Updated README.Bitlocker
Updated README.Bitlocker to include Python script usage.
holly-o committed Nov 8, 2024
1 parent 738591c commit 1d33f8f
Showing 2 changed files with 40 additions and 4 deletions.
42 changes: 39 additions & 3 deletions doc/README.BitLocker
Expand Up @@ -5,9 +5,11 @@ Step 1: Extract the hash
------------------------

In order to use the BitLocker-OpenCL format, you must produce a well-formatted
hash from your BitLocker encrypted image. Use the bitlocker2john tool to
extract hashes from password protected BitLocker encrypted volumes. It returns
four output hashes with different prefixes:
hash from your BitLocker encrypted image. Use the tool run/bitlocker2john.py to
extract hashes from password protected BitLocker encrypted volumes.
Usage: python3 bitlocker2john.py <bitlocker_image> [-o <bitlocker_partition_offset>]

It returns four output hashes with different prefixes:

* If the device was encrypted using the User Password authentication method,
bitlocker2john prints these two hashes:
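Review bot: The added Usage line does not say what unit <bitlocker_partition_offset> is in, or when -o can be left out. The example further down passes "-o 4194304", which reads like a byte offset; please state the unit explicitly and say in one sentence what the script does when -o is omitted, since the brackets mark it as optional. The bullets that follow still say "bitlocker2john prints these two hashes", so it would also help to note whether the Python script and the compiled tool emit the same four lines.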
Expand All @@ -20,6 +22,40 @@ four output hashes with different prefixes:

Hash extraction example,

$ python3 bitlocker2john.py bitlocker_image -o 4194304

[+] BitLocker signature found: -FVE-FS-
[+] Identified volume GUID: 4967D63B-2E29-4AD8-8399-F6A339E3D001 = BitLocker
[+] FVE metadata info found at offsets ['0x2500000', '0x42500000', '0x82500000']

Parsing FVE block...

Parsing FVE metadata header...
Metadata size: 820
Volume GUID: F23E2E52-12F0-4066-94B6-F91C9A1A1D91
Encryption method: 0x80028002

Parsing FVE metadata entry...
Entry size: 68
Entry type: 0x7 = Computer description
Value type: 0x2 = UTF-16 string

Parsing description...
Info: DESKTOP-J5HJVN9 E: 12/08/2022

...

The following hashes were found:
$bitlocker$0$16$4a67bc123abedc43d60b3ece78ec6d1e$1048558$12$a015f77b68aed80103000000$60$2dbacf4710d3d42aa4f7baeedff85d72fc892f8f3457271901c0d2eccc3de890f081b3335740a5b5f1473892569ec0455d1aa2fd0075ac073a5f7b2a
$bitlocker$1$16$4a67bc123abedc43d60b3ece78ec6d1e$1048558$12$a015f77b68aed80103000000$60$2dbacf4710d3d42aa4f7baeedff85d72fc892f8f3457271901c0d2eccc3de890f081b3335740a5b5f1473892569ec0455d1aa2fd0075ac073a5f7b2a
$bitlocker$2$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7
$bitlocker$3$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7


Alternatively, run the compiled program bitlocker2john, which is normally
built from source along with the rest of John the Ripper and is included
pre-built in John the Ripper binary releases.

$ ../run/bitlocker2john minimalistic.raw # operate on a disk image
Signature found at 0x00010003
Version: 8
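Review bot: In the example output, the $bitlocker$2$ and $bitlocker$3$ lines declare a 60-byte final field, but the hex string after "$60$" is 119 characters, one short of the 120 carried by the $bitlocker$0$ and $bitlocker$1$ lines, so they look truncated in the paste. Please re-copy them from the tool output so the documented example can be loaded as-is. The sample also includes what looks like a machine name in "Info: DESKTOP-J5HJVN9 E: 12/08/2022"; if that came from a real system, a placeholder would be preferable in shipped documentation.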
2 changes: 1 addition & 1 deletion run/bitlocker2john.py
@@ -1,4 +1,4 @@
#!/usr/bin/python3
#!/usr/bin/env python3

# Usage: python3 bitlocker2john.py <bitlocker_image> -o <bitlocker_partition_offset>
# Supported modes:
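Review bot: The usage comment directly under the shebang still reads "-o <bitlocker_partition_offset>" without brackets, while the README text added in this commit documents it as "[-o <bitlocker_partition_offset>]". Please make the two agree so the script header and the documentation describe the same interface. The commit message mentions only the README update; the shebang change to "#!/usr/bin/env python3" deserves a line there as well, or its own commit.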