need help with Permission denied
#1
I am trying to find my 48 digits recovery key for a drive after reinstalling windows to fix some issues and discovered that I bitlockered my drive and forgot about it a long time ago....  This drive is all my data for school and stuff so I really need to get it back.
And this is what I saw when I tried to run crack the hash I got after using Jumbo john and FTK imager  


 hashcat (v6.1.1) starting...

./hashcat.pid: Permission denied

./hashcat.induct: Permission denied



how can I get hashcat to run in this case? (I did't find any info on this issue anywhere)
Reply
#2
this is what i put in the TXT file is there anything wrong with it? (i have no clue other than some info I found on YouTube.

John --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d $bitlocker$2$6e0972bf956c01ea3f224b2fe753a6b2ca99a5fecabcf3661122e1a5e171a976e1e02c90eb37384a036fed83
Reply
#3
this is the full thing from cmd, did I enter something worng?



C:\Program Files (x86)\hashcat-6.1.1>hashcat.exe -m 22100 bitlocker.txt rockyou.txt
hashcat (v6.1.1) starting...

./hashcat.pid: Permission denied

./hashcat.induct: Permission denied

Started: Sat Mar 13 16:34:10 2021
Stopped: Sat Mar 13 16:34:10 2021
Reply
#4
please help me, I have no idea what I am doing (even when I have been trying and researching this for half a month now)
Reply
#5
(03-13-2021, 11:50 PM)Shadow of space Wrote: please help me, I have no idea what I am doing (even when I have been trying and researching this for half a month now)

for a month? really?

first copy your hashcat to another partition like d:\ or to another folder , mostly this solves the permission problem (windows sometimes doesnt like working on c: ) ^^

second, example give by you
hashcat-6.1.1>hashcat.exe -m 22100 bitlocker.txt rockyou.txt
would mean to try your bitlocker recovery 48 digits? cracking with a WORDlist -> will not work

sry its late maybe tomorrow a litte more on this

EDIT:
you are mixing up here so much things, i dont knwo where to start, your textfile is john the ripper relate,not hashcat

maybe this thread can help you,
https://hashcat.net/forum/thread-9691.html
for short, do some research with another encypted drive you know the password (like preparing an usb stick or something like that) get the hash with john or anything else and then try to attack it with hahscat and your known password, im not sure that is possible to attack the recovery key, if you managed it to crack the usb with your known pw you can switch to your drive. best approach would be a list with passwords you use and maybe rules to begin with
Reply
#6
thank you so much! the permission denied things is now gone and hashcat runs on my drive E now but this is what it says now: 


E:\hashcat-6.1.1>hashcat.exe -m 22100 bitlocker.txt
hashcat (v6.1.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #3: Unstable OpenCL driver detected!

This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1650 Ti, 3325/4096 MB, 16MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1650 Ti, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) UHD Graphics, skipped

Minimum password length supported by kernel: 4
Maximum password length supported by kernel: 256

Hashfile 'bitlocker.txt' on line 1 (John -...e171a976e1e02c90eb37384a036fed83): Separator unmatched
No hashes loaded.

Started: Mon Mar 15 03:16:06 2021
Stopped: Mon Mar 15 03:16:08 2021
Reply
#7
Make sure that the hash in bitlocker.txt is formatted exactly as stated here https://hashcat.net/wiki/doku.php?id=example_hashes, and it will work.

Note that you copy-pasted a complete JtR-command in the txt. Only the hash is needed.
Note that Hashcat is only compatible with $bitlocker$1$, and your hash mentions $bitlocker$2$.
Reply
#8
for your interest

poc/pow
encrypted a 1 gb usb-drive with bitlocker in compatibility mode (old mode, pre win 10 1511)
imaged ftk/dd
bitlocker2john gives 4 hashes, 2 password ( $0, $1, same), 2 recovery ( $2,$3, same)

attacking password with known plain password length and style (10 digits bruteforce attack)
not working an a cracking rig but i think you will get the point
Time.Estimated...: Fri Sep 10 21:41:43 2021 (178 days, 10 hours)
attacking password hash with known password -> success

attacking recovery key hash with known recovery key not working on hashcat (i edited the recovery hash with $1 and used known recovery key with and without (-) as password resulting in not found

maybe i will also try the new bitlocker version but not now

conclusion for short
hashcat is able to crack the password $0 $1 (same hash) from bitlocker2john
hahscat is not able to attack the recovery key $2 $3 even when knowing the recovery key

if you have no clue about your own password, then you will crack till our universe collapse

edit:
for fun purpose only:
Integer overflow detected in keyspace of mask: ?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d

edit2:
john seems to be able to attack with mask but yeah gone with the blastwave
Reply