What's needed before hashcat attacks
#1
Hi everyone.

Very new to code cracking but I've received an SSD from a client that got Bitlocker locked because someone else installed parts in a Dell laptop without disabling Bitlocker, and they couldn't rectify the issue.

So I am trying to take on the challenge.

So far I have made an image with FTK imager, extracted hashes with Bitlocker2John, but now I'm stuck with Hashcat.

John only gave me 2x Bitlocker hashes instead of 4, is that normal?

How will I know what mask to use and how to use a word list?

Do I need any info from the client like a password or anything else?

They do not have a Microsoft Account.

Also just a bit of extra limitations: in my country of South Africa the retarded government has stolen the national energy provider into such a state that they are unable to provide the country with constant electricity, so as a result we have 4-hour outages twice a day with 4 to 12 hours of power in between every day. We do not have backup power that will last long enough for GPU cracking to continue, as I only have a mobile power station for laptops and low-power machines.

My GPU is a GTX 1070, is it even worth pursuing this venture?

Will a password attack even help with getting a Bitlocker key?

Kind regards.
Ian.
Reply
#2
(02-25-2023, 11:51 AM)Ian Marais Wrote: Hi everyone.

Firstly, you need to check what kind of hash you've got.

If your hashes start with $bitlocker$0$ or $bitlocker$1$, then you can use hashcat to try and crack them.

But if they start with $bitlocker$3$ or $bitlocker$4$, then it's a recovery password consisting of 8 groups of 6 digits each. Each group has a hyphen as delimiter. These can't be cracked with hashcat. You need John the Ripper for those. But it's literally impossible as the number of candidates is enormous.

If bitlocker2john only gave 2 hashes, they are most likely recovery hashes.
Reply
#3
Thank you for replying,

Yes, unfortunately the hashes are $bitlocker$3$ & $bitlocker$4$. Do you have any steps to follow with john, or should I rather check other sources?

If I'm able to get the recovery password from john, will this help with getting the Bitlocker key itself? I have the Recovery key ID as well. Will the user password be of any help?

Thank you again.

(02-26-2023, 05:23 PM)b8vr Wrote:
Reply
#4
(Extension to my reply to your message) Correction, my mistake:

it's actually $bitlocker$2$ & $bitlocker$3$. Can those even be used together?

(03-01-2023, 12:18 PM)Ian Marais Wrote: Thank you for replying,
Reply
#5
I'm not sure what you mean by used together....
But the $bitlocker$2$ is supposed to be a bit faster than $bitlocker$3$, but it comes with the price of possible false positives. That said, the chance of getting any hit is almost non-existent.

Getting the recovery password does not provide the bitlocker key (again, not entirely sure what you mean). Bitlocker makes use of 2 keys: a Volume Master Key, VMK, which is used to encrypt a Full Volume Encryption Key, FVEK. The VMK is encrypted by a Key Protector, KP, such as a TPM.
When we crack the user password or the recovery password, we don't get the keys.
Also, if we crack the recovery password, we don't get access to the user password. But if we crack the user password, we can get access to the recovery password using manage-bde.exe.
Reply
#6
Oh no, that's just my ignorance speaking when referring to using them together. I really don't actually know what I'm talking about, as I'm only learning about this now.

I saw VMKs in the john hash extraction process, if I can call it that. Would you be able to point out which VMK to use?

So I should try using $bitlocker$2$ for the best chances?

Sorry I know I'm asking a lot of dumb questions.

So I'm using $bitlocker$2$, VMK, wordlist, mask and manage-bde.exe?

(03-01-2023, 02:26 PM)b8vr Wrote: I'm not sure what you mean by used together....
Reply
#7
If you really want to try with $bitlocker$2$, you need John the Ripper. And you need to create wordlists containing recovery keys..... A recovery key is 48 digits long with a hyphen after every 6 digits, e.g.:
050028-820402-156838-etc. until you have 8 groups of 6 digits each. A little known fact is that each group of 6 digits has to be divisible by 11. This is a keyspace of 90909^8 = 4,6650364816375391696510582173827e+39 possible combinations...... Good luck.

The VMK is useless without the FVEK, and manage-bde.exe requires that you are already logged in.

In my opinion you're out of luck.
Reply
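As an added example (not code from this thread, from hashcat or from John the Ripper), a small Python triage script that applies the two checks discussed above: post #2's rule of reading the type digit after $bitlocker$ to decide whether hashcat or John applies, and post #7's rule that a recovery password is 8 hyphen-separated groups of 6 digits, each divisible by 11. The sample hash lines and recovery passwords are constructed; counting 000000 as a valid group gives 90910 values per group rather than the 90909 quoted above, and the keyspace still comes out near 4.7e39.

```python
import re

# Type digit after "$bitlocker$" in bitlocker2john output, per the thread:
# 0/1 protect the user password (hashcat can run them); 2/3 protect the
# recovery password (John only; $2$ is faster than $3$ but can false-positive).
HASH_TYPES = {
    "0": ("user password", "hashcat"),
    "1": ("user password", "hashcat"),
    "2": ("recovery password", "john"),
    "3": ("recovery password", "john"),
}
HASH_RE = re.compile(r"^\$bitlocker\$(\d)\$")
RECOVERY_RE = re.compile(r"^\d{6}(?:-\d{6}){7}$")

def classify_hash(line):
    """Return (type digit, what it protects, tool), or None for a non-BitLocker line."""
    m = HASH_RE.match(line.strip())
    if not m:
        return None
    tid = m.group(1)
    desc, tool = HASH_TYPES.get(tid, ("unknown BitLocker hash type", None))
    return (tid, desc, tool)

def is_valid_recovery_password(rp):
    """Format check only: 8 hyphen-separated groups of 6 digits, each divisible by 11."""
    if not RECOVERY_RE.match(rp):
        return False
    return all(int(group) % 11 == 0 for group in rp.split("-"))

def recovery_keyspace():
    """Number of strings that pass is_valid_recovery_password()."""
    per_group = len(range(0, 1_000_000, 11))  # 90910 multiples of 11 in 000000..999999
    return per_group ** 8

def years_to_exhaust(keyspace, guesses_per_second):
    """Years needed to try every candidate at an assumed guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)

# Constructed sample input; only the "$bitlocker$N$" prefix matters here.
SAMPLE_HASHES = [
    "$bitlocker$0$16$SALT_PLACEHOLDER$1048576$12$NONCE_PLACEHOLDER$60$DATA_PLACEHOLDER",
    "$bitlocker$2$16$SALT_PLACEHOLDER$1048576$12$NONCE_PLACEHOLDER$60$DATA_PLACEHOLDER",
    "not-a-bitlocker-hash",
]
# Constructed recovery passwords; the first three groups are the ones from post #7.
VALID_RP = "050028-820402-156838-000011-123453-999999-111111-000000"
BAD_GROUP_RP = "050028-820402-156838-000011-123453-999999-111111-000001"
```

At an assumed one million guesses per second, years_to_exhaust(recovery_keyspace(), 1_000_000) is on the order of 1e26 years, which is the arithmetic behind "you're out of luck".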
#8
Thanks for explaining this. I'm going to just try and see what can be done, and if I'm even able to get the process started at least.

Thanx again for explaining all this stuff.
Reply
#9
Did you find a way to get past Bitlocker, or are you referring to the FVEK account thing?
Reply