This shows you the differences between two versions of the page.
|
john:OpenCL-BitLocker [2017/02/21 23:53] elenago [Command line and parameters] |
john:OpenCL-BitLocker [2022/07/15 21:49] (current) solar [Step 3: Attack!] mention that there's no chance to find a fully lost Recovery Password |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ===== OpenCL BitLocker ===== | ===== OpenCL BitLocker ===== | ||
| - | John The Ripper BitLocker format. BitLocker is a full-disk encryption feature available in recent Windows versions (Vista, 7, 8.1 and 10) Pro and Enterprise.\\ | + | BitLocker is a full-disk encryption feature available in recent Windows versions (Vista, 7, 8.1 and 10) Ultimate, Pro and Enterprise.\\ |
| - | We released the OpenCL version of our crack as a plugin for John The Ripper Jumbo version.\\ | + | BitLocker-OpenCL format attacks memory units encrypted using the User Password (see the following picture) or the Recovery Password authentication methods.\\ |
| - | BitLocker-OpenCL format attacks memory units encrypted with the password authentication mode of BitLocker (see the following picture).\\ | + | Our attack has been tested on several memory devices encrypted with BitLocker on Windows 7, 8.1 and 10 (both compatible and not compatible mode).\\ |
| + | You can find the standalone CUDA implementation here: https://github.com/e-ago/bitcracker\\ | ||
| + | |||
| + | ===== User Password authentication method ===== | ||
| + | |||
| + | With this authentication method, the user can choose to encrypt a memory device by means of a password. | ||
| {{:john:bitcracker_img1.png?direct&400|}} | {{:john:bitcracker_img1.png?direct&400|}} | ||
| - | Our attack has been tested on several USB pendrives encrypted with BitLocker running on Windows 7, Window 8.1 and Windows 10 (both compatible and non-compatible mode). | + | To find the password used during the encryption, see [[#Step 2: Extract the hash|Step 2: Extract the hash]] |
| - | ===== How To ===== | + | ===== Recovery Password authentication method ===== |
| - | In order to use the BitLocker-OpenCL format, you must follow two steps: | + | During the encryption of a memory device, (regardless the authentication method) BitLocker asks the user to store somewhere a Recovery Password that can be used to restore the access to the encrypted memory unit in the event that she/he can't unlock the drive normally. Thus the Recovery Password is a common factor for all the authentication methods and it consists of a 48-digit key like this: |
| - | 1- Use the bitlocker2john utility, which takes as input the target encrypted memory unit and returns a bitlocker-opencl hash format describing the unit. Using the -o <file_name> option, you can write this hash on a file: | + | <code> |
| - | <code C> | + | 236808-089419-192665-495704-618299-073414-538373-542366 |
| - | ./bitlocker2john [-o <output_file>] <BitLocker Encrypted Memory Image> | + | |
| </code> | </code> | ||
| - | 2- Start John BitLocker-OpenCL format, specifying the previous hash: | + | To find the correct Recovery Password, see [[#Step 2: Extract the hash|Step 2: Extract the hash]]. |
| - | <code C> | + | For further details, see also [[https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-recovery-guide-plan|Microsoft docs]]. |
| - | ./john --format=bitlocker-opencl --wordlist=wordlist.txt target_hash.txt | + | |
| + | ===== Step 1: Get the image of your encrypted memory device ===== | ||
| + | |||
| + | In order to start the attack, you need to extract the image of your memory device encrypted with BitLocker. | ||
| + | For example, you can use the dd command: | ||
| + | |||
| + | <code bash> | ||
| + | sudo dd if=/dev/disk2 of=/path/to/imageEncrypted conv=noerror,sync | ||
| + | 4030464+0 records in | ||
| + | 4030464+0 records out | ||
| + | 2063597568 bytes transferred in 292.749849 secs (7049013 bytes/sec) | ||
| </code> | </code> | ||
| - | For the moment, passwords will be evaluated only if their length is between 8 (that's the minimum password length) and 16 characters (for implementation reasons). We will increase the max passwords size in the next releases. | + | ===== Step 2: Extract the hash ===== |
| - | ===== Output ===== | + | |
| - | We tested our final OpenCL solution on a GeForce Titan X, Maxwell architecture (Openwall). An output example is: | + | In order to use the BitLocker-OpenCL format, you must produce a well-formatted hash of your encrypted image. |
| + | Use the //bitlocker2john// tool (john repo) to extract the hash from the password protected BitLocker encrypted volumes. | ||
| <code> | <code> | ||
| + | $ ../run/bitlocker2john -i /path/to/imageEncrypted | ||
| + | Opening file /path/to/imageEncrypted | ||
| - | Device 6: GeForce GTX TITAN X | + | Signature found at 0x00010003 |
| - | Using default input encoding: UTF-8 | + | Version: 8 |
| - | Loaded 1 password | + | Invalid version, looking for a signature with valid version... |
| - | donaldduck (?) | + | |
| - | 1g 0:00:03:07 DONE (2017-02-15 19:47) 0.005324g/s 915.9p/s 915.9c/s 915.9C/s GPU:79°C aaaaaaaa..abdbedff | + | Signature found at 0x02110000 |
| - | Session completed | + | Version: 2 (Windows 7 or later) |
| + | |||
| + | VMK entry found at 0x021100d2 | ||
| + | VMK encrypted with user password found! | ||
| + | VMK encrypted with AES-CCM | ||
| + | |||
| + | VMK entry found at 0x021101b2 | ||
| + | VMK encrypted with Recovery key found! | ||
| + | VMK encrypted with AES-CCM | ||
| + | |||
| + | $bitlocker$0$16$a149a1c91be871e9783f51b59fd9db88$1048576$12$b0adb333606cd30103000000$60$c1633c8f7eb721ff42e3c29c3daea6da0189198af15161975f8d00b8933681d93edc7e63f36b917cdb73285f889b9bb37462a40c1f8c7857eddf2f0e | ||
| + | $bitlocker$1$16$a149a1c91be871e9783f51b59fd9db88$1048576$12$b0adb333606cd30103000000$60$c1633c8f7eb721ff42e3c29c3daea6da0189198af15161975f8d00b8933681d93edc7e63f36b917cdb73285f889b9bb37462a40c1f8c7857eddf2f0e | ||
| + | $bitlocker$2$16$2f8c9fbd1ed2c1f4f034824f418f270b$1048576$12$b0adb333606cd30106000000$60$8323c561e4ef83609aa9aa409ec5af460d784ce3f836e06cec26eed1413667c94a2f6d4f93d860575498aa7ccdc43a964f47077239998feb0303105d | ||
| + | $bitlocker$3$16$2f8c9fbd1ed2c1f4f034824f418f270b$1048576$12$b0adb333606cd30106000000$60$8323c561e4ef83609aa9aa409ec5af460d784ce3f836e06cec26eed1413667c94a2f6d4f93d860575498aa7ccdc43a964f47077239998feb0303105d | ||
| </code> | </code> | ||
| - | ===== Customize the run ===== | + | As shown in the example, it returns 4 output hashes with different prefix: |
| + | * If the device was encrypted using the User Password authentication method, bitlocker2john prints those 2 hashes: | ||
| + | * $bitlocker$0$... : it starts the User Password fast attack mode (see [[#User Password authentication method|User Password Section]]) | ||
| + | * $bitlocker$1$... : it starts the User Password attack mode with MAC verification (slower execution, no false positives) | ||
| + | * In any case, bitlocker2john prints those 2 hashes: | ||
| + | * $bitlocker$2$... : it starts the Recovery Password fast attack mode (see [[#Recovery Password authentication method|Recovery Password Section]]) | ||
| + | * $bitlocker$3$... : it starts the Recovery Password attack mode with MAC verification (slower execution, no false positives) | ||
| + | |||
| + | Samples BitLocker images for testing are available here: | ||
| + | * https://github.com/e-ago/bitcracker/tree/master/Images | ||
| + | * https://github.com/kholia/libbde/tree/bitlocker2john/samples | ||
| + | |||
| + | ===== Step 3: Attack! ===== | ||
| - | Local and global work sizes are autotuned, but you can specify the maximum number of password for each thread modifying the value of this macro (opencl_bicracker_fmt_plug.c): | + | Use the BitLocker-OpenCL format specifying the hash file: |
| <code> | <code> | ||
| - | #define MAX_PASSWORD_THREAD 8 | + | ./john --format=bitlocker-opencl --wordlist=wordlist target_hash |
| </code> | </code> | ||
| - | With the following macro you can enable some additional debug print: | + | Currently, this format is able to evaluate passwords having length between 8 (minimum password length) and 55 characters (implementation reasons). |
| + | We will increase the max passwords size in the next release. | ||
| + | |||
| + | The mask you can use to generate Recovery Password is: | ||
| <code> | <code> | ||
| - | #define BITLOCKER_ENABLE_DEBUG 1 | + | -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d |
| </code> | </code> | ||
| + | Please note that the number of possible Recovery Passwords is **way** too large, so there's effectively **no chance** that this will find yours unless you recall almost all of it (except for just a handful of digits) and replace most of the "?d" above with the known digits. | ||
| + | |||
| + | Samples of User Password/Recovery Passwords dictionaries you can user are available here: https://github.com/e-ago/bitcracker/tree/master/Dictionary | ||
| + | ===== Output ===== | ||
| + | |||
| + | An output example is: | ||
| + | |||
| + | <code> | ||
| + | |||
| + | ./john --format=bitlocker-opencl --wordlist=wordlist hash | ||
| + | Device 0: Tesla K80 | ||
| + | Using default input encoding: UTF-8 | ||
| + | Loaded 1 password hash (bitlocker-opencl [SHA-256 AES OpenCL]) | ||
| + | Note: minimum length forced to 8 | ||
| + | Press 'q' or Ctrl-C to abort, almost any other key for status | ||
| + | password@123 (?) | ||
| + | |||
| + | </code> | ||
| + | |||
| + | This OpenCL implementation has been tested on a GPU NVIDIA GeForce Titan X (Openwall), GPU AMD Radeon HD 7990 Malta and an Intel Core i7 CPU. | ||
| + | For additional information about performance, see https://github.com/e-ago/bitcracker#performance | ||
| + | |||
| + | ===== Updates and changelog ===== | ||
| + | |||
| + | 12/19/2017 | ||
| + | * Now BitLocker-OpenCL supports 4 different attack modes: User Password fast attack, User Password with MAC verification (performance decreased), Recovery Password, Recovery Password with MAC verification (performance decreased) | ||
| + | * Max password length increased to 55 | ||
| + | |||
| + | Next Update: | ||
| + | * Provide a Recovery Password dictionary | ||
| ===== References, license and contacts ===== | ===== References, license and contacts ===== | ||
| Line 57: | Line 131: | ||
| Copyright (c) 2015-2017 Elenago and Massimo Bernaschi (National Research Council of Italy), <massimo dot bernaschi at gmail dot com>\\ | Copyright (c) 2015-2017 Elenago and Massimo Bernaschi (National Research Council of Italy), <massimo dot bernaschi at gmail dot com>\\ | ||
| Licensed under GPLv2\\ | Licensed under GPLv2\\ | ||
| - | This is a research project, therefore please contact or cite if you want to use this source code or start any type of collaboration.\\ | + | |
| - | Please report any bug to <elena dot ago at gmail dot com> | + | You can find the standalone CUDA implementation here: https://github.com/e-ago/bitcracker\\ |
| + | This is a research project; for any additional info or to report any bug please contact <elena dot ago at gmail dot com> | ||