file format

luks.keys file can contain:

  • LUKS passwords, one per line
  • comments starting from # sign (without leading spaces)
  • empty lines

Example luks.keys file:

# laptop password
MyFancyPassword

# laptop alternative password (for another key slot)
R3c0ve4y_p@sSw0rd-f0r-my-1@pt0p

# desktop password
MyLUKSBootPassword123

How the keys are matched to encrypted partitions

Similar to other partition types (except only Bitlocker), LUKS-encrypted partitions are detected by systemd/udevd during system boot phase. Drive Badger relies on that, and just iterates over all detected partition UUIDs, trying to mount and exfiltrate them one by one.

Particularly for crypto_LUKS partition type, Drive Badger checks all passwords from luks.keys files against all 8 key slots, and when a matching key is found, it's saved in keys directory - so it can be easily reused.