Added bitlocker2john.py #5564

Merged (3 commits), Nov 9, 2024
Conversation

holly-o (Contributor) commented Nov 5, 2024

Added Python script to extract hashes for BitLocker-encrypted volumes

Added Python script to extract hashes for BitLocker-encrypted volumes
solardiz (Member) commented Nov 5, 2024

Thank you @holly-o.

@exploide You might want to help us review this, although since it's a new script we can as well merge first - it shouldn't hurt.

solardiz (Member) left a comment

The script is missing a shebang line. Is it Python 3 only or is it also compatible with Python 2? Depending on this, please start it with either #!/usr/bin/env python3 or #!/usr/bin/env python. For this sort of update to the main script within this PR, please amend the one existing commit and force-push.

You might also want to update doc/README.BitLocker to mention this script as (the recommended?) alternative to our compiled bitlocker2john program (making that program a secondary choice?)

Removed references to hashcat and updated comments to reflect that both user password and recovery key hashes are supported.
holly-o requested a review from solardiz November 6, 2024 13:40

solardiz (Member) left a comment

Thank you for these updates, they mostly look good. I suggest a couple of minor edits, can you please incorporate those as well?

For such fixups within a PR, we normally amend the existing commit and force-push, not add more commits. But if you're not used to working like that (or if the git client software you use doesn't let you), it's OK if you add commits (I will then need to temporarily allow squash-and-merge for this repo and use that on this specific PR).

Thanks again!

$bitlocker$3$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7
Alternatively, run compiled script bitlocker2john. Found at tools/john/src/bitlocker2john.c

solardiz (Member):

The C program isn't a script and we do not have a tools/john directory and people are not expected to compile just one C file manually. So I'd replace this line with:

Alternatively, run the compiled program bitlocker2john, which is normally
built from source along with the rest of John the Ripper and is included
pre-built in John the Ripper binary releases.

@@ -0,0 +1,240 @@
#!/usr/bin/python3
solardiz (Member):

Please use the env trick here for consistency with our other scripts and not to rely on the specific location of python3. So the line should be:

#!/usr/bin/env python3

solardiz (Member) commented Nov 7, 2024

This failed our CI whitespace-errors check, please also fix this minor detail:

Run git diff-index --check --cached b1b622f691d40196815939e4736a5da71befd206
doc/README.BitLocker:9: trailing whitespace.
+extract hashes from password protected BitLocker encrypted volumes. 
run/bitlocker2john.py:4: trailing whitespace.
+# Supported modes: 
run/bitlocker2john.py:100: trailing whitespace.
+    print("\nParsing description...")    
run/bitlocker2john.py:105: trailing whitespace.
+    print("\nParsing volume header block...")        
run/bitlocker2john.py:150: trailing whitespace.
+        
run/bitlocker2john.py:158: trailing whitespace.
+    entry_size = uint_to_int(block[0:2]) 
run/bitlocker2john.py:160: trailing whitespace.
+    value_type = uint_to_int(block[4:6]) 
run/bitlocker2john.py:219: trailing whitespace.
+        
run/bitlocker2john.py:226: trailing whitespace.
+        

solardiz (Member) commented Nov 7, 2024

Oh, we also need to add a doc/NEWS entry mentioning this contribution.

holly-o force-pushed the bleeding-jumbo branch 2 times, most recently from 1e3e4cb to 1d33f8f on November 8, 2024 11:34
Updated README.Bitlocker to include Python script usage.
Fixed whitespace.
Updated doc/NEWS
solardiz merged commit 74a3b7a into openwall:bleeding-jumbo Nov 9, 2024 (35 of 36 checks passed)
$bitlocker$0$16$4a67bc123abedc43d60b3ece78ec6d1e$1048558$12$a015f77b68aed80103000000$60$2dbacf4710d3d42aa4f7baeedff85d72fc892f8f3457271901c0d2eccc3de890f081b3335740a5b5f1473892569ec0455d1aa2fd0075ac073a5f7b2a
$bitlocker$1$16$4a67bc123abedc43d60b3ece78ec6d1e$1048558$12$a015f77b68aed80103000000$60$2dbacf4710d3d42aa4f7baeedff85d72fc892f8f3457271901c0d2eccc3de890f081b3335740a5b5f1473892569ec0455d1aa2fd0075ac073a5f7b2a
$bitlocker$2$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7
$bitlocker$3$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7
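Review bot: the last field of the two example lines starting with $bitlocker$2$ and $bitlocker$3$ is 119 hex characters, while the $60$ length field that precedes it announces 60 bytes, i.e. 120 hex characters; the $bitlocker$0$ and $bitlocker$1$ lines do have 120. Either one character was lost when the example was hand-edited or a leading zero was dropped; I would regenerate these two lines directly from the script's output rather than edit them by hand, so that the README illustration matches what bitlocker2john.py actually emits.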
solardiz (Member):

I've just merged this PR (thanks!) but now I notice that the two example Recovery Password "hashes" given here are somehow one character too short - last field is 119 instead of 120 chars. Do we maybe have a bug where a leading zero is omitted? In my testing of the script, I got all strings of the same length, but maybe I just didn't trigger that bug.

solardiz (Member):

I'm not seeing such a bug in the current script, so maybe it was in some older revision? I think I'll "fix" these "hashes" by inserting a 0 after $60$, just so that they're a correct illustration. But I'd appreciate @holly-o's comments here.

holly-o (Contributor, Author):

I edited one of my known hashes to add as an example, and accidentally removed a character. The script should always output len 120.
Thanks for your fix!

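The length mismatch discussed above (a 119-character data field behind a $60$ length field) is exactly the kind of thing a small consistency check over bitlocker2john.py's output would catch before the lines go into a README or a test suite. The following is an added example written for this thread; it is not part of the PR or of John the Ripper. It assumes only the field layout visible in the README examples quoted in this thread: `$bitlocker$<mode>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<data>`, where each `<x_len>` is a byte count and the hex field that follows it must therefore be exactly twice as many characters. The four sample lines are copied from the thread, and the "fix" applied at the end is the one solardiz describes (a 0 inserted after $60$), used here purely to show that the check then passes.

```python
#!/usr/bin/env python3
"""Consistency check for $bitlocker$ hash lines (added example, not JtR code).

Validates that every byte-count field in a bitlocker2john(.py) output line
agrees with the hex field that follows it, and that numeric fields are
decimal. The field names below are assumptions based on the README examples
quoted in the PR thread, not the format's official names.
"""
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]*$")

# Field names in order after the "$bitlocker$" tag (assumed from the examples).
FIELDS = ("mode", "salt_len", "salt", "iterations", "nonce_len", "nonce",
          "data_len", "data")
# (byte-count field, hex field) pairs that must agree: len(hex) == 2 * count.
LENGTH_PAIRS = (("salt_len", "salt"), ("nonce_len", "nonce"),
                ("data_len", "data"))
INTEGER_FIELDS = ("mode", "salt_len", "iterations", "nonce_len", "data_len")


def parse_bitlocker_hash(line):
    """Return (fields, problems). fields is None if the line is not parseable.

    problems is an empty list when the line is internally consistent.
    """
    parts = line.strip().split("$")
    # A well-formed line splits into ['', 'bitlocker', <8 fields>].
    if len(parts) != 2 + len(FIELDS) or parts[0] != "" or parts[1] != "bitlocker":
        return None, ["not a $bitlocker$ line with %d fields" % len(FIELDS)]
    fields = dict(zip(FIELDS, parts[2:]))
    problems = []
    for name in INTEGER_FIELDS:
        if not fields[name].isdigit():
            problems.append("%s is not a decimal integer: %r" % (name, fields[name]))
    for len_name, hex_name in LENGTH_PAIRS:
        hexval = fields[hex_name]
        if not HEX_RE.match(hexval):
            problems.append("%s is not hexadecimal" % hex_name)
        if fields[len_name].isdigit():
            expected = 2 * int(fields[len_name])
            if len(hexval) != expected:
                problems.append("%s: declared %s bytes = %d hex chars, got %d"
                                % (hex_name, fields[len_name], expected, len(hexval)))
    return fields, problems


def check_lines(lines):
    """Validate many lines; returns {line_index: [problems]} for bad lines only."""
    report = {}
    for i, line in enumerate(lines):
        if not line.strip():
            continue  # skip blank lines, e.g. from a file read with readlines()
        _, problems = parse_bitlocker_hash(line)
        if problems:
            report[i] = problems
    return report


# Constructed sample input: the four README example lines quoted in the PR.
# Lines 0 and 1 carry a 120-character data field; lines 2 and 3 are the ones
# the reviewer noticed are one character short (119).
SAMPLE_LINES = [
    "$bitlocker$0$16$4a67bc123abedc43d60b3ece78ec6d1e$1048558$12$a015f77b68aed80103000000$60$2dbacf4710d3d42aa4f7baeedff85d72fc892f8f3457271901c0d2eccc3de890f081b3335740a5b5f1473892569ec0455d1aa2fd0075ac073a5f7b2a",
    "$bitlocker$1$16$4a67bc123abedc43d60b3ece78ec6d1e$1048558$12$a015f77b68aed80103000000$60$2dbacf4710d3d42aa4f7baeedff85d72fc892f8f3457271901c0d2eccc3de890f081b3335740a5b5f1473892569ec0455d1aa2fd0075ac073a5f7b2a",
    "$bitlocker$2$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7",
    "$bitlocker$3$16$4b10ca85ab17a7419990d92f75abc848$1048558$12$a015f77b68aed80106000000$60$11e39cfd4dc9f647cef46b843347a3677c0706d3653f3477d44c72c8e36e8e02e010744dc384a419ff487a0190b42da0a29229d57a0bc3c6a7193f7",
]


def apply_readme_fix(line):
    """The thread's illustration-only fix: insert a 0 right after "$60$".

    This only makes the example line self-consistent for documentation; real
    script output should be regenerated, never padded by hand.
    """
    return line.replace("$60$", "$60$0", 1)


if __name__ == "__main__":
    for idx, probs in sorted(check_lines(SAMPLE_LINES).items()):
        print("line %d: %s" % (idx, "; ".join(probs)))
    print("after fix, line 3 problems:",
          parse_bitlocker_hash(apply_readme_fix(SAMPLE_LINES[3]))[1])
```

Run as-is it reports lines 2 and 3 ("data: declared 60 bytes = 120 hex chars, got 119") and nothing for lines 0 and 1; the same check would also flag a dropped leading zero, since that shortens the field in the same way. Feeding it the real script output on a batch of test volumes is a cheap regression test for the concern raised in the thread.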
exploide (Contributor) commented Nov 9, 2024

@exploide You might want to help us review this, although since it's a new script we can as well merge first - it shouldn't hurt.

Sorry for being late. I had a quick look, no deep dive or actual testing, but I think it looks good. Only some formatting things or minor idiomatic points. Nothing that needs a fix now, and it's probably fine being merged.
