Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trouble using bitlocker2john.py #5644

Open
exaghost opened this issue Dec 30, 2024 · 7 comments
Open

Trouble using bitlocker2john.py #5644

exaghost opened this issue Dec 30, 2024 · 7 comments
Labels

Comments

@exaghost
Copy link

exaghost commented Dec 30, 2024

Hello,
I'm experimenting with a 500 GB full DD image (the whole disc, not only the bitlocker partition) with Bitlocker enabled. That's a TPM only setup, what as far I know unsupported/impossible to recover. Okay, I accept, but a warning/error message would be useful in this case. Tried bitlocker2john.py and bitlocker2john.exe. Latest git versions. Observations:

  • The command bitlocker2john.exe -i e:\XXX\YYY.img runs okay, found 34 occurances of
    Signature found at 0x5f4202 Version: 79 Invalid version, looking for a signature with valid version... till Signature found at 0x27400003 Version: 8 Invalid version, looking for a signature with valid version... Then found 3 occurances of
    ** Signature found at 0x315de000 Version: 2 (Windows 7 or later)
    ** Signature found at 0x6cf4c000 Version: 2 (Windows 7 or later)
    ** Signature found at 0xae28f000 Version: 2 (Windows 7 or later)
    In the end Error while extracting data: No signature found! In the meantime I tried bitlocker2john.py.

  • First bitlocker2john.py command was: bitlocker2john.py e:\XXX\YYY.img -o 828235776 (DEC of 0x315de000)
    [!] Supplied image path is not a BitLocker partition. Try specifiying the offset of the BitLocker partition with -o

Tried inc./decreasing offset, and voilà:
bitlocker2john.py e:\XXX\YYY.img -o 828235773
[+] BitLocker signature found: -FVE-FS-
[+] Identified volume GUID: 65124796-AA2D-2B6D-1F49-65C44EEEB3A7 = None
[+] FVE metadata info found at offsets ['0x49b683ab5a80b8aa', '0x9ef49ce942710b33', '0x20007007974a835']

Parsing FVE block...

Parsing FVE metadata header...
Traceback (most recent call last):
File "C:\ [...] bitlocker2john.py", line 240, in
main()
File "C:\ [...] bitlocker2john.py", line 225, in main
parse_fve_metadata_block(FVE_metadata_block)
File "C:\ [...] bitlocker2john.py", line 136, in parse_fve_metadata_block
metadata_size = parse_fve_metadata_header(fve_metadata_header)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\ [...] bitlocker2john.py", line 174, in parse_fve_metadata_header
metadata_size = uint_to_int(block[0:4])
^^^^^^^^^^^^^^^
File "C:\ [...] bitlocker2john.py", line 56, in uint_to_int
return int(b[::-1].hex(), 16)
^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 16: ''

Strange behavior with the offsets.. All 3 off by 3 (828235776 vs 828235773). Also a HEX support for -o offsets would be great.
I don't consider this as a serious bug, but undefined behavior. Hope I can help improving the bitlocker2john tools.

@exaghost exaghost changed the title Trouble using bitlocker2john-py Trouble using bitlocker2john.py Dec 30, 2024
@solardiz solardiz added the bug label Dec 31, 2024
@solardiz solardiz added this to the Potentially 2.0.0 milestone Dec 31, 2024
@solardiz
Copy link
Member

Thank you @exaghost!

@holly-o Please take a look at the issues reported in here. Thank you!

@holly-o
Copy link
Contributor

holly-o commented Dec 31, 2024

Thank you - some things for me to look at!

It is off by 3 compared with bitlocker2john.exe since bitlocker2john.exe looks to match the signature "-FVE-FS-" whereas bitlocker2john.py will take the offset to the start of the volume, and the boot entry point (0xeb5890) is the first three bytes before the signature.

Since bitlocker2john.exe takes the approach just to search for the string "-FVE-FS-", I would suggest that maybe this is not an indication of the start of a BitLocker volume, but some other occurrence of that string. The volume GUID 65124796-AA2D-2B6D-1F49-65C44EEEB3A7 is not indicative of any particular volume type, in fact I can find no reference to it anywhere, and the offsets to FVE metadata exceed the bounds of the 500GB image. This suggests that at this point the script is not in fact reading the start of a BitLocker volume.

My approach to find the BitLocker volume within the image is to use mmls to see the partitions or open the image in something like FTK imager to find the exact offset to use.

I will take a look at adding the option to read the offset as hex, and also to make sure that it is not trying to seek out of bounds of the size of the image, so that the script does not error in the way you have seen here. I may also add a check that the GUID is one of the recognised GUIDs before proceeding.

@exaghost
Copy link
Author

exaghost commented Jan 2, 2025

Hello, @holly-o !
Thank you for the fast replay. I made some progress, and interesting findings! With the new version of your script, I reexamined result of bitlocker2john.exe. Neither of the three "valid" offsets worked, BUT the last "invalid" did worked.

Signature found at 0x27400003
Version: 8
Invalid version, looking for a signature with valid version...

c:[..]\bitlocker2john.py g:\XXX\YYY.img -o 0x27400003 (Yes I tweaked script to accept offset as is, by subtracting 3.)
[+] BitLocker signature found: -FVE-FS-
[+] Identified volume GUID: 4967D63B-2E29-4AD8-8399-F6A339E3D001 = BitLocker
[+] FVE metadata info found at offsets ['0x315de000', '0x6cf4c000', '0xae28f000']

Parsing FVE block...

Parsing FVE metadata header...
Metadata size: 16830
Volume GUID: 5DE525AB-1170-4ED9-AF92-F41A46839E73
Encryption method: 0x8004

Parsing FVE metadata entry...
Entry size: 80
Entry type: 0xb = FVEK backup
Value type: 0x5 = AES-CCM encrypted key
Parsing AES CCM key...

Parsing FVEK...
Mac: d22308002ae2672d728f5de21d247c67
Nonce: 50d9d8ff118ed90102000000
Encrypted data: bc9674708ccce72ee3065816622daa6d2b1f4965c44eeeb3a7add82229ab83b649362b1311e99cf49e38c816

Parsing FVE metadata entry...
Entry size: 72
Entry type: 0x7 = Computer description
Value type: 0x2 = UTF-16 string

Parsing description...
Info: OMITTED but it was the actual hostname.

Parsing FVE metadata entry...
Entry size: 80
Entry type: 0x3 = FVEK
Value type: 0x5 = AES-CCM encrypted key
Parsing AES CCM key...

Parsing FVEK...
Mac: 8053efd490bb4a98fa999e9cf258c751
Nonce: 90ab9a08128ed90109000000
Encrypted data: 48ceb3fc4bcafa5328b7e32f83e9d00e4b3de33b4857476d8d0de7e37bbfde0aac6cee2bc6556b4d6d02956a

Parsing FVE metadata entry...
Entry size: 7568
Entry type: 0x4 = Validation
Value type: 0x7 = Validation

No hashes associated with the user password or recovery password found. Exiting...

Observation:
Seems like bitlocker2john.exe is buggy, does not recognize valid bitlocker offset, but bitlocker2john.py does. I'm going to further investigate on partition scheme of image.

@exaghost
Copy link
Author

exaghost commented Jan 5, 2025

A quick look on image partition scheme:

$ mmls XXX.img
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

  Slot      Start        End          Length       Description

000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0001023999 0001021952 EFI system partition
005: 001 0001024000 0001286143 0000262144 Microsoft reserved partition
006: 002 0001286144 0967014399 0965728256 Basic data partition
007: 003 0967014400 0976773119 0009758720 Basic data partition
008: ------- 0976773120 0976773375 0000000256 Unallocated

@holly-o
Copy link
Contributor

holly-o commented Jan 6, 2025

That offset seems ok then for partition 006, since 512 * 1286144 = 658,505,728 = 0x27400000

@solardiz
Copy link
Member

I think this issue was taken care of by a commit in #5623 (even though it should have been a separate PR). Please confirm. Thank you @holly-o and @exaghost!

@holly-o
Copy link
Contributor

holly-o commented Jan 21, 2025 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants