How to: Crack Bitlocker encrypted drives
HTML-код
- Опубликовано: 10 июл 2024
- UPDATE: Because of the requirement of TPM 2.0 in Windows 11, this method no longer works. On older Windows 10 systems that are not using TPM it will still work as described.
NOTE: This is a very long process, and may not always be successful. There are people who crack hashes for money, I AM NOT ONE OF THEM. Do not contact me to crack "your" hash.
This is for educational purposes only and is only to be used on computers that you own or have permission to test.
In this video we go through the steps of creating a Bitlocker drive, imaging it, turning the image into a crackable hash and then cracking that hash with Hashcat.
FTK imager: marketing.accessdata.com/imag...
Article I used: openwall.info/wiki/john/OpenC...
Intro: (0:00)
Bitlocker settings: (1:10)
FTK imager: (1:50)
Bitlocker2john: (4:27)
Hashcat (Crack the Hash): (7:20)
Password cracked: (8:40)
Outro: (9:27)
My setup:
CPU: amzn.to/35CsCsO
GPU: amzn.to/33uLB5E
Ram: amzn.to/2ZzNfBQ
SSD: amzn.to/32uDiHW
Motherboard: amzn.to/2RqgNgP
PSU: amzn.to/2Rq0SiD 
Наука
Here is the command if you want to crack the recovery key: John --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hash
Can you tell me which code to be replaced?
Target_hash
@@PentestsandTech Awesome video. How can I carry this out with hashcat? Target_hash only seems to exist as part of the John attack.
@@PentestsandTech Hi, can I know what is the code I need to replace for the "Target_hash"? Do you mean the Txt file name where I saved the hash?
Yes, the text file containing the hash
Best soft soft tutorial for beginners on RUclips! I'm an absolute beginner and all the other tutorials I've found on RUclips have been so
I agree
Thank you for this video. This seems to be the only method I could get to work (I originally had trouble just making the image of the drive).
Hey! I deleted my comment before seeing your response, but I just had to press Enter and it showed the results! Currently running Hashcat, hopefully should be cracked soon. Great video, you got yourself a subscriber. Keep up the good work! ;)
Hey I needed this today... and you uploaded it today. Hello =D
I'm glad I could help!
How on earth have I not seen this until now?!?!?! Thanks!
You’re welcome, just so you know, it dosen’t work on windows 11 anymore
This is a great video! Though as a preventative, what is the best thing (besides long complex password) that one can do to make cracking the bitlocker driver extremely difficult to almost impossible?
IT WORKED!!! THANK YOU SO MUCH!!!!
how many people here are like me where I lost the key and password...
Do you find any solution for this problem ?
😢
@bibizarafshan4723 do you find any solution for the problem
I'm here because windows decided to permanently encrypt my entire fucking ssd because I had the audacity to disable boot security in my bios. I never even activated the fucking thing and never set up a password
I had two partitions on my bitlockered 1TB drive. jumbo-john stops always at "VMK entry found at 0xede90f8a90" after around 24 hours of work. How, in that case, find the hashes of only one partition instead of a whole disk? Any suggestions? How to make a bit-to-bit image of chosen partition only?
Awesome Buddy
quick question, since this is specific to bitlocker can i still use these tools for other types of brute forcing? I got a computer in an estate auction, and strangely there was also a disk labeled "merlin encrypted HD". i can't seem to find much specific to merlin and encryption other than 'merlincryption' but not sure if that's relevant? it mentions an m70 which is a dell laptop, does dell have proprietary encryption?
I was tempted to answer, so here I am. Yes, Dell does have proprietary encryption
I'm sitting here struggling to get bitlocker removed😂
For the bitlocker2john how long does it take? I have a 500gb HDD if that helps.
It's working thanks my friend
Amazing tutorial
do we really need the full image to be stored somewhere? because my bitlockered drive is 4tb and my other drive is only 1tb will it still be possible to use this method?
Can you give some stats on end-to-end cracking time? Ie. against recovery keys, since they are fixed in size and complexity. Which means cracking time of a fixed volume size should be relatively constant.
TNice tutorialS IS WHAT I NEEDED BRO, thank you for taking the ti and doing tNice tutorials for most of that are starting with tNice tutorials beautiful tNice tutorialng called
Hi, I have FTK imager downloaded, where do I find the other 2 that I need
Thanks
Sorry, I don't totally get how to crack the recovery key per se...I understand the mask part, but where to place the command during the hashcat part? or will it be a file with different recovery keys that will do the same trick as if it was a dictionary?
The mask is put in place of the file
Good job, thx !
Hi.. when I ran the Jumbo John, i got the following error. Does that mean it didn't generate any hash for the Bitlocker drive?
Error while extracting data: No signature found!
You showed how to crack it with a dictionary "wordlist" passwords. What about a recovery key? there is no wordlist for it so how is it done?
I created disk image using external hard disk.when using code commend it shows invalid version.is it necessary to create image with TPM chip and possible to extract the image using another system with TPM Chip
Hey, I have a big problem - the thing is that I saved the key on an encrypted disk - I only saved it there and I do not have access to it, unfortunately I do not remember the password, is there any possibility to crack the password, recover the key or, for example, recover files from of an encrypted disk, and then clean it and upload a new system to have access to this disk?
Hey, I'm just starting to get into making soft and tNice tutorials 17 minute video helped a LOT MORE than those one hour long tutorials out
Thanx for the video, good stuff! When I run the command to crack the recovery key I get the error "No OpenCL devices found". My target_hash file has the $bitlocker$2 and $bitlocker$3 hashes listed. What could be the cause of the error?
Super video cute !!!! Thanks
I got to 7:56 and it gets stuck at "Initializing backend runtime for device #1..." I left it alone for half an hour and still nothing. Any suggestions as to why that's happening?
What can I do with numerical password ID and external key id ?
Hello
Thank for this video.
At the end, I don't understand that you said (i'm french) : More the disc image is bigger, fast the crack is ?
The bigger the disk, the longer it takes to extract the hash. The bigger the password, the longer it takes to crack.
@@PentestsandTech Tank you !
Please does soft soft need a driver for midi controller? Coz it's not reading my midi controller, m-content oxygen49, thanks if it need please
Is it possibile to crack the 48 digits that you enter before booting the system?
I always got error notification receive like this (error recovering disk G: A Recovery key was not found on this drive) any one can give me any soloution ???
Greeting, I have WD my passport portable drive bitlocker and I do not have the password or they backup key. so my question is it possible to access the drive and backup all files saved on it ?
please let me know I appreciated your quick replay
interesting vid 👍
While trying to install FTK imager, I'm getting a Processor not supported error - is it because I'm on a 32 bit system??
If so from where can I get the 32 bit one??
Sorry man, they don’t make a 32 bit version. 32 bit is being phased out because 32 bit processors are not being made anymore. I’m guessing you have a 64 bit processor but your windows install is probably 32 bit. Consider reinstalling windows and making sure you select 64 bit.
If the all drives are encrypted and don't know any decrypt key what I can do ? (Only hope is cmd with X: drive in the blu screen.)
how u get 6gb from 8gb of ur video memory? i have 3070
Hi. I ran jumbo john, but didn't get any hash at the end. All results were "Invalid Version" or "Error: VMK not encrypted with AES-CCM". Do you know why?
Sounds like it’s a different encryption method, not sure how you would crack it. Sorry.
I've had a rapid influx of people coming into my tech repair store because the Windows 22H2 update has been bricking systems left and right and unfortunately many of these people don't even know what bitlocker is, why it was enabled, and don't have their key. I'm hoping this method might be a solution for these people.
Hi i m badly facing the problem of forget pwd and recovery key of my ext hd, plz guide me in simple words how can i get my data recovered plz
To increase performance (lower times), what hardware would be best? A video card? If so, what brands/models do best?
Nvidia graphics card, as high end as your budget can go
Thank you for this demonstration. Have you ever encountered a scenario where bl2j did NOT return any hashes, but detected an unencrypted VMK stored clear? Does the lack of a hash return indicate no 48 digit recovery key or user-created password is present, only a VMK?
Error: VMK not encrypted with AES-CCM. Like in my case
@@bernhardandresen And what did You do? I have this problem
@@rubenkaczmarek3962 sadly, couldn't solve the problem
If I encrypted my personal USB on a work computer and don't have that original device anymore that encrypted - does this work?
and if my result on john is: VMK encrypted with TPM...not supported! (0x71bbf928)
There's an alternative method or game over for my HD?
Please help me....
The bitlocker encryption on this Drive isn't compatible with your version of Windows, try opening the drive using a never version of Windows.
If i was doing a recovery key attack with hashcat, can I create a wordlist of a couple of six digit numbers (some of which I know to work), to use on the bitlocker decryption? This is assuming I am using a $bitlocker$2 hash
You can enter in manual numbers when you are using mask attack.
@@PentestsandTech where would I enter those and how?
Hashcat -a 3 yourhash.txt 1223456-?d?d?d?d?d
is it ok that you unlocked the drive before the operation ? is it the same with locked drives ?
Yes, it’s the same.
Thanks!
Thank you!
Could it be that this doesn't work if the image was encrypted by the TPM?
So is it better to get a USB like the Kingston datatraveler 2000 that has hardware encryption with a keypad on is it possible to crack those
Those are much more secure
Hi there, I actually have the recovery key, but when i enter the Bitlocker-Key it opens the lock but I still cannot access the drive! I get the Message: I need to format the drive before using it; file location is not available ! any Idea?
thank you in advance
HI, my hdd was locked by bitlocker when after re-install windows. However, i don't have the recovery key and no record in my hotmail account. is it can unlock my hdd & save the data?
Great video bro, I'm in the midst of doing a pen test for a client now. About to try this out, I'll report back if you helped me gain access to them :)
is this step possible if i format boot drive and the one im trying to unlock is the other drive (different hard drive).
Yes
so no matter how strong the password is, it can be broken by the recovery key
right?
Yes, the recovery key and password are independent.
Hi there, I am trying to download the FTK on my old computer, windows 7 and it is stating the program wont work on this processor. Is there any other way to get around this or use another program? Thank you.
There’s other ways to image a hard drive, just search online and I’m sure you’ll find something
I know this is 2 years old. But What do I do if john keeps saying No opencl devices found? I'm trying to crack a recovery key since thats all I am getting
Hi, im having a little trouble down here. when i ran a hashcat.exe it gives me an error it says "salt value exception", how im supposed to do?
It sounds like your drive may be encrypted with a different version of bitlocker, or a TPM chip was used.
@@PentestsandTech okey, but i try with this step
"John --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hash"
it takes forever to find that key, is this normal?
Yeah, that process takes very very long
can a sd card that was encrypted with “bit locker to go” be bypassed as well? Can i use this same method on the sd card?
Haven’t tried it, but i think the to go version can also be cracked with this method.
hi after using "ftk imager" who software use for browsing image?
You can’t browse the image because it is encrypted. But if it was not you would need to use a forensic tool like Phyiscal analyzer, FTk, Encase, Autopsy or magnet forensics.
Is it possible to use a similar method to decrypt files encrypted with ransomware?
yes and no. an example: ruclips.net/video/Sv8yu12y5zM/видео.html
Hi - instead of a specific drive, my laptop has been locked with BitLocker, I need assistance to retrieve my data. Is there a way I can use another system to run your hashing technique to get my BitLocker key? Thanks in advance!
Assuming you no longer can log on the original Laptop , your only option is check and see if you backed up the bitlocker recovery keys in your Microsoft account. If you no longer have the original computer and try to install the hard drive and try to recover the data with another computer , this method won’t work.
Is this if the whole drive is BitLocker encrypted? If I have an encrypted partition would I need to separate the encrypted partition to it's own image file and then run it? When running it on the physical disk image it failed saying no HASHES were found. THANKS! and Subscribed!
Disregard- I imaged out the encrypted partition and it appeared to fix the issue. Great video. I appreciate it.
Glad you got it figured out!
So i got the hash, but when i use hashcat it says that -n is out of date and i have to use --force. Then when i do that, it says that no hash loaded? plus where did you get the password list?
It’s -m, and i got the password list from a GitHub called seclists. You can get the rockyou file from basically anywhere, and there are other good ones as well.
Hey sorry for bother but I can't use dictionary since my password had special characters, is there any way to configure and download a dictionary with a maximum of 14 characters alphanumeric and with special characters? Sorry I literally have no idea how to code but I'm guessing this would be a lot faster than using the recovery password method
You would need to make your own, or just brute force it.
How much time it will take for 300gb disk with 80 gb of data?
hey , i m in a trouble , due to hadware change of my system my hardisk has been encrypted . and its 48 digit recovery key is not saved in my microsoft account . will i get accsses to those data , through this method ?
If you found any solution for it, kindly share. Thanking you in advance
I have a doubt will this work on partitioned drive. Like I have a 500Gig drive with a 100gig locked away. So will creating the whole 500gig disk image work?
The drive i used had multiple partitions.
@@PentestsandTech Thanks a lot ! Oh and I might have follow up questions cause currently it's running the FTK Imager :)
@@PentestsandTech Ok so I tried doing this method in hashcat but it is showing hash input is slow and then goes looping. And when I tried the mask method it says Hashfile Salt value exception error. what to do?
my HDD is lock by bitlocker for some reason the drive got locked after an update and the Bitlocker key ID has changed,
Pls clarify my doubt sir does it have tabla soft????? Pls tell sir
Interesting Video, great Quality 👍
Cool to see how active you respond to all the people having questions in the comments 👍👌
And I have a question as well but not like the others before me. I'd like to ask about whats the conclusion for using Bitlocker safely (if you don't want to get your encrypted files decrypted with the technologies available (at least today))?
Is it enough to set a 'strong' password (for example a 30 digit letters and special symbol combination not fitting a dictionary attack)?
Or what kind of password would I need so it's impossible with today's technical possibilities to crack the encryption by brute forcing the passphrase? (impossible in the meaning of not possible in under like 40 years or something like that)
Bitlocker is much stronger when paired with a TPM module, (found in newer laptops and macs). A 30 character complex password is more than enough for today’s technology.
@@PentestsandTech okay, thanks and thank you for that ultra fast answer as well :)
And one more question about the TPM module, I mainly thought about using Bitlocker on a desktop pc but especially for USB drives, I guess the encryption will still be enough without a TPM module on the mainboard as long as you got a safe password and the recovery file somewhere external and safe?
PS: (off topic to my question) I saw a video about the TPM module being a potential surface for multiple kinds of attacks on the Bitlocker mechanism, interesting to watch:
ruclips.net/video/eRuca6eAdFM/видео.html
You have a great channel mate, keep up the good work :)
@@PentestsandTech Hello, Sir. Do you mean, the tutorial will not work if I use BitLocker with TPM?
Hi Ad,If I delete old windows and reinstall new windows, can I still open bitlocker on drive D?
As long as you know the password it should be fine
HI, Have a ASUS tablet with soldered HD so cant connect to other computer to erase drive. All boot USB attempts keep triggering Bitlocker. So i want to erase drive and install Win 8 but how can i do this? Can i use command prompt in recovery blue screen F8 area or will i still need key. As you explained, will erasing drive totally still leave Key with TPM and still lock me out?
You’re gonna need to get usb boot to work, in the bios you should be able to set usb to boot before windows. Either use a Linux usb or the windows installer usb. Both will let you wipe the hard drive.
I have my hashes so how do I do the recovery key process?
What is 22100 you typed ? Appreciate if help is it random number or any specific
That’s the code for bitlocker hashes so hashcat knows what type of hash you’re trying to crack.
Thanks
You're welcome
Hi hi - my external drive freezes after I enter my bitlocker password - how can I attack this problem?
Sounds like you have a hard drive issue.
I encrypted my 250g drive from my Dell laptop and for some reason the drive got locked after an update and the Bitlocker key ID has changed, making my backed-up key obsolete.
I know the password which is composed of 12 characters (1 capital letter + 8 lower case letters + 1 special character + 2 numbers)
Whats the best method to retrieve the key and not the password?
Thanks for the video.
@Leon Wallace I have a similar problem (bitlocker screen after update) but I never used bitlocker on the computer. Any success on your part? have you succeeded in recovering your data?
Hi I have the same problem, did you ever find a solution?
@@alexhall2514 unfortunately no
I tried a bunch of different solutions and ultimately the ssd got corrupted so I had it replaced
I tried all the steps did get work out. I have 64GB sd pulled from lumia 950 when testing arm on windows, the phone suddently when dead. i found this video and tried all steps, the bitlokerjohn end up empty, no password, also tried different pirated data recovery, tried to open the image file, still get nothing. what do to?
If I understand him right. The recovery key is easier to hack in brute force scenarios. Am I right?
Hm m8 i dont know why is it even possible to crack...i mean AES 256 is not hacked yet but ifyo can hack bitlocker it makes no sense to encrypt anything.
when running jumbo john...how long does it take to find a signature? thanks
For me it took 6 hours, but it depends on the drives size and speed. I’ve had some peoples take two days.
@@PentestsandTech okay thanks. i let it run for 40+ hours and last night....i went back to check on it and jumbo john cml screen was closed out. =(
That sucks man, I’m sorrry.
add the command to write your progress to a text file. The same thing happened with me. Windows update messed up inbetween in the night. So i am rerunning with writing the stdout to file
nice thank u
what if the john output is only 2 hashes?
will I lose the data inside de HD bitlocked?
Do you help people with this as I struggled and need access to a harddrive with my old resume on it
I'm sorry, I don't help people crack passwords
I can't see how to install or download Jumbo John...you mention that was covered earlier, but I can't see anything here. Thanks.
Thanks for you video but i'm not sure to understand all steps. I have some keys on John but i don't think that's the good one... I have a RP MAC / RP VMK / RP NONCE only.
Does it mean i have to wait more ? It's a M2 from a Surface Pro 4, my customer doesn't know the password and he think he never set a password... His tablet is out and i just have to unlock the M2 for put it on a external box.
I'm scared because i think it doesn't have any password but only a recovery key :/
Can you help me please? I try to put the RP VMK hash on the txt but i have a "No hashes loaded" on Hashcat.
Thank you :)
I don't get it. If you have logged onto the pc, then you have access to the drive, and can manage bitlocker. It would be more useful to see how you would access a drive that you dont have access to the Windows credentials.
hello ! when use the hashcat show this error No hashes loaded any idea?
That could mean a number of things, make sure you have the right hash identifier, the -m and the number that goes with it. Also make sure your hash is complete and matches the description from example hashes on hashcat.
Neat hack. Is there same tools in Linux?
Same tools different names, replace ftk imager with dd, also mounting bitlocker drives on Linux is a bit different
Help ME this error in USB BitLocker Drive Encryption failed to recover from an abruptly terminated Conversion. This
Could be due to either all conversion logs being corrupted or the media being write-protected.
I'm not sure how to fix that, sorry
yayy
Can you explain about file "rock you"? I don´t understand how I create this file. What content will this file contain?
It’s a wordlist of possible passwords, if you google rock you it’ll come up
i was preparing to crack my friends Disk... luckily he found his Key last minute
Your guide won't work for a 20 character password with 256bit Bitlocker encryption in 2021 :) What modifications would you do to the guide for a 256bit 20+ char Bitlocker encryption ? Thanks
Wait for technology to improve, or wait for quantum computers to crack it lol
how long time would you say it should take for a 1tb drive? Mine has been running for 24 hours and still no bitlocker hashes yet.
Shouldn’t take more than two days
Well mine is seems like its frozen after some while. Possible to have somekind of status bar to see whether it works or not? It has been running for 2 days and still no hashes output.
I do not believe there is any status bar, you could try rerunning it, but that’s all that i can think of.
@@PentestsandTech mate can I get in contact with you through LinkedIn, FB or mail. Could I hire you to get the hash out for me?
Sorry i don’t crack hashes.
Does it usually take long to pass the "Invalid version, looking for a signature with a valid version..."?
it's kind of hit or miss, if it is spamming that then its not going to work, but if you get a couple then you're probably fine, unless it says TPM
@@PentestsandTech to me it says "VMK encrypted with TPM....not supported". Should I drop or keep it running? thanks from italy
@@alfdib drop it, TPM is not supported
@@PentestsandTech thanks done. Something doable over TPM?
just want to share my terrible experience. I had my maxtor 1T send to netherlands to recover data which only have 2 years life time then sudden death. Journey took 2 months. Yesterday i get my recovered data stored in a 2T seagate expansion+ but encrypted by bitlocker. the decryption process is hell long only 52% stuck, then i pause and shut down, next day it is unreadable and no way to format it. So bad seagate quality!
Is the microsoft bit locker kill the 2T seagate expension+ or it is a defective product manufactured in china 2020?