How to: Crack Bitlocker encrypted drives

Captions
All right, what's up. Today we'll be cracking BitLocker-encrypted drives using John the Ripper, hashcat and FTK Imager. So the first thing you want to do is install hashcat and John the Ripper if you don't already have those. I'll link a video up here and you guys can go download that right now. But once you've done that, we're going to now download FTK Imager. So if you go to AccessData FTK Imager, you're gonna have to enter in some information and they'll email you a download link, and then you can download it for free. I'll put the link to this in the video description so you guys can just click on that and go straight there.

Once you have FTK Imager installed, let's make sure we have our BitLocker drive. So my BitLocker drive is Local Disk L. It's 300 gigs and it is encrypted with BitLocker, as seen by the little prompt right here. If I enter in the password, it'll unlock it and I can see the text file. So let's go into the BitLocker settings and see how we did that. You can go into Manage BitLocker and you can see that my C drive is BitLockered, and it's different from my L drive, which is also BitLockered, and both have a different password. So if you have a drive and you want to BitLocker it, turn on BitLocker, enter in your key, and save your password recovery key to either your Microsoft account or a text file. You can't save the text file to an already BitLockered drive, because if you lose a password then your recovery file is obsolete.

So make sure that is BitLockered, and then we're going to image the drive, and that is how we're going to extract the hash. So if we head on over to FTK Imager: this is a forensics tool used by industry professionals, but it's free because it's just the imager portion. There's also FTK, which goes more into the forensics. So we're going to File and we're going to Create Disk Image. Click that, we're going to do a Physical Drive, click Next, and then choose the drive you want, so mine is the 300-gigabyte IDE drive. Click Finish, and now we're going to add the image destination. So we're going to choose Raw, that's the dd. Don't do SMART, E01 or AFF; this will not work. Click Next, type in some case numbers, some notes, click Next, and then give it a file name. This will have to be on a drive that is larger than your BitLocker drive, so I have New Volume F; this is a one-terabyte drive that I have. Hit OK, give it the file name, so I did disk image dot image, and then fragment size: you want this all in one file, so for E01 and raw you can just set the fragment size to zero and this will make sure that it does not fragment; it will be one large file. Do not use AD encryption, and you're good to go. Hit Finish and then Start. If you want to see progress, you can hit this little check and it'll show you how long it's going to take and stuff like that. I already have this done. It does take a while, so just keep that in mind. We're going to hit Cancel here; you guys are going to hit Start, though.

Once we have our image, we're going to go over to where it's stored, so mine is New Volume, and it's going to look like this. And the disk image.image.001.txt, no, not txt, that's the file that tells you all the information about your image; just the .001, that is your image file. We hit Properties on this: it is 279 gigabytes, which is the usable space on my 300-gigabyte drive.

Let's close this, and we're going to run Jumbo John on it. So I'm going to open up a new File Explorer, not close my old one. We're going to head over to my Jumbo John, go into the run file, use our little trick we learned in our last video, which I'll link up here, type in cmd, and we get our Jumbo John. So what we're going to do here is run bitlocker2john.exe, put dash i for the interface, we want to do the image file, sorry, and my image file is on drive F, so we're going to type in drive F and it's disk image.001, and we're going to hit Enter. And it's going to take a while. So it's going to look for signatures, it's going to find a bunch of VMK entries at the different memory points, and it's going to take a while. It's going to keep finding them until it has all the ones that it needs, and it's going to spit out a little hash.

Let's go look at the hash that I have right now. It's like bitlocker.txt. It's going to spit out a hash; it's actually spit out four of them. I can't actually bring this up for you right now. All right, so this is the documentation that I used to make this video. I'll also put this down in the video description if you guys need a little bit extra help. But this is what it's going to end up looking like: you're going to get these four hashes. This is an older version of the bitlocker2john, so it doesn't look exactly like this, but you're going to have four hashes. One is for password, and then one is a password that's not going to give you any false positives, and then another one is the recovery key, and then another recovery key that doesn't have any false positives. The non-false-positive ones are slower and they take a little bit longer to crack, but you're not going to get any false positives, so if you're worried about that, run those instead of the originals.

We're going to be using a user password attack instead of the recovery key, because my user password is very easy, it's very simple, it's gonna be cracked with a word list relatively quickly. If we were doing a drive we didn't know the password at all, or if we knew that it had a really long and complex password, we might do a recovery password fast attack. This is because we know the mask, so the mask is a bunch of digits, a dash, bunch of digits, dash, and it keeps on going on for a long time. So that would take forever, but it would be a lot faster than if we knew they had like a 20 or 30 character password with alphanumeric and some special characters.

So it's going to spit out that hash, and what we're going to do with that hash is we're going to copy it and we're going to paste it into a text file in our hashcat folder. Now, you can also crack this with John, but I'm just much more comfortable with hashcat, and I know that hashcat's going to crack it a lot faster than John is. So we're going to open up a hashcat command prompt and we're going to run hashcat (it's just hashcat now, isn't it, there's no hashcat64 anymore), dash n, and then the key for BitLocker is 22100, and then we're going to give it our bitlocker.txt file that we made, put the hash in it, and then we're also going to give it a password list, and I'm going to use rockyou because that's the one that I have in here. We're going to enter, it's going to start.

All right, now it's running. You can see it's going to take 871 megabytes to run. I'm also using the new CUDA platform. If you want to see more about this, you can watch my other video about hashcat 6.0, and I'll link that up the top. It's got a lot of new features and cool stuff. I'm just going to move this over here on the right side so we can see John and hashcat over here. It's cracking at 1704 hashes per second, so it's not really a fast hash like WPA, but it's also not really a slow hash like earlier, my iTunes cracking, that I'll also put at the top of the video so you guys can watch that there. Here we go, and you can see that it cracked our BitLocker hash, and the hash ended up being password.

So obviously if you have a more complex password, it's going to take longer depending on the word lists you use. If it's not a word list, you have to brute force it; then I recommend using the recovery key and not the user password. Running the Jumbo John bitlocker2john does take a long time. I let it run overnight for mine. It's going to take longer if you have a larger drive, so if your drive is a terabyte or two terabytes it might take an entire day to run, but if you have smaller things like 100 gigs or 50 gigs or USB, this could go very quickly, in a matter of hours.

If you guys like this video, hit like, get subscribed, hit that bell icon to see all my future videos. If you guys didn't like this video, you know what to do, but I'll see you guys all later.
Info
Channel: Pentests and Tech
Views: 288,852
Keywords: Pentests and Tech, Luke, LeCain, Hacking, Hacker, Bitlocker, Windows Bitlocker, Encrypted drive, Hashcat, Johntobitlocker, Jumbo John, JTR, John the ripper, Cracking windows
Id: gue6suh7ZlM
Length: 9min 54sec (594 seconds)
Published: Thu Jul 16 2020