Extracting hashes bitlocker
#1
Question, I am trying to extract the hash of a Bitlocker encrypted drive and I get this output bitlockerjohn.  

Signature found at 0x71bbc000
Version: 2 (Windows 7 or later)
VMK entry found at 0x71bbf907
VMK encrypted with TPM...not supported! (0x71bbf928) 

Then continues, a very long process.

VMK entry found at 0xb5ff5a39
VMK entry found at 0x23b2bad33
VMK entry found at 0x504bb4baa
VMK entry found at 0x511a7f22f


It continues on is that mean that I should wait until it finishes to get the 4 hashes or the fact VMK encrypted with TPM is game over.
Reply
#2
Read rhe log:

..
VMK encrypted with TPM...not supported! (0x71bbf928)
..
Reply
#3
Yeah!!  That was NOT the response I was waiting for.....  But after 20 Hours it provided the hashes to get Hashcat to crack it.  Good thing that I ignored it and did not listen to you.

Signature found at 0x00010003
Version: 8
Invalid version, looking for a signature with valid version...

Signature found at 0x02110000
Version: 2 (Windows 7 or later)


VMK entry found at 0x021101b2
VMK encrypted with Recovery key found!
VMK encrypted with AES-CCM
Reply
#4
Notice that you finally found the hash of a RecoveryKey, which is not supported by Hashcat.
Reply
#5
(08-30-2021, 10:25 AM)Karamba Wrote: Notice that you finally found the hash of a RecoveryKey, which is not supported by Hashcat.

Live and learn!  I saw this video that claimed otherwise.

OK..
Reply
#6
Hi
I need help recovering my bitlocker key for windows 10 on lenovo p1 workstation laptop. It has a tpm 2.0 chip.

I did forensic on the ram leak for the hash but I cant get the hash from the bitlocker drive with with the forensic tool i am using.

im a newb.

would be great to figure this out. I have everything in place to start
Reply
#7
I recommend buying some nvidia a100 cards (80gb)
Reply