A mono-GPU password cracking tool

BitLocker is a full disk encryption feature included with Windows Vista and later.

It is designed to protect data by encrypting entire volumes. By default it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key.

BitLocker can use three authentication mechanisms in order to implement encryption:

  • Transparent operation mode: This mode uses the capabilities of TPM 1.2 hardware to provide for a transparent user experience: the key used for disk encryption is encrypted by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified.
  • User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN or password.
  • USB Key Mode: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS.

BitCracker is a mono-GPU password cracking tool developed only for volumes encrypted with the password authentication mode.

Our attack has been tested on several memory units encrypted with BitLocker running on Windows 7, Windows 8.1 and Windows 10 (both compatible and non-compatible mode).


How to build BitCracker

From the GitHub page:

Use the build.sh script to build 3 executables:

  • hash extractor
  • BitCracker CUDA version
  • BitCracker OpenCL version

The executables are stored in the build directory.
Before starting the attack, you need to run bitcracker_hash to extract the hash from the encrypted memory unit.

> ./build/bitcracker_hash -h
Usage: ./build/bitcracker_hash -i <Encrypted memory unit> -o <output file>
Options:
  -h, --help     Show this help
  -i, --image       Path of memory unit encrypted with BitLocker
  -o, --outfile     Output file

The extracted hash is fully compatible with the John the Ripper format.

Then you can use the output hash file to run the BitCracker attack.

> ./build/bitcracker_cuda -h
Usage: ./build/bitcracker_cuda -f <hash_file> -d <dictionary_file>
Options:
  -h, --help     Show this help
  -f, --hashfile    Path to your input hash file (HashExtractor output)
  -s, --strict      Strict check (use only in case of false positives)
  -d, --dictionary  Path to dictionary or alphabet file
  -g, --gpu         GPU device number
  -t, --passthread  Set the number of password per thread threads
  -b, --blocks      Set the number of blocks

In the run_test.sh script there are several attack examples using the encrypted images provided in this repo:

  • imgWin7: memory unit encrypted with BitLocker using Windows 7 Enterprise edition OS
  • imgWin8: memory unit encrypted with BitLocker using Windows 8 Enterprise edition OS
  • imgWin10Compatible.vhd: memory unit encrypted with BitLocker (compatible mode) using Windows 10 Enterprise edition OS
  • imgWin10NonCompatible.vhd: memory unit encrypted with BitLocker (NON compatible mode) using Windows 10 Enterprise edition OS
  • imgWin10CompatibleLong27.vhd: memory unit encrypted with BitLocker (compatible mode) using Windows 10 Enterprise edition OS with the longest possible password (27 characters)

Currently, BitCracker is able to evaluate passwords with a length between 8 characters (the minimum password length) and 27 characters (an upper limit imposed for implementation reasons).

BitCracker doesn’t provide any mask attack, cache mechanism or smart dictionary creation; therefore you need to provide your own input dictionary.
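
For defenders, the two limits above (the 8 to 27 character window and dictionary-only input) can be turned into a password exposure audit. The following is an added example, not code from the BitCracker project; the function names, the Exposure categories and the sample data are assumptions made for illustration, and length is counted in characters.

```python
# Added example (not BitCracker code): audit passwords against the limits stated above.
from enum import Enum

MIN_LEN, MAX_LEN = 8, 27  # length window the page gives for evaluated passwords


class Exposure(Enum):
    OUT_OF_RANGE = "outside the 8-27 character window the tool evaluates"
    IN_DICTIONARY = "in range and present in the dictionary"
    NOT_IN_DICTIONARY = "in range but absent from this dictionary"


def load_candidates(lines):
    """Return (usable entries, skipped count) for a dictionary-only run."""
    usable, skipped = set(), 0
    for line in lines:
        word = line.rstrip("\r\n")  # tolerate Windows and Unix line endings
        if MIN_LEN <= len(word) <= MAX_LEN:
            usable.add(word)
        elif word:  # non-empty entry the tool would never match
            skipped += 1
    return usable, skipped


def classify(password, usable):
    """Classify one password against the length window and the dictionary."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return Exposure.OUT_OF_RANGE
    return Exposure.IN_DICTIONARY if password in usable else Exposure.NOT_IN_DICTIONARY


def audit(passwords, dictionary_lines):
    """Return ({password: Exposure}, usable entry count, skipped entry count)."""
    usable, skipped = load_candidates(dictionary_lines)
    return {p: classify(p, usable) for p in passwords}, len(usable), skipped


# Constructed sample data: a tiny wordlist and passwords from a hypothetical policy review.
SAMPLE_DICTIONARY = "password\r\nletmein\nSummer2024!\ncorrecthorsebatterystaple\n\nshort\n"
SAMPLE_PASSWORDS = ["Summer2024!", "xK9#mQ2$vL7@", "a-very-long-passphrase-over-27-chars"]

if __name__ == "__main__":
    results, usable, skipped = audit(SAMPLE_PASSWORDS, SAMPLE_DICTIONARY.splitlines(True))
    print(f"{usable} usable dictionary entries, {skipped} outside the length window")
    for password, exposure in results.items():
        print(f"{password!r}: {exposure.value}")
```

OUT_OF_RANGE only means the tool as described here would not evaluate that password; it says nothing about other tools or future versions.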


More information and downloads

https://github.com/e-ago/bitcracker
