How to: Crack Bitlocker encrypted drives
- Added on 27. 07. 2024
- UPDATE: Because of the requirement of TPM 2.0 in Windows 11, this method no longer works. On older Windows 10 systems that are not using TPM it will still work as described.
NOTE: This is a very long process, and may not always be successful. There are people who crack hashes for money, I AM NOT ONE OF THEM. Do not contact me to crack "your" hash.
This is for educational purposes only and is only to be used on computers that you own or have permission to test.
In this video we go through the steps of creating a Bitlocker drive, imaging it, turning the image into a crackable hash and then cracking that hash with Hashcat.
FTK imager: marketing.accessdata.com/imag...
Article I used: openwall.info/wiki/john/OpenC...
Intro: (0:00)
Bitlocker settings: (1:10)
FTK imager: (1:50)
Bitlocker2john: (4:27)
Hashcat (Crack the Hash): (7:20)
Password cracked: (8:40)
Outro: (9:27)
My setup:
CPU: amzn.to/35CsCsO
GPU: amzn.to/33uLB5E
Ram: amzn.to/2ZzNfBQ
SSD: amzn.to/32uDiHW
Motherboard: amzn.to/2RqgNgP
PSU: amzn.to/2Rq0SiD - Science and technology
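A defender's check that follows from the update note above, added here as an example and not taken from the video or its author: it reads captured `manage-bde -protectors -get` output and flags volumes that can be unlocked with a user-chosen password, which is the protector the video's wordlist attack targets. The sample text is constructed in manage-bde's layout, and the function names and finding labels are this example's own.

```python
import re

# Constructed sample, laid out like `manage-bde -protectors -get` output.
# GUIDs and volume labels are made up; recovery passwords are redacted.
SAMPLE = """\
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {11111111-1111-1111-1111-111111111111}
      PCR Validation Profile:
        7, 11

    Numerical Password:
      ID: {22222222-2222-2222-2222-222222222222}
      Password:
        (redacted)

Volume D: [Data]
All Key Protectors

    TPM And PIN:
      ID: {33333333-3333-3333-3333-333333333333}

Volume E: [USB]
All Key Protectors

    Password:
      ID: {44444444-4444-4444-4444-444444444444}

    Numerical Password:
      ID: {55555555-5555-5555-5555-555555555555}
      Password:
        (redacted)
"""

VOLUME = re.compile(r"^Volume\s+([A-Z]:)")

def parse_protectors(text):
    """Return {volume: [protector names]} from manage-bde style text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    volumes, current = {}, None
    for i, line in enumerate(lines):
        m = VOLUME.match(line)
        if m:
            current = volumes.setdefault(m.group(1), [])
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A protector heading is a "Name:" line directly followed by its "ID:".
        # This skips the nested "Password:" label under Numerical Password.
        if current is not None and line.endswith(":") and nxt.startswith("ID:"):
            current.append(line[:-1])
    return volumes

def classify(protectors):
    """Map a protector list to this example's finding label."""
    names = {p.lower() for p in protectors}
    if "password" in names:
        return "PASSPHRASE"      # strength depends on a human-chosen password
    if any(n.startswith("tpm") for n in names):
        return "TPM"             # no user-chosen password protector present
    if names:
        return "RECOVERY_ONLY"   # only recovery password and/or external key
    return "NO_PROTECTORS"       # nothing listed for this volume

def audit(text):
    """Return {volume: (finding, protector list)}."""
    return {vol: (classify(p), p) for vol, p in parse_protectors(text).items()}

if __name__ == "__main__":
    for vol, (finding, prots) in audit(SAMPLE).items():
        print(f"{vol} {finding:<14} {', '.join(prots) or '-'}")
```

Volumes reported as PASSPHRASE are the ones where a long, unique password matters most, since the password and the recovery key are independent protectors.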
Here is the command if you want to crack the recovery key: John --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hash
Can you tell me which code is to be replaced?
Target_hash
@PentestsandTech Awesome video. How can I carry this out with hashcat? Target_hash only seems to exist as part of the John attack.
@PentestsandTech Hi, can I know what is the code I need to replace for the "Target_hash"? Do you mean the Txt file name where I saved the hash?
Yes, the text file containing the hash
Thank you for this video. This seems to be the only method I could get to work (I originally had trouble just making the image of the drive).
Hey! I deleted my comment before seeing your response, but I just had to press Enter and it showed the results! Currently running Hashcat, hopefully should be cracked soon. Great video, you got yourself a subscriber. Keep up the good work! ;)
Best soft soft tutorial for beginners on CZcams! I'm an absolute beginner and all the other tutorials I've found on CZcams have been so
I agree
This is a great video! Though as a preventative, what is the best thing (besides long complex password) that one can do to make cracking the bitlocker driver extremely difficult to almost impossible?
I had two partitions on my bitlockered 1TB drive. jumbo-john stops always at "VMK entry found at 0xede90f8a90" after around 24 hours of work. How, in that case, find the hashes of only one partition instead of a whole disk? Any suggestions? How to make a bit-to-bit image of chosen partition only?
how many people here are like me where I lost the key and password...
Did you find any solution for this problem?
😢
@bibizarafshan4723 did you find any solution for the problem
I'm here because windows decided to permanently encrypt my entire fucking ssd because I had the audacity to disable boot security in my bios. I never even activated the fucking thing and never set up a password
For the bitlocker2john how long does it take? I have a 500gb HDD if that helps.
Hi, I have FTK imager downloaded, where do I find the other 2 that I need?
Thanks
do we really need the full image to be stored somewhere? because my bitlockered drive is 4tb and my other drive is only 1tb will it still be possible to use this method?
quick question, since this is specific to bitlocker can i still use these tools for other types of brute forcing? I got a computer in an estate auction, and strangely there was also a disk labeled "merlin encrypted HD". i can't seem to find much specific to merlin and encryption other than 'merlincryption' but not sure if that's relevant? it mentions an m70 which is a dell laptop, does dell have proprietary encryption?
I was tempted to answer, so here I am. Yes, Dell does have proprietary encryption
I'm sitting here struggling to get bitlocker removed😂
Hey I needed this today... and you uploaded it today. Hello =D
I'm glad I could help!
Can you give some stats on end-to-end cracking time? Ie. against recovery keys, since they are fixed in size and complexity. Which means cracking time of a fixed volume size should be relatively constant.
Hey, I have a big problem - the thing is that I saved the key on an encrypted disk - I only saved it there and I do not have access to it, unfortunately I do not remember the password, is there any possibility to crack the password, recover the key or, for example, recover files from an encrypted disk, and then clean it and upload a new system to have access to this disk?
I created disk image using external hard disk. When using code command it shows invalid version. Is it necessary to create image with TPM chip and possible to extract the image using another system with TPM chip?
Hi.. when I ran the Jumbo John, i got the following error. Does that mean it didn't generate any hash for the Bitlocker drive?
Error while extracting data: No signature found!
Thanx for the video, good stuff! When I run the command to crack the recovery key I get the error "No OpenCL devices found". My target_hash file has the $bitlocker$2 and $bitlocker$3 hashes listed. What could be the cause of the error?
How on earth have I not seen this until now?!?!?! Thanks!
You’re welcome, just so you know, it doesn’t work on windows 11 anymore
What can I do with numerical password ID and external key id ?
I got to 7:56 and it gets stuck at "Initializing backend runtime for device #1..." I left it alone for half an hour and still nothing. Any suggestions as to why that's happening?
I always got error notification receive like this (error recovering disk G: A Recovery key was not found on this drive) anyone can give me any solution???
Sorry, I don't totally get how to crack the recovery key per se...I understand the mask part, but where to place the command during the hashcat part? or will it be a file with different recovery keys that will do the same trick as if it was a dictionary?
The mask is put in place of the file
Is it possible to crack the 48 digits that you enter before booting the system?
Hi i m badly facing the problem of forget pwd and recovery key of my ext hd, plz guide me in simple words how can i get my data recovered plz
Please help me....
The bitlocker encryption on this Drive isn't compatible with your version of Windows, try opening the drive using a newer version of Windows.
If the all drives are encrypted and don't know any decrypt key what I can do ? (Only hope is cmd with X: drive in the blu screen.)
Please does soft soft need a driver for midi controller? Coz it's not reading my midi controller, m-content oxygen49, thanks if it need please
While trying to install FTK imager, I'm getting a Processor not supported error - is it because I'm on a 32 bit system??
If so from where can I get the 32 bit one??
Sorry man, they don’t make a 32 bit version. 32 bit is being phased out because 32 bit processors are not being made anymore. I’m guessing you have a 64 bit processor but your windows install is probably 32 bit. Consider reinstalling windows and making sure you select 64 bit.
how u get 6gb from 8gb of ur video memory? i have 3070
If I encrypted my personal USB on a work computer and don't have that original device anymore that encrypted - does this work?
Hi there, I actually have the recovery key, but when i enter the Bitlocker-Key it opens the lock but I still cannot access the drive! I get the Message: I need to format the drive before using it; file location is not available ! any Idea?
thank you in advance
Hi. I ran jumbo john, but didn't get any hash at the end. All results were "Invalid Version" or "Error: VMK not encrypted with AES-CCM". Do you know why?
Sounds like it’s a different encryption method, not sure how you would crack it. Sorry.
and if my result on john is: VMK encrypted with TPM...not supported! (0x71bbf928)
There's an alternative method or game over for my HD?
HI, my hdd was locked by bitlocker when after re-install windows. However, i don't have the recovery key and no record in my hotmail account. is it can unlock my hdd & save the data?
Good job, thx !
If i was doing a recovery key attack with hashcat, can I create a wordlist of a couple of six digit numbers (some of which I know to work), to use on the bitlocker decryption? This is assuming I am using a $bitlocker$2 hash
You can enter in manual numbers when you are using mask attack.
@PentestsandTech where would I enter those and how?
Hashcat -a 3 yourhash.txt 1223456-?d?d?d?d?d
Could it be that this doesn't work if the image was encrypted by the TPM?
IT WORKED!!! THANK YOU SO MUCH!!!!
Hello
Thanks for this video.
At the end, I don't understand that you said (i'm french) : More the disc image is bigger, fast the crack is ?
The bigger the disk, the longer it takes to extract the hash. The bigger the password, the longer it takes to crack.
@PentestsandTech Thank you!
I know this is 2 years old. But What do I do if john keeps saying No opencl devices found? I'm trying to crack a recovery key since that's all I am getting
Awesome Buddy
I tried all the steps did get work out. I have 64GB sd pulled from lumia 950 when testing arm on windows, the phone suddenly went dead. i found this video and tried all steps, the bitlokerjohn end up empty, no password, also tried different pirated data recovery, tried to open the image file, still get nothing. what to do?
Thanks for your video but i'm not sure to understand all steps. I have some keys on John but i don't think that's the good one... I have a RP MAC / RP VMK / RP NONCE only.
Does it mean i have to wait more ? It's a M2 from a Surface Pro 4, my customer doesn't know the password and he think he never set a password... His tablet is out and i just have to unlock the M2 for put it on a external box.
I'm scared because i think it doesn't have any password but only a recovery key :/
Can you help me please? I try to put the RP VMK hash on the txt but i have a "No hashes loaded" on Hashcat.
Thank you :)
so no matter how strong the password is, it can be broken by the recovery key
right?
Yes, the recovery key and password are independent.
is it ok that you unlocked the drive before the operation ? is it the same with locked drives ?
Yes, it’s the same.
Is it possible to use a similar method to decrypt files encrypted with ransomware?
yes and no. an example: czcams.com/video/Sv8yu12y5zM/video.html
Hi there, I am trying to download the FTK on my old computer, windows 7 and it is stating the program won't work on this processor. Is there any other way to get around this or use another program? Thank you.
There’s other ways to image a hard drive, just search online and I’m sure you’ll find something
hey, I'm in trouble, due to hardware change of my system my hard disk has been encrypted, and its 48 digit recovery key is not saved in my microsoft account. will i get access to those data through this method?
If you found any solution for it, kindly share. Thanking you in advance
Hey sorry for bother but I can't use dictionary since my password had special characters, is there any way to configure and download a dictionary with a maximum of 14 characters alphanumeric and with special characters? Sorry I literally have no idea how to code but I'm guessing this would be a lot faster than using the recovery password method
You would need to make your own, or just brute force it.
is this step possible if i format boot drive and the one im trying to unlock is the other drive (different hard drive).
Yes
So is it better to get a USB like the Kingston datatraveler 2000 that has hardware encryption with a keypad on is it possible to crack those
Those are much more secure
my HDD is lock by bitlocker for some reason the drive got locked after an update and the Bitlocker key ID has changed,
To increase performance (lower times), what hardware would be best? A video card? If so, what brands/models do best?
Nvidia graphics card, as high end as your budget can go
Hey, I'm just starting to get into making soft and tNice tutorials 17 minute video helped a LOT MORE than those one hour long tutorials out
It's working thanks my friend
can a sd card that was encrypted with “bit locker to go” be bypassed as well? Can i use this same method on the sd card?
Haven’t tried it, but i think the to go version can also be cracked with this method.
Hi, im having a little trouble down here. when i ran a hashcat.exe it gives me an error it says "salt value exception", how im supposed to do?
It sounds like your drive may be encrypted with a different version of bitlocker, or a TPM chip was used.
@PentestsandTech okay, but i try with this step
"John --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hash"
it takes forever to find that key, is this normal?
Yeah, that process takes very very long
So i got the hash, but when i use hashcat it says that -n is out of date and i have to use --force. Then when i do that, it says that no hash loaded? plus where did you get the password list?
It’s -m, and i got the password list from a GitHub called seclists. You can get the rockyou file from basically anywhere, and there are other good ones as well.
How much time it will take for 300gb disk with 80 gb of data?
I can't see how to install or download Jumbo John...you mention that was covered earlier, but I can't see anything here. Thanks.
I encrypted my 250g drive from my Dell laptop and for some reason the drive got locked after an update and the Bitlocker key ID has changed, making my backed-up key obsolete.
I know the password which is composed of 12 characters (1 capital letter + 8 lower case letters + 1 special character + 2 numbers)
What's the best method to retrieve the key and not the password?
Thanks for the video.
@Leon Wallace I have a similar problem (bitlocker screen after update) but I never used bitlocker on the computer. Any success on your part? have you succeeded in recovering your data?
Hi I have the same problem, did you ever find a solution?
@alexhall2514 unfortunately no
I tried a bunch of different solutions and ultimately the ssd got corrupted so I had it replaced
You showed how to crack it with a dictionary "wordlist" passwords. What about a recovery key? there is no wordlist for it so how is it done?
Brute force, try 10^48 combination of recovery keys
Thank you for the video. Please, I need your help. I have my external hard drive encrypted using bitlocker. The laptop I used to encrypt the external is no longer available. I have tried to decrypt the external drive with passwords I can remember using another laptop but it doesn't work and the recovery key is even in the external drive which is about 1TB.
I saw that you have an image of your drive. In my case I don't have an image of my external drive. Do I need to make an image of the external or I don't need to.
Please, can you drop your email to engage more.
hi after using "ftk imager" who software use for browsing image?
You can’t browse the image because it is encrypted. But if it was not you would need to use a forensic tool like Physical Analyzer, FTK, EnCase, Autopsy or Magnet Forensics.
Hi - instead of a specific drive, my laptop has been locked with BitLocker, I need assistance to retrieve my data. Is there a way I can use another system to run your hashing technique to get my BitLocker key? Thanks in advance!
Assuming you no longer can log on the original Laptop, your only option is check and see if you backed up the bitlocker recovery keys in your Microsoft account. If you no longer have the original computer and try to install the hard drive and try to recover the data with another computer, this method won’t work.
Thank you for this demonstration. Have you ever encountered a scenario where bl2j did NOT return any hashes, but detected an unencrypted VMK stored clear? Does the lack of a hash return indicate no 48 digit recovery key or user-created password is present, only a VMK?
Error: VMK not encrypted with AES-CCM. Like in my case
@bernhardandresen And what did you do? I have this problem
@rubenkaczmarek3962 sadly, couldn't solve the problem
Greeting, I have WD my passport portable drive bitlocker and I do not have the password or the backup key. so my question is it possible to access the drive and backup all files saved on it?
please let me know I appreciated your quick reply
Did you find any solution?
Hi hi - my external drive freezes after I enter my bitlocker password - how can I attack this problem?
Sounds like you have a hard drive issue.
Amazing tutorial
ftk is not install. why? my problem is that i know my bitlocker password but unfortunately i have window 10 to 8.1. now my encrypted drive is not open by saying wrong password. what i do help me??
i have formatted my pc and trying to enter the password but showing it wrong why ???
i used to open it everyday with the password
Your guide won't work for a 20 character password with 256bit Bitlocker encryption in 2021 :) What modifications would you do to the guide for a 256bit 20+ char Bitlocker encryption ? Thanks
Wait for technology to improve, or wait for quantum computers to crack it lol
why I took a long time when 'creating image' it's been 3 hours, and the progress is just like 1% 😭
Either you have a really slow hard drive, it's in the process of failing or FTK needs to be restarted.
I've had a rapid influx of people coming into my tech repair store because the Windows 22H2 update has been bricking systems left and right and unfortunately many of these people don't even know what bitlocker is, why it was enabled, and don't have their key. I'm hoping this method might be a solution for these people.
I have a doubt will this work on partitioned drive. Like I have a 500Gig drive with a 100gig locked away. So will creating the whole 500gig disk image work?
The drive i used had multiple partitions.
@PentestsandTech Thanks a lot! Oh and I might have follow up questions cause currently it's running the FTK Imager :)
@PentestsandTech Ok so I tried doing this method in hashcat but it is showing hash input is slow and then goes looping. And when I tried the mask method it says Hashfile Salt value exception error. what to do?
Hi, I have an ASUS tablet with soldered HD so can't connect to other computer to erase drive. All boot USB attempts keep triggering Bitlocker. So i want to erase drive and install Win 8 but how can i do this? Can i use command prompt in recovery blue screen F8 area or will i still need key. As you explained, will erasing drive totally still leave Key with TPM and still lock me out?
You’re gonna need to get usb boot to work, in the bios you should be able to set usb to boot before windows. Either use a Linux usb or the windows installer usb. Both will let you wipe the hard drive.
Hello, I encrypted a USB drive (8GB) years ago (2018) and I forgot the password. I know the first 5 characters and the rest of the password are numbers but I forgot the combination. I know what numbers I usually used but this time I added all of them. My question is how can I create a password text file that will use the first 5 characters then will add all possible combinations of numbers I used? BTW the format of the password is something like this: Ph@so then 5 to 10 numbers.
Mask attack, with static characters. Look at the hashcat wiki
Is this if the whole drive is BitLocker encrypted? If I have an encrypted partition would I need to separate the encrypted partition to its own image file and then run it? When running it on the physical disk image it failed saying no HASHES were found. THANKS! and Subscribed!
Disregard- I imaged out the encrypted partition and it appeared to fix the issue. Great video. I appreciate it.
Glad you got it figured out!
Help me, this error on USB: BitLocker Drive Encryption failed to recover from an abruptly terminated conversion. This could be due to either all conversion logs being corrupted or the media being write-protected.
I'm not sure how to fix that, sorry
I have my hashes so how do I do the recovery key process?
Hi, i have a very big problem and it was not my fault.
HP ProBook 450 G5 with 2 drives i just reinstalled windows 11 fresh to M2 drive after formatting everything but never touched SATA drive with all the data inside almost 950gb of data.
I also did load factory default settings in bios and now i have the SATA drive with bitlocker encryption and of course don't know the password.
Can you help me please, i need to recover my data please
"rockyou.txt" file what do I put in it, where can I get a password list... I know most of the password just not the combination of numbers and possibly 1 special character
If I understand him right. The recovery key is easier to hack in brute force scenarios. Am I right?
Hm m8 i don't know why is it even possible to crack...i mean AES 256 is not hacked yet but if you can hack bitlocker it makes no sense to encrypt anything.
i have a vhd which was created and encrypted in windows 7 but after i upgrade to windows10/11 bitlocker doesn't recognize the drive and mount directly but files are still encrypted can't be opened. Any way i can recover my files?
I haven’t heard of this problem, i would try to make a windows 7 VM and decrypt the files.
Hi, I have BitLocker on my D: drive after OS crash the BL asking for the recovery key instead which I don't have instead of the password which i have. Please help.
Recovery key should be on your Microsoft account or saved in a file somewhere. Try locating this first.
What is 22100 you typed ? Appreciate if help is it random number or any specific
That’s the code for bitlocker hashes so hashcat knows what type of hash you’re trying to crack.
Doesn't work for me. at Bitlocker2John it shows "Error: VMK not encrypted with AES-CCM (0x93,0xa0)" Anyone can help?
hello ! when use the hashcat show this error No hashes loaded any idea?
That could mean a number of things, make sure you have the right hash identifier, the -m and the number that goes with it. Also make sure your hash is complete and matches the description from example hashes on hashcat.
Pls clarify my doubt sir does it have tabla soft????? Pls tell sir
Hey please can help me to unlock my external drive what have my archives with bitlocker my pc die so I don’t have the key
When you ran hashcat and typed -m 22100 on the cmd. Is 22100 a universal key number for all bitlocker hard drives. If not, how do I find the key number of the bitlocker so that I can complete command prompt. Please and thank you
hello, do you have answer?
@PChelper39ru never got one unfortunately 😞
@MikailAtiyeh 22100 universal - i find information in Google
My all drives are encrypted by bit locked and my laptop was update Windows 10 to 11 and I never used bitlocker. Three days back when I turned on my computer and it shown a blue screen with bitlocker recovery key bar to open... I have reinstalled the Windows on C and now other 3 drives are locked and they important data on them... How I have open the drives?
Check and see if your Microsoft account have a back up of the recovery key, as most people didn’t save it locally
Great video bro, I'm in the midst of doing a pen test for a client now. About to try this out, I'll report back if you helped me gain access to them :)
you never explained how did you get the jumbo john......I'm stuck there
what happens if i create an image with overflow?
Just make sure it’s a bit for bit image, otherwise known as DD
Hi Ad,If I delete old windows and reinstall new windows, can I still open bitlocker on drive D?
As long as you know the password it should be fine
will I lose the data inside the HD bitlocked?
I was considering upgrading to windows 10 pro go encrypt my laptop, but now I'm not sure :/
Just use a secure password you will be fine
Some new laptops come with TPM, but most computers that people are using do not have a TPM chip. And TPM is not foolproof, it can also be hacked, albeit with a lot more effort.
I encrypted a device with bitlocker but the encryption failed and now I cannot get access to my device, the password doesn't work and the key recovery doesn't work either, so what can I do to recover my data? I tried M3 bitlocker recovery but it did not work... please help
You get the device you stole to his owner, you scumbag 😂
Can you explain about file "rock you"? I don't understand how I create this file. What content will this file contain?
It’s a wordlist of possible passwords, if you google rock you it’ll come up