bitlocker

APTI

I have been exploring Kali. I have two goals; the first one is to be able to hack a physical drive that is encrypted with bitlocker. For this we will assume that the client does not have the password or key to decrypt; let's say the computer was encrypted by an employee that they fired and now they can't access the PC data or boot into it. I have explored bitcracker but it is 8 years old, out of date and I can't get it to build without errors.
Is there something else out there, not to mount bitlocker encrypted drives, but to get the key or password or just directly access the data for the client?
 


You don't provide critical information, which is, whether that drive was encrypted with TPM or with plain password?
 
You don't provide critical information, which is, whether that drive was encrypted with TPM or with plain password?
Since this is hypothetical, using some past experience, let us say there are 2, one with each. The idea here is next time I do not want to tell the client "tough luck, next time do not encrypt". I have run into people that lose a password so they can't access the PC, but the drive was encrypted so I can't use chntpw because I can't access the drive. I must take the step of getting past bitlocker, then fix the password issue.
The client will have no idea if they used a plain password or TPM because they are not technical; they just saw the option to encrypt the drive and said "Hey that sounds like a great idea, let me hit that." Famous last words, like "Hold my beer and watch this". They would have stored the key file on the drive or on a lost drive, and since they do not have the password to get into Windows they are stuck.
 
Kali has PowerShell integrated, and there is a PS cmdlet that lets you unlock a drive with the command:

Perl:
Unlock-BitLocker -MountPoint "E:" -Password $SecureString

What I would do is write a loop in PS that would iterate this same cmdlet over and over again by pulling passwords out of a wordlist.

Kali has some default wordlists and also tools to generate your own.

One problem I can think of is that I'm not sure how to mount bitlocker encrypted drive in Kali, and even if you could this commandlet won't work in Linux, it's Windows only, likely no such method exists by default in Kali, but there are methods to launch powershell in WinRE for ex:

And then run the script with parameter to wordlist which loops over it attempting to unlock.

Another problem is that this will be bruteforcing, which can take a long time.
 
I hate windoze so I will not use it to hack, and in these cases you have the PC in hand but can't boot it for whatever reason, most likely lost password to log in so windows out of the mix for both reasons. Or possibly the motherboard is blown.
I can mount the encrypted drive in linux using dislocker but that requires the key or password. I do not mind a brute force because the system will be in shop until finished and people understand that can take time.
 
I can mount the encrypted drive in linux using dislocker but that requires the key or password.
I see, it should be as easy as to run a loop that reads a wordlist and runs dislocker until success.
Any scripting language should do.
 
1) make sure "dislocker" is installed
2) Next, we are going to create a Folder so we can mount the Drive.
sudo mkdir /media/bitlocker
sudo mkdir /media/mount
3) find your disk - sudo fdisk -l
4) Now we are going to use Dislocker to Decrypt the Drive. Make sure to replace -uYourPassword with your password and sde1 with your drive description! But leave the -u in front of it. So if your password is Horseradish the command should call: -uHorseradish . Alternatively, just leave it at -u and you will get prompted for the password.

sudo dislocker -r -V /dev/sde1 -uYourPassword -- /media/bitlocker

5) Mount your drive
sudo mount -r -o loop /media/bitlocker/dislocker-file /media/mount
You should be able to open it

You can also make a script file to open it.
You need to create a new file in our /usr/local/bin path, so you can access the script from everywhere.

sudo gedit /usr/local/bin/unlock.sh
Go ahead and paste the script into your Text File. Make sure you adjust it to your own Drive Letters etc.

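#!/bin/bash
# Decrypt the BitLocker volume read-only; -u with no value prompts for the user password
sudo dislocker -r -V /dev/sde1 -u -- /media/bitlocker
# Mount the decrypted dislocker-file read-only via a loop device
sudo mount -r -o loop /media/bitlocker/dislocker-file /media/mount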

Save the File by hitting CTRL+S. Adjust the permission to make the File executable:

sudo chmod +x /usr/local/bin/unlock.sh

So the next time you restart and need to access your USB Drive again, simply open a Terminal and type:

sudo unlock.sh

And you will need to enter your Sudo Password and your Bitlocker Password and your Drive will be unlocked and automatically mounted.
 
You completely missed the point. Don't be sad I do it too if I do not read something fully.
I do not need to know how to mount a bitlocker drive, I can do that with the password or key. This is the case where we do not have the key or password, the motherboard is burned out and we can't access the drive now. This post was about how we can crack bitlocker so we can get to the steps you mentioned.
 
but that requires the key or password
Note that you don't need a *.BEK file, only password will do:

Bash:
Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
    with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-K VMK_FILE|-c


DECRYPTMETHOD can be password only, for which all you need is wordlists.
A simple PS script or bash script will work in Kali just fine.

To make bruteforcing as fast as possible I'd suggest to use rainbow tables.

EDIT:

To make bruteforcing as fast as possible I'd suggest to use rainbow tables.
See this:
 
I see, it should be as easy as to run a loop that reads a wordlist and runs dislocker until success.
Any scripting language should do.
Sounds like the biggest scourge on the planet (MS and bitlocker) has nothing to hack it? Can't we rip it off one of the government offices that hacks them?
Might want to look at this video -
I saw that and it is great for that kind of laptop. The pinouts are not the same from system to system and even the chipset is not always easy to find. So I would have to make something in hardware to hack each pinout. Not feasible. However, that only works if you have the pinouts, the right pinouts, a piece of hardware to fit each kind of pinout, and the motherboard has to be functional, which I said in the assumptions that the motherboard was blown. That would mean we can't access info in the TPM if it is still there.

I was interested in the video when I saw it and went checking other systems to see and found what I just mentioned.
 
Note that you don't need a *.BEK file, only password will do:

Bash:
Usage: dislocker [-hqrsv] [-l LOG_FILE] [-O OFFSET] [-V VOLUME DECRYPTMETHOD -F[N]] [-- ARGS...]
    with DECRYPTMETHOD = -p[RECOVERY_PASSWORD]|-f BEK_FILE|-u[USER_PASSWORD]|-k FVEK_FILE|-K VMK_FILE|-c


DECRYPTMETHOD can be password only, for which all you need is wordlists.
A simple PS script or bash script will work in Kali just fine.

To make bruteforcing as fast as possible I'd suggest to use rainbow tables.

EDIT:


See this:
The bitcracker is what I originally mentioned. If you look at the GitHub it is 6 or 7 years old, which is very obsolete, plus I can't get it to build.
 
The bitcracker is what I originally mentioned. If you look at the GitHub it is 6 or 7 years old, which is very obsolete, plus I can't get it to build.
Ah sorry, I saw you mentioned something but I forgot what it was.

What kind of build errors do you get?
Do you have CUDA capable Nvidia?
 
I've never used it, although I've known a few who have and lost the USB key and were unable to get onto their laptop computer.

I wound up changing the HDD with a new HDD and then reinstalled the Windows OS which is what they wanted to do.
 
Screenshot_2024-05-09_15_48_51.png

This is what happens when I try to build bitcracker. This is on a VM, so no GPU really. At the moment I do not have a convenient system to install, so I do testing on a VM.
 
I've never used it, although I've known a few who have and lost the USB key and were unable to get onto their laptop computer.

I wound up changing the HDD with a new HDD and then reinstalled the Windows OS which is what they wanted to do.
I run a shop and I do not want to tell people they made a stupid choice and lost it all, even if that is the truth. I'd rather tell them they made a stupid choice but I was able to get their stuff anyway and next time do not be stupid. Besides, it is something else I can offer clients and make money on.
 
@APTI
Have you tried any of the workarounds?
Like this one:
I just went through that and it didn't help much. I was able to make a change that showed me more errors, which I then fixed, but I am still getting tons of syntax errors in the build. I will continue looking at this when I come back to work on Monday.
 
I run a shop and I do not want to tell people they made a stupid choice and lost it all, even if that is the truth. I'd rather tell them they made a stupid choice but I was able to get their stuff anyway and next time do not be stupid. Besides, it is something else I can offer clients and make money on.
I don't think bitlocker is a stupid choice in this day and age for laptop and mobile devices as long as the bitlocker user has provided for themselves a backup replacement key / device.
 
