Bitlocker Error(s)
#1
So i'm fairly new to trying hashcat, john the ripper, anything but learning is key.

I have a bitlocker encrypted HD that is also locked via just TPM since i'm sure knowing that will add
I managed to get HD into a VHD file with winimage
I ran john the ripper against it and got to bitlocker hashes

Saved them both separate text files and was trying to run hashcat against either but i'm getting an error
salt-value exception and no hashes loaded
I confirmed the $bitlocker has saved out of cmd into txt file with the 22210 in help

The code i'm using is "hashcat -m 2210 -a 3 hash.txt" in cmd
Now i kept researching and took one of the bitlocker hashes and converted into md5 via generator and in the mist of running that, seems to be working that way although queue is currently 10/15 with this one being 4days estimated

If it helps i'm using windows 10 to run the cmd stuff, i couldnt get kail linux to load or boot on main pc with gpu but it likely doesn't help i'm trying a sata to usb cable and likely need a sata to usb with an actual power cable for the hd

i do have a second pc if i need to run things to test / try and/or get errors

Thank you
Reply
#2
The Bitlocker-hash begins with what number? $bitlocker$0$... or $bitlocker$1$... or 2 or 3 ?
Hashcat supports only 0 and 1.

Please note that the mode for Bitlocker is -m 22100 (and not 2210), and that k.a.l.i. is not Hashcat-friendly.

Finally, can you copy/paste the typed command here?
Reply
#3
Hello

I got two bitlockers from john the ripper, $bitlocker$2$ and $bitlocker$3$ and i typed hashcat -m 2210 - a 3 hash.txt through cmd.

Wasn't aware I had even typed 22100 wrong or hashcat didn't support 2 or 3, dang TPM. Never had bitlocker on before, I read an update can sometimes turn it on

Are you aware if bitcracker or bitlocker do/dont for 2 or 3 of bitlocker? I mainly just want to unlock the drive
Reply
#4
Im sorry to disappoint you, but I dont think it is not possible to crack this, because one of the hashes is for the recovery key and the other one for the TPM key. The structure of these keys makes it infeasible to crack them.

EDIT: This is probably also the reason why they are not implemented in hashcat.
Reply
#5
Two easy options you can explore...

Since you say you don't remember having it on, it might be clear-key protected. The quickest way to check is to just mount an image of your drive on another computer running Windows 10 using Arsenal Image Mounter (https://github.com/ArsenalRecon/Arsenal-Image-Mounter). If it is clear-key protected, it will just mount and unlock automatically. If it isn't clear-key encrypted, you will get a Windows prompt for a recovery key.

If the above doesn't work, log into your Microsoft account and see if the recovery key is stored there (even if you don't remember saving it there, it's a quick and easy place to check).
Reply