Bitlocker
#1
I am a total newbie.
I want to decrypt a BitLocker-encrypted 32GB USB drive.
Following this video https://www.youtube.com/watch?v=gue6suh7...WL&index=3 I managed to
1) create an image of the drive with FTK Imager,
2) extract 4 hashes with bitlocker2john ($bitlocker$0..., $bitlocker$1..., $bitlocker$2..., $bitlocker$3...), and
3) run hashcat with hashcat.exe -m 22100 bitlocker.txt (with the $bitlocker$0... hash in there) rockyou.txt
Unfortunately, after running for 4 days it ended exhausted. https://gyazo.com/635fa0b1afe71675792b99f62ac17d6c

Now I was trying to attack the BitLocker recovery key with a mask or word lists, but I just read that the $bitlocker$2... and $bitlocker$3... hashes are too difficult to crack. Is this correct?

What should be my next approach?

Thank you for your help.
#2
First, if you have the luxury of validating your methodology against an identically-configured target but with a known plaintext, do so. (This isn't always possible, but definitely worth the trouble if basic attacks fail, so that you know that you're not "barking up the wrong tree")

Second, if you know that your methodology is good, running through the early part of a list like RockYou is good (because they are sorted by how common they are). But there's a long tail of RockYou at the other end that's less likely than other options. In other words: there are lots of common PINs and passwords that don't appear in RockYou.

Once you're working from that baseline, all you can really do is keep trying likely candidates.
~
#3
You're basically saying I should encrypt a file with BitLocker -> create an image -> extract hashes -> try to run hashcat (with a wordlist that contains the password, or a mask that fits the password) and see if that works?

Can BitLocker recovery keys be cracked in a reasonable timeframe? (I have an i5 4460 and a Radeon R9 series card.)
What would a mask for the recovery key look like?
#4
Yep, just practice seeing if you can crack *any* similarly provisioned BitLocker hash.

For your real target, if you have no idea what the constraints on the creation of the original plaintext were, then all you can do is play the odds. "What kind of mask should I use?" is like asking "how long is a piece of string?" - it totally depends on what the plaintext might be.
~
#5
Unfortunately I can't remember the length or the syntax of my password. I was sure I knew it until I plugged the USB in after years ;(.

I meant the mask for the BitLocker recovery key. There are certain rules for the syntax and length of a BitLocker recovery key, and I wanted to know if a hashcat mask for that specific key already exists somewhere, so I don't have to figure it out myself and probably make a mistake somewhere.
#6
And I have another question. I made a wordlist for hashcat with all my usual passwords. It didn't work. Is it possible in hashcat to run these words in all possible combinations and not just the exact word that I put in the wordlist?
#7
I know this is an old thread, but I didn't see any relevant answers. Known plaintext is good, but with BitLocker, you'd have to find where the corresponding ciphertext is without any list of files to go off of.

Correct mask for cracking recovery key: ?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d
#8
(01-23-2024, 04:35 PM)DramaKing Wrote: I know this is an old thread, but I didn't see any relevant answers. Known plaintext is good, but with BitLocker, you'd have to find where the corresponding ciphertext is without any list of files to go off of.

Correct mask for cracking recovery key: ?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d

This will definitely result in a buffer overflow; you won't be able to attack with that mask.
#9
(01-23-2024, 04:35 PM)DramaKing Wrote: I know this is an old thread, but I didn't see any relevant answers. Known plaintext is good, but with BitLocker, you'd have to find where the corresponding ciphertext is without any list of files to go off of.

Correct mask for cracking recovery key: ?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d

No, not correct.
First of all, it's ?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d
And then each set of ?d?d?d?d?d?d has to be divisible by 11 and no bigger than 720896, the same as 11 x 65536.

It is actually possible with John the Ripper, but practically impossible to find the correct key.
#10
What?

It's 48 digits; the - doesn't matter, it is still all possibilities from

0000000000000000000000000000000000000000000000
to
9999999999999999999999999999999999999999999999

You don't crack each part on its own; it either fits all or nothing.
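Posts #9 and #10 disagree about what the recovery-key keyspace really is. The following added example (my own Python, not code from this thread, from hashcat or from John the Ripper) parses a recovery key using the structure post #9 describes, each 6-digit group being a 16-bit word multiplied by 11, and compares the naive 48-digit mask keyspace with the structured one; the sample key is constructed for the demonstration and is not a real key.

```python
import re
from typing import Dict, List

# One 6-digit group encodes a 16-bit word w as the decimal number w * 11.
# Divisibility by 11 is therefore the built-in checksum (the "divisible by 11"
# rule from post #9); the largest legal group is 65535 * 11 = 720885, so the
# thread's 720896 (= 11 * 65536) is the exclusive upper bound.
GROUPS = 8
WORD_MAX = 0xFFFF


def parse_recovery_key(key: str) -> List[int]:
    """Split a recovery key into its eight 16-bit words, validating the format.

    Raises ValueError naming the offending group if the key is malformed.
    """
    groups = key.strip().split("-")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} dash-separated groups, got {len(groups)}")
    words = []
    for idx, group in enumerate(groups, start=1):
        if not re.fullmatch(r"\d{6}", group):
            raise ValueError(f"group {idx} is not exactly 6 digits")
        value = int(group)
        if value % 11:
            raise ValueError(f"group {idx} fails the divide-by-11 check")
        word = value // 11
        if word > WORD_MAX:
            raise ValueError(f"group {idx} exceeds 11 * 65535")
        words.append(word)
    return words


def is_valid_recovery_key(key: str) -> bool:
    """True if the key has the 8x6-digit, divisible-by-11, 16-bit-word structure."""
    try:
        parse_recovery_key(key)
        return True
    except ValueError:
        return False


def keyspace_bits() -> Dict[str, int]:
    """floor(log2) of the naive 48-digit mask keyspace vs the structured keyspace."""
    naive = 10 ** (6 * GROUPS)             # every 48-digit string (post #10's view)
    structured = (WORD_MAX + 1) ** GROUPS  # 65536 ** 8 == 2 ** 128 (post #9's view)
    return {"naive": naive.bit_length() - 1, "structured": structured.bit_length() - 1}


# Constructed sample: words 0..7 encoded as w * 11, zero-padded to 6 digits.
SAMPLE_KEY = "-".join(f"{w * 11:06d}" for w in range(GROUPS))

if __name__ == "__main__":
    print(SAMPLE_KEY, parse_recovery_key(SAMPLE_KEY))
    print(keyspace_bits())
```

Either way the effective keyspace is 2^128, which is why post #9 calls the search practically impossible; the structure only lets you reject mistyped keys before trying them, it does not make brute force feasible.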