No Hashes Loaded - BitLocker
#1
Somehow I can't crack my BitLocker protected USB flash drive.
I have tried so many things and have followed so many instructions.
Can someone help me?

This is what I did:
- Use AccessData FTK Imager v4.3.1 to get the image.
- After that, I used john 1.9.0 jumbo 1 win64 to get the hash.
- Now I am trying to get the hash cracked using hashcat v6.1.1

But unfortunately I get the error:
Hashfile 'bitlocker.hash' on line 1 ($bitlo...b309141d9529c7dbf51c57bb02132e23): Salt-value exception
No hashes loaded.

Can someone explain what I am doing wrong?


Attached Files
.png   0010.png (Size: 64.37 KB / Downloads: 14)
Reply
#2
Make sure your hash is formatted as found here: https://hashcat.net/wiki/doku.php?id=example_hashes

Note also that Hashcat only supports $bitlocker$1$...
Reply
#3
(02-06-2021, 08:41 PM)Karamba Wrote: Make sure your hash is formatted as found here: https://hashcat.net/wiki/doku.php?id=example_hashes

Note also that Hashcat only supports $bitlocker$1$...

This is my hash...

User Password hash:
$bitlocker$0$16$96cf3660aafc2ff58ba49f635e00da88$1048576$12$205a6873de0cd60106000000$60$826bdcf2fdf54d73bdc2b4ff41ba02640ef4032f1e07e73152dc238b05ff287dc707b4267b4df4e6039d6755317f4f4f48f510c498ca48aa18855780
Hash type: User Password with MAC verification (slower solution, no false positives)
$bitlocker$1$16$96cf3660aafc2ff58ba49f635e00da88$1048576$12$205a6873de0cd60106000000$60$826bdcf2fdf54d73bdc2b4ff41ba02640ef4032f1e07e73152dc238b05ff287dc707b4267b4df4e6039d6755317f4f4f48f510c498ca48aa18855780
Hash type: Recovery Password fast attack
$bitlocker$2$16$d139a7f457abe99cddeb3a656fa99cba$1048576$12$205a6873de0cd60104000000$60$7ca55a7511b2c4a2b0d8c81959bc0188063d698d51125aae4ffa959049bc4ccae762c2488fd4e557c1e5a7ecb309141d9529c7dbf51c57bb02132e23
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$d139a7f457abe99cddeb3a656fa99cba$1048576$12$205a6873de0cd60104000000$60$7ca55a7511b2c4a2b0d8c81959bc0188063d698d51125aae4ffa959049bc4ccae762c2488fd4e557c1e5a7ecb309141d9529c7dbf51c57bb02132e23

I was trying to crack the recovery key cuz I know that the password is not in the directory.
What should I do next?
I don't have much experience with these kinds of thing.
Reply
#4
"Hashcat only supports $bitlocker$1$"

"User Password hash:
$bitlocker$0$"

Well it seems your hash is not compatible with hashcat.
Reply
#5
Your screenshot tells me that you picked $bitlocker$2 (or $bitlocker$3).
As mentioned higher, Hashcat only supports $bitlocker$1. Try giving this hash as input, and it should work.
Reply
#6
(02-08-2021, 05:12 PM)Karamba Wrote: Your screenshot tells me that you picked $bitlocker$2 (or $bitlocker$3).
As mentioned higher, Hashcat only supports $bitlocker$1. Try giving this hash as input, and it should work.

If I try $bitlocker$1... I get no message if the hash is successfully cracked or not.
All I see is that the process is on 100% and nothing else.
But that method is a directory attack. I remember that I put a pretty difficult password on it so a directory attack would do nothing.

The attack on the recovery key would be much more effective.

I have seen something using a VM (Virtual Machine) to crack running Linux and BitCracker. But I don't know how that all works.
So is HashCat going to support $3 any time soon?
Reply
#7
So you are getting "exhausted" as status? That means that the password is not in your dictionary.

JohnTheRipper supports $2 and $3.
Take a moment to do some calculations. The recovery key is 8 times 6 digits, separated by a "-".
This mask is way too large. Even if you reduce each chunk because it has to be dividable by 11, you'll have 90.910 possibilities per chunk.
90910^8 = too much
Reply
#8
(02-12-2021, 03:28 PM)Karamba Wrote: So you are getting "exhausted" as status? That means that the password is not in your dictionary.

JohnTheRipper supports $2 and $3.
Take a moment to do some calculations. The recovery key is 8 times 6 digits, separated by a "-".
This mask is way too large. Even if you reduce each chunk because it has to be dividable by 11, you'll have 90.910 possibilities per chunk.
90910^8 = too much

Okay, I don't want to sound rude or something but I really don't care. I rather crack the password that I forgot than take my valuable time and waste it on some calculations.
If I use a powerful GPU/computer than the 90910^8 seems nothing and easy to crack open.

Anyway, would you mind sharing the info on how to crack using John?
Reply
#9
The sun will stopped burning by the time you finish the job.

Let Google be your friend here on how using JtR with bitlocker. Litteraly the first article.
Reply
#10
(02-13-2021, 12:11 PM)Karamba Wrote: The sun will stopped burning by the time you finish the job.

Let Google be your friend here on how using JtR with bitlocker. Litteraly the first article.

Thanks for sharing the article.
So I will try 
Code:
John --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hash
and make update after that.
Reply