01-25-2024, 03:25 PM
I am sorry Snoopy, but b8vr is right.
In order to crack the recovery key, you'll need to use the mask ?d?d?d?d?d?d- and so on.
The - is included.
So that is 6 times 8 digits, seperated by 7 times a -. It gives a total of 55 characters to crack.
As the official Microsoft documentation states, each part of the recovery key needs to be dividable by 11. I believe someone on github made a script one day to optimise the mask for this, but the conclusion was that the keyspace at the end is still waaay too large.
You can easily test and validate it by yourself by creating a small VHD which is Bitlocker-protected.
Here's an example of my test-container, where I use a mask attack on a Bitlocker recovery-key hash.
In order to crack the recovery key, you'll need to use the mask ?d?d?d?d?d?d- and so on.
The - is included.
So that is 6 times 8 digits, seperated by 7 times a -. It gives a total of 55 characters to crack.
As the official Microsoft documentation states, each part of the recovery key needs to be dividable by 11. I believe someone on github made a script one day to optimise the mask for this, but the conclusion was that the keyspace at the end is still waaay too large.
You can easily test and validate it by yourself by creating a small VHD which is Bitlocker-protected.
Here's an example of my test-container, where I use a mask attack on a Bitlocker recovery-key hash.
Code:
$ ./run/john BITLOCKER.hash --format=Bitlocker-opencl --mask='023199-166826-414744-661628-228943-116941-315436-4617?d?d'
Device 1: NVIDIA GeForce GTX 1080
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Using default input encoding: UTF-8
Loaded 1 password hash (BitLocker-opencl, BitLocker [SHA256 AES OpenCL])
Cost 1 (iteration count) is 1048576 for all loaded hashes
Note: Minimum length forced to 8 by format
LWS=32 GWS=2560 (80 blocks)
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 100 candidates buffered, minimum 2560 needed for performance.
023199-166826-414744-661628-228943-116941-315436-461758 (?)