john:OpenCL-BitLocker [2017/10/24 14:05] elenago |
john:OpenCL-BitLocker [2024/11/09 04:35] (current) solar [Step 3: Attack!] Sync with today's README.BitLocker update |
Line 1: | Line 1: | ||
===== OpenCL BitLocker ===== | ===== OpenCL BitLocker ===== | ||
- | BitLocker is a full-disk encryption feature available in recent Windows versions (Vista, 7, 8.1 and 10) Pro and Enterprise.\\ | + | BitLocker is a full-disk encryption feature available in recent Windows versions (Vista, 7, 8.1 and 10) Ultimate, Pro and Enterprise.\\ |
- | BitLocker-OpenCL format attacks memory units encrypted with the password authentication mode of BitLocker (see the following picture).\\ | + | BitLocker-OpenCL format attacks memory units encrypted using the User Password (see the following picture) or the Recovery Password authentication methods.\\ |
+ | Our attack has been tested on several memory devices encrypted with BitLocker on Windows 7, 8.1 and 10 (both compatible and not compatible mode).\\ | ||
+ | You can find the standalone CUDA implementation here: https://github.com/e-ago/bitcracker\\ | ||
+ | |||
+ | ===== User Password authentication method ===== | ||
+ | |||
+ | With this authentication method, the user can choose to encrypt a memory device by means of a password. | ||
{{:john:bitcracker_img1.png?direct&400|}} | {{:john:bitcracker_img1.png?direct&400|}} | ||
- | Our attack has been tested on several memory devices encrypted with BitLocker on Windows 7, 8.1 and 10 (both compatible and not compatible mode).\\ | + | To find the password used during the encryption, see [[#Step 2: Extract the hash|Step 2: Extract the hash]] |
- | You can find the standalone CUDA implementation here: https://github.com/e-ago/bitcracker\\ | + | |
- | ===== How To ===== | + | ===== Recovery Password authentication method ===== |
- | In order to use the BitLocker-OpenCL format, you must produce a well-formatted hash of your encrypted image. | + | During the encryption of a memory device, (regardless the authentication method) BitLocker asks the user to store somewhere a Recovery Password that can be used to restore the access to the encrypted memory unit in the event that she/he can't unlock the drive normally. Thus the Recovery Password is a common factor for all the authentication methods and it consists of a 48-digit key like this: |
- | Samples BitLocker images for testing are available at https://github.com/kholia/libbde/tree/bitlocker2john/samples and here: https://github.com/e-ago/bitcracker/tree/master/Images | + | |
- | ==== Method 1 ==== | + | <code> |
+ | 236808-089419-192665-495704-618299-073414-538373-542366 | ||
+ | </code> | ||
+ | To find the correct Recovery Password, see [[#Step 2: Extract the hash|Step 2: Extract the hash]]. | ||
+ | For further details, see also [[https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-recovery-guide-plan|Microsoft docs]]. | ||
+ | |||
+ | ===== Step 1: Get the image of your encrypted memory device ===== | ||
+ | |||
+ | In order to start the attack, you need to extract the image of your memory device encrypted with BitLocker. | ||
+ | For example, you can use the dd command: | ||
+ | |||
+ | <code bash> | ||
+ | sudo dd if=/dev/disk2 of=/path/to/imageEncrypted conv=noerror,sync | ||
+ | 4030464+0 records in | ||
+ | 4030464+0 records out | ||
+ | 2063597568 bytes transferred in 292.749849 secs (7049013 bytes/sec) | ||
+ | </code> | ||
+ | |||
+ | ===== Step 2: Extract the hash ===== | ||
+ | |||
+ | In order to use the BitLocker-OpenCL format, you must produce a well-formatted hash of your encrypted image. | ||
Use the //bitlocker2john// tool (john repo) to extract the hash from the password protected BitLocker encrypted volumes. | Use the //bitlocker2john// tool (john repo) to extract the hash from the password protected BitLocker encrypted volumes. | ||
<code> | <code> | ||
- | $ ../run/bitlocker2john minimalistic.raw | + | $ ../run/bitlocker2john -i /path/to/imageEncrypted |
+ | Opening file /path/to/imageEncrypted | ||
Signature found at 0x00010003 | Signature found at 0x00010003 | ||
Version: 8 | Version: 8 | ||
Invalid version, looking for a signature with valid version... | Invalid version, looking for a signature with valid version... | ||
+ | |||
Signature found at 0x02110000 | Signature found at 0x02110000 | ||
Version: 2 (Windows 7 or later) | Version: 2 (Windows 7 or later) | ||
- | VMK entry found at 0x021100b6 | ||
- | Key protector with user password found | ||
- | minimalistic.raw:$bitlocker$0$16$e221443f32c419b74504ed51b0d66dbf$1048576$12$704e12c6c319d00103000000$60$000000000000000000000000000000002d135e69646c157c15b4c273ad85b86513a1672ae3f531ce121889178c669d37f8e5e0100d331ce78484844c | ||
- | </code> | ||
- | ==== Method 2 ==== | + | VMK entry found at 0x021100d2 |
+ | VMK encrypted with user password found! | ||
+ | VMK encrypted with AES-CCM | ||
- | First, build the "bitlocker2john" (external repo: https://github.com/kholia/bitlocker2john) project from source. See https://github.com/libyal/libbde/wiki/Building for help. | + | VMK entry found at 0x021101b2 |
- | Second, use the built bitlocker2john project to extract hash(es) from the encrypted BitLocker volume. | + | VMK encrypted with Recovery key found! |
+ | VMK encrypted with AES-CCM | ||
- | <code> | + | $bitlocker$0$16$a149a1c91be871e9783f51b59fd9db88$1048576$12$b0adb333606cd30103000000$60$c1633c8f7eb721ff42e3c29c3daea6da0189198af15161975f8d00b8933681d93edc7e63f36b917cdb73285f889b9bb37462a40c1f8c7857eddf2f0e |
- | $ fdisk -l bitlocker-1.raw | + | $bitlocker$1$16$a149a1c91be871e9783f51b59fd9db88$1048576$12$b0adb333606cd30103000000$60$c1633c8f7eb721ff42e3c29c3daea6da0189198af15161975f8d00b8933681d93edc7e63f36b917cdb73285f889b9bb37462a40c1f8c7857eddf2f0e |
- | Disk bitlocker-1.raw: 256 MiB, 268435456 bytes, 524288 sectors | + | $bitlocker$2$16$2f8c9fbd1ed2c1f4f034824f418f270b$1048576$12$b0adb333606cd30106000000$60$8323c561e4ef83609aa9aa409ec5af460d784ce3f836e06cec26eed1413667c94a2f6d4f93d860575498aa7ccdc43a964f47077239998feb0303105d |
- | Units: sectors of 1 * 512 = 512 bytes | + | $bitlocker$3$16$2f8c9fbd1ed2c1f4f034824f418f270b$1048576$12$b0adb333606cd30106000000$60$8323c561e4ef83609aa9aa409ec5af460d784ce3f836e06cec26eed1413667c94a2f6d4f93d860575498aa7ccdc43a964f47077239998feb0303105d |
- | Sector size (logical/physical): 512 bytes / 512 bytes | + | |
- | I/O size (minimum/optimal): 512 bytes / 512 bytes | + | |
- | Disklabel type: dos | + | |
- | Disk identifier: 0xfd0b8218 | + | |
- | Device Boot Start End Sectors Size Id Type | + | </code> |
- | bitlocker-1.raw1 128 518271 518144 253M 7 HPFS/NTFS/exFAT | + | |
- | 128 (Start) * 512 (Sector size) => 65536 => volume offset | + | As shown in the example, it returns 4 output hashes with different prefix: |
+ | * If the device was encrypted using the User Password authentication method, bitlocker2john prints those 2 hashes: | ||
+ | * $bitlocker$0$... : it starts the User Password fast attack mode (see [[#User Password authentication method|User Password Section]]) | ||
+ | * $bitlocker$1$... : it starts the User Password attack mode with MAC verification (slower execution, no false positives) | ||
+ | * In any case, bitlocker2john prints those 2 hashes: | ||
+ | * $bitlocker$2$... : it starts the Recovery Password fast attack mode (see [[#Recovery Password authentication method|Recovery Password Section]]) | ||
+ | * $bitlocker$3$... : it starts the Recovery Password attack mode with MAC verification (slower execution, no false positives) | ||
- | $ ./bdetools/bdeinfo -o 65536 bitlocker-1.raw -p dummy | + | Samples BitLocker images for testing are available here: |
- | bdeinfo 20170204 | + | * https://github.com/e-ago/bitcracker/tree/master/Images |
+ | * https://github.com/kholia/libbde/tree/bitlocker2john/samples | ||
- | $bitlocker$0$16$73926f843bbb41ea2a89a28b114a1a24$1048576$12$30a81ef90c9dd20103000000$60$942f852f2dc4ba8a589f35e750f33a5838d3bdc1ed77893e02ae1ac866f396f8635301f36010e0fcef0949078338f549ddb70e15c9a598e80c905baa | + | ===== Step 3: Attack! ===== |
+ | |||
+ | Use the BitLocker-OpenCL format specifying the hash file: | ||
+ | <code> | ||
+ | ./john --format=bitlocker-opencl --wordlist=wordlist target_hash | ||
</code> | </code> | ||
- | For more help with bitlocker2john, see the following URLs, | + | Currently, this format is able to evaluate passwords having length between 8 (minimum password length) and 55 characters (implementation reasons). |
- | https://github.com/libyal/libbde/wiki | + | To avoid wasting compute resources, choose just one hash for this attack - either $bitlocker$0$... or $bitlocker$1$... |
- | https://github.com/libyal/libbde/wiki/Troubleshooting | + | |
- | ==== Cracking Process ==== | + | ===== Recovery Passwords (but you're out of luck cracking these, so just don't) ===== |
- | Use the BitLocker-OpenCL format specifying the previous hash: | + | The mask you can use to generate Recovery Passwords is: |
<code> | <code> | ||
- | ./john --format=bitlocker-opencl --wordlist=wordlist target_hash | + | --mask=?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d-?d?d?d?d?d?d |
</code> | </code> | ||
- | Currently, this format is able to evaluate passwords having length between 8 (minimum password length) and 27 characters (implementation reasons). | + | Please note that the number of possible Recovery Passwords is **way** too large, so there's effectively **no chance** that this will find yours unless you recall almost all of it (except for just a handful of digits) and replace most of the "?d" above with the known digits. |
- | We will increase the max passwords size in the next release. | + | |
+ | Recovery Passwords are currently only supported by the BitLocker-OpenCL format (for use on GPUs), not by the corresponding BitLocker CPU format, but like the above paragraph says it's a controversial feature anyhow, which is unlikely to ever help. | ||
+ | |||
+ | To avoid wasting compute resources, choose just one hash for this attack - either $bitlocker$2$... or $bitlocker$3$... | ||
+ | Samples of User Password/Recovery Passwords dictionaries you can user are available here: https://github.com/e-ago/bitcracker/tree/master/Dictionary | ||
===== Output ===== | ===== Output ===== | ||
- | We tested our final OpenCL solution on a GeForce Titan X, Maxwell architecture (Openwall). An output example is: | + | An output example is: |
<code> | <code> | ||
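Review bot: the new Step 3 text "choose just one hash for this attack - either $bitlocker$0$... or $bitlocker$1$..." leaves the reader with the four-line output shown in Step 2 and no hint how that single hash ends up in target_hash; suggest one sentence saying to copy or redirect the chosen line into the hash file before running john, since bitlocker2john prints all four. Two wording slips in the added text as well: "regardless the authentication method" should read "regardless of the authentication method", and "dictionaries you can user" should be "dictionaries you can use". Finally, the Step 1 dd example uses conv=noerror,sync without a bs= option, so unreadable sectors are silently zero-filled in 512-byte blocks with nothing in the transcript to show it; a short caveat that a padded image may fail the signature scan would help.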
Line 85: | Line 120: | ||
</code> | </code> | ||
+ | |||
+ | This OpenCL implementation has been tested on a GPU NVIDIA GeForce Titan X (Openwall), GPU AMD Radeon HD 7990 Malta and an Intel Core i7 CPU. | ||
+ | For additional information about performance, see https://github.com/e-ago/bitcracker#performance | ||
+ | |||
+ | ===== Updates and changelog ===== | ||
+ | |||
+ | 12/19/2017 | ||
+ | * Now BitLocker-OpenCL supports 4 different attack modes: User Password fast attack, User Password with MAC verification (performance decreased), Recovery Password, Recovery Password with MAC verification (performance decreased) | ||
+ | * Max password length increased to 55 | ||
+ | |||
+ | Next Update: | ||
+ | * Provide a Recovery Password dictionary | ||
+ | |||
===== References, license and contacts ===== | ===== References, license and contacts ===== | ||
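Review bot: the changelog item "Next Update: Provide a Recovery Password dictionary" is stale, because the same revision already points readers (end of Step 3) to https://github.com/e-ago/bitcracker/tree/master/Dictionary for User Password/Recovery Password dictionaries; either drop the item or reword it to say what is still pending. Also suggest writing the changelog date "12/19/2017" as 2017-12-19, matching the unambiguous timestamps the page history itself uses.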