
VMK not encrypted with AES-CCM about bitcracker HOT 26 OPEN

e-ago commented on September 4, 2024
VMK not encrypted with AES-CCM

from bitcracker.

Comments (26)

Jason-Voorhees commented on September 4, 2024

Hi, I've got a problem with BitLocker, which uses TPM (Windows 8, I suppose); the error message says "Error: VMK not encrypted with AES-CCM". I've got the password, but due to a TPM issue it doesn't unlock the drive. Is there some chance to retrieve the 48-digit key to unlock it?

e-ago commented on September 4, 2024

Is the Windows Vista info correct? Which authentication method did you choose to encrypt your device? What's the size of your image?

hammi1 commented on September 4, 2024

The Windows Vista bit IS correct, and it finished with

`Error while extracting data: No signature found!

Error while parsing input device image`

The size of the image is 130GB. I dd'ed it from the partition into an IMG file (4096 block size).

I'm not sure of the auth method, because I bitlocked this many years ago, but I remember that it had a TPM key with it, so that the password by itself can't unlock it, only the recovery key can.

hammi1 commented on September 4, 2024

I'm not sure if this helps or not, but using bdeinfo on the img file shows that it was encrypted using AES-CBC 128-bit with Diffuser.

I'm thinking that this may be different to AES-CCM.

e-ago commented on September 4, 2024

Probably the metadata in your encrypted image is organized in a different way with respect to the tests I've done until now. May I ask you to send me the first 256Kb of your image?

hammi1 commented on September 4, 2024

Sure, I can do that. I'm a bit unsure of how to copy that though, people are saying I can use dd, or dd and truncate, and some other potential solutions. I don't have enough space for a second image so can I dd only a portion of it?

hammi1 commented on September 4, 2024

I have potentially found a way to do it. I used the cat command and piped it through to head, with

cat image.img | head -c 32000

Since you specified 256Kb, in kilobits, that is 32 kilobytes.

Furthermore, how should I attach this? Should I just attach this as a file to the issue?

e-ago commented on September 4, 2024

I'm sorry, I meant 256 KB. Yes, you can attach the file here.

hammi1 commented on September 4, 2024

I have redone the command with "head -c 256000" instead, and attached the file image.txt.

GitHub only supports certain files, so I have chosen txt, but obviously, as you know, it's not a text format; it's simply the first 256KB of the bitlocked image.

e-ago commented on September 4, 2024

I edited this comment, thus I'm tagging you @hammi1

Looking at the output, in this first signature there is some interesting info about the encryption of your device.
Unfortunately, not all the info needed by BitCracker to perform the attack is there, so you should also send me the 256 KB starting some bytes before address 0x16dad00.

You can try with something like:
dd skip=23964908 count=262144 bs=1

This would copy from byte 23964908 (i.e. 0x16DACEC) to byte 24227052 from its input to its output, and discard the rest (source: https://stackoverflow.com/questions/218912/linux-command-like-cat-to-read-a-specified-quantity-of-characters).

hammi1 commented on September 4, 2024

Hi, sorry for the delay in replying. I didn't notice there was an update until today.

I have attached the image.txt file again, retrieved from the command you put out (amending if=bitlock.img of=image.txt )

Thanks again for looking into this.

image.txt

e-ago commented on September 4, 2024

@hammi1 Unfortunately the -FVE-FS- signature is not present in the file you sent.
Could you open your image with a hex editor (i.e. Hex Fiend) and find the -FVE-FS- around offset 0x16dad000? I need that part of the encrypted image.

ejtaal commented on September 4, 2024

Hi @e-ago , I'm having the same issue as described above, while doing a build review on a laptop with what also seems to be a TPM encrypted partition. It's running Windows 7 Enterprise N. I can send whatever data you need, just send me the dd command you require. Here's the output I have so far:

# ./bitcracker_hash -i /dev/sda2 

---------> BitCracker Hash Extractor <---------
Opening file /dev/sda2

Signature found at 0x00000003
Version: 8 
Invalid version, looking for a signature with valid version...

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Error: VMK not encrypted with AES-CCM (0,8)
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Error: VMK not encrypted with AES-CCM (ffffff93,ffffffe0)

Signature found at 0x22fd3f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd3f123
VMK encrypted with Recovery Password found at 0x22fd3f144
Searching AES-CCM from 0x22fd3f144
Salt: 5c3394362de000247d3c4d6b27803507
Error: VMK not encrypted with AES-CCM (0,8)
Searching AES-CCM from 0x22fd3f144
Salt: 05000100e0d1e593b7e7d30103000000
Error: VMK not encrypted with AES-CCM (ffffff93,ffffffe0)

Signature found at 0x24b958000
Version: 2 (Windows 7 or later)

VMK entry found at 0x24b958123
VMK encrypted with Recovery Password found at 0x24b958144
Searching AES-CCM from 0x24b958144
Salt: 5c3394362de000247d3c4d6b27803507
Error: VMK not encrypted with AES-CCM (0,8)
Searching AES-CCM from 0x24b958144
Salt: 05000100e0d1e593b7e7d30103000000
Error: VMK not encrypted with AES-CCM (ffffff93,ffffffe0)

ejtaal commented on September 4, 2024

Based on the above I took a guess and did the following:

# printf "%d\n" 0x22fd2f000
9392287744 
# dd if=/dev/sda2 count=256 bs=1k > dev_sda2_first_256k.bin
256+0 records in
256+0 records out
262144 bytes (262 kB, 256 KiB) copied, 0.0620299 s, 4.2 MB/s
# dd if=/dev/sda2 count=256k bs=1 skip=9392287000 > dev_sda2_256k_9392287000b_skipped.bin
262144+0 records in
262144+0 records out
262144 bytes (262 kB, 256 KiB) copied, 0.532778 s, 492 kB/s


tpm_bitlocker_bitcracker_debug.zip

from bitcracker.
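Added example, not part of the original thread or of BitCracker: one way to find every `-FVE-FS-` signature in an image and carve a byte-exact 256 KiB window starting shortly before each hit, which is the extraction step requested above. It assumes GNU grep; the function names, file names and sample image are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU grep (-a -b -o) plus dd,
# tail and head. Function and file names are illustrative.

SIG='-FVE-FS-'
KIB256=$((256 * 1024))   # 262144 bytes; 256000 and 32000 both fall short

# Print the decimal byte offset of every signature occurrence, one per line.
find_fve_offsets() {
    LC_ALL=C grep -abo -F -e "$SIG" "$1" | cut -d: -f1
}

# carve IMG OFFSET LENGTH OUT: copy LENGTH bytes starting at byte OFFSET
# (decimal or 0x-prefixed hex). dd counts skip= and count= in blocks of bs,
# not in bytes, so the offset is split into whole 4096-byte blocks plus a
# remainder that tail and head trim off. This stays byte-accurate without
# falling back to the slow bs=1.
carve() {
    c_img=$1; c_off=$(($2)); c_len=$(($3)); c_out=$4
    c_bs=4096
    c_skip=$((c_off / c_bs))
    c_lead=$((c_off % c_bs))
    c_count=$(( (c_lead + c_len + c_bs - 1) / c_bs ))
    dd if="$c_img" bs="$c_bs" skip="$c_skip" count="$c_count" 2>/dev/null |
        tail -c +"$((c_lead + 1))" | head -c "$c_len" > "$c_out"
}

# carve_fve_windows IMG BEFORE LENGTH PREFIX: for each signature, carve LENGTH
# bytes starting BEFORE bytes ahead of it (clamped to the start of the image)
# and print "<signature offset> <output file>".
carve_fve_windows() {
    w_img=$1; w_before=$2; w_len=$3; w_prefix=$4
    find_fve_offsets "$w_img" | while read -r hit; do
        start=$((hit - w_before))
        if [ "$start" -lt 0 ]; then start=0; fi
        out="${w_prefix}_$(printf '0x%x' "$hit").bin"
        carve "$w_img" "$start" "$w_len" "$out"
        printf '%s %s\n' "$hit" "$out"
    done
}

# Constructed sample image (not a real volume): one signature at offset 3, as
# in a volume header, and one at offset 10000 standing in for a metadata block.
# A NUL, a newline and a 0xFF byte are included to exercise binary-safe search.
make_sample_image() {
    {
        printf '\353\130\220%s' "$SIG"
        printf '%9986s\000\n\377' ''
        printf '%s%300000s' "$SIG" ''
    } > "$1"
}

# Usage on a real image (placeholder name):
#   carve_fve_windows bitlock.img 744 "$KIB256" fve
```

With 744 bytes of lead-in the signature sits at offset 0x2e8 of each carved file, which matches the "Signature found at 0x000002e8" position reported for the carved file in this thread.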

e-ago commented on September 4, 2024

@ejtaal I found the signature -FVE-FS- in your file and it seems that the AES-CCM signature flag is at a different offset. Later I'll push some changes to the hash_extractor according to this new offset. In the meantime, you could try to attack this recovery password hash:

$bitlocker$2$16$5c3394362de000247d3c4d6b27803507$1048576$12$e0d1e593b7e7d30104000000$60$b8abaf114057bc9f5b6d259db56c671181e10a111b0ca2da56bbf0f0c6a71c148211cf6e39ed496bcdbfa76290dd5951ee09e930f768caa4f5a23e6b

I can confirm there is a TPM part at a certain point. This is the complete output:

---------> BitCracker Hash Extractor <---------
Opening file dev_sda2_256k_9392287000b_skipped.bin

Signature found at 0x000002e8
Version: 2 (Windows 7 or later)

VMK entry found at 0x0000040b
VMK encrypted with Recovery Password found at 0x0000042c
Searching AES-CCM from 0x0000042c
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x000004d9
Error: VMK not encrypted with AES-CCM (0x00000000,0x00000008),  offset=0x000004db
Offset=0x00000489
VMK encrypted with AES-CCM (0x0000048b)

Nonce: e0d1e593b7e7d30104000000
MAC: b8abaf114057bc9f5b6d259db56c6711

VMK entry found at 0x000004db
VMK encrypted with TPM...not supported! (0x000004fc)

Signature found at 0x000102e8
Version: 2 (Windows 7 or later)

VMK entry found at 0x0001040b

VMK entry found at 0x000104db
VMK encrypted with TPM...not supported! (0x000104fc)
VMK: 81e10a111b0ca2da56bbf0f0c6a71c148211cf6e39ed496bcdbfa76290dd5951ee09e930f768caa4f5a23e6b
Recovery Key hash:
$bitlocker$2$16$5c3394362de000247d3c4d6b27803507$1048576$12$e0d1e593b7e7d30104000000$60$b8abaf114057bc9f5b6d259db56c671181e10a111b0ca2da56bbf0f0c6a71c148211cf6e39ed496bcdbfa76290dd5951ee09e930f768caa4f5a23e6b

from bitcracker.
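Added example, not BitCracker's own code: the hash line above is the extractor's Salt, Nonce, MAC and VMK values joined with their byte lengths, and this check splits a line back into those fields and rejects one whose declared lengths do not match its hex data. The field names are this example's own, reading 1048576 as an iteration count is an assumption, and the sample hash is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Layout as it appears on the page:
#   $bitlocker$<kind>$<salt len>$<salt>$<count>$<nonce len>$<nonce>$<data len>$<MAC||VMK>
# Lengths are in bytes, values are hex. <count> is read here as an iteration
# count, which is an assumption.

# parse_bitlocker_hash HASH: print the fields one per line, or return 1 if the
# line is malformed or a declared length disagrees with the data.
parse_bitlocker_hash() {
    prefix='$bitlocker$'
    body=${1#"$prefix"}
    [ "$body" != "$1" ] || return 1            # prefix missing

    old_ifs=$IFS; IFS='$'; set -f
    set -- $body                               # split the remainder on '$'
    set +f; IFS=$old_ifs
    [ "$#" -eq 8 ] || return 1

    kind=$1; salt_len=$2; salt=$3; iter=$4
    nonce_len=$5; nonce=$6; data_len=$7; data=$8

    for n in "$kind" "$salt_len" "$iter" "$nonce_len" "$data_len"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    case "$salt$nonce$data" in *[!0-9a-fA-F]*) return 1 ;; esac

    # Two hex characters per declared byte.
    [ "${#salt}"  -eq $((2 * salt_len)) ]  || return 1
    [ "${#nonce}" -eq $((2 * nonce_len)) ] || return 1
    [ "${#data}"  -eq $((2 * data_len)) ]  || return 1
    [ "$data_len" -gt 16 ] || return 1         # 16-byte MAC plus ciphertext

    # The data field is the 16-byte MAC followed by the encrypted VMK.
    mac=$(printf '%.32s' "$data")
    vmk=${data#"$mac"}

    printf 'kind=%s\nsalt=%s\niterations=%s\nnonce=%s\nmac=%s\nvmk=%s\n' \
        "$kind" "$salt" "$iter" "$nonce" "$mac" "$vmk"
}

# Constructed sample hash with filler values (not taken from any real volume):
# 16-byte salt, 12-byte nonce, 16-byte MAC of 0xaa, 44-byte VMK of 0xbb.
sample_hash() {
    printf '$bitlocker$2$16$%s$1048576$12$%s$60$%s%s\n' \
        00112233445566778899aabbccddeeff 0102030405060708090a0b0c \
        "$(printf '%32s' '' | tr ' ' a)" "$(printf '%88s' '' | tr ' ' b)"
}
```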

remitavenot commented on September 4, 2024

I think I have the same problem

root@kali:/bitcracker/build# ./bitcracker_hash -i /dev/nvme0n1p4

---------> BitCracker Hash Extractor <---------
Opening file /dev/nvme0n1p4

Signature found at 0x00000003
Version: 8
Invalid version, looking for a signature with valid version...

Signature found at 0x041ed000
Version: 2 (Windows 7 or later)

VMK entry found at 0x041ed15b
VMK encrypted with Recovery Password found at 0x041ed17c
Searching AES-CCM from 0x041ed17c
Salt: 6c00740061000000ea00000003000100
Offset=0x041ed229
Error: VMK not encrypted with AES-CCM (0x3a,0x17), offset=0x041ed22b
Offset=0x041ed1d9
Error: VMK not encrypted with AES-CCM (0x54,0xaa), offset=0x041ed1db
Searching AES-CCM from 0x041ed17c
Salt: 6642f81c548037601de3816250816c4e
Offset=0x041ed23d
Error: VMK not encrypted with AES-CCM (0x0,0x14), offset=0x041ed23f
Offset=0x041ed1ed
VMK encrypted with AES-CCM (0x041ed1ef)

Nonce: d03d9186660cd40138000000
MAC: a9e84bc5af3a4034ffacb780b42ca681

Signature found at 0x43e00000
Version: 2 (Windows 7 or later)

VMK entry found at 0x43e0015b

Signature found at 0x83e00000
Version: 2 (Windows 7 or later)

VMK entry found at 0x83e0015b

VMK entry found at 0xa47bd055
^C
root@kali:/bitcracker/build# printf "%d\n" 0x041ed000
69128192
root@kali:/bitcracker/build# dd if=/dev/nvme0n1p4 count=256 bs=1k > dev_nvmen1p4_256k.bin
256+0 records in
256+0 records out
262144 bytes (262 kB, 256 KiB) copied, 0.0012522 s, 209 MB/s
root@kali:/bitcracker/build# dd if=/dev/nvme0n1p4 count=256 bs=1k skip=69128100 > dev_nvmen1p4_256k_69128100.bin
256+0 records in
256+0 records out
262144 bytes (262 kB, 256 KiB) copied, 0.000691548 s, 379 MB/s

bitcracker_debug.zip

remitavenot commented on September 4, 2024

Sorry for that, I did not wait enough. I finally had the hash ;).
Thanks a lot

e-ago commented on September 4, 2024

@remitavenot could you paste the complete output?
@ejtaal Any news?

ejtaal commented on September 4, 2024

`# ./bitcracker_hash -i /dev/sda2

---------> BitCracker Hash Extractor <---------
Opening file /dev/sda2

Signature found at 0x00000003
Version: 8
Invalid version, looking for a signature with valid version...

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123
VMK encrypted with Recovery Password found at 0x22fd2f144
Searching AES-CCM from 0x22fd2f144
Salt: 5c3394362de000247d3c4d6b27803507
Offset=0x22fd2f1f1
Error: VMK not encrypted with AES-CCM (0x0,0x8), offset=0x22fd2f1f3
Offset=0x2fd2f1a1
Error: VMK not encrypted with AES-CCM (0x72,0xf9), offset=0x2fd2f1a3
Searching AES-CCM from 0x22fd2f144
Salt: 05000100e0d1e593b7e7d30103000000
Offset=0x22fd2f205
Error: VMK not encrypted with AES-CCM (0x93,0xe0), offset=0x22fd2f207
Offset=0x2fd2f1b5
Error: VMK not encrypted with AES-CCM (0x64,0xe8), offset=0x2fd2f1b7

Error while extracting data: No signature found!

Error while parsing input device image`

from bitcracker.

ejtaal avatar ejtaal commented on September 4, 2024

I'm not sure what's going wrong. If I run the latest code against the dd extracted file it extracts the hash just like in your post. Should the hash extractor not seek to the proper locations just like our dd command? From monitoring the extractor only read about 250MB of the drive in an hour before it quit, while the hash from the dd file came from an area about 9GB into the device. I probably only have tomorrow left to check this laptop before having to hand it back.

from bitcracker.

hammi1 avatar hammi1 commented on September 4, 2024

Hi, sorry again for the late reply. I am using Linux (cannot use HexFiend), not sure how to use the other hex editors to find the -FVE-FS- signature. Do I need to attach any segments of the image or just the address of what's needed?

from bitcracker.

hammi1 avatar hammi1 commented on September 4, 2024

Update: I ran the bitcracker_hash file again since when I last ran it, and I have different (perhaps more promising) results here.

Signature found at 0x00000003
Version: 8 
Invalid version, looking for a signature with valid version...

Signature found at 0x16dad000
Version: 1 (Windows Vista)

VMK entry found at 0x16dad177
VMK encrypted with Recovery Password found at 0x16dad198
Searching AES-CCM from 0x16dad198
Salt: 5b2eb594d822bcd2e20cf10a0e1da4c5
Offset=0x16dad245
Error: VMK not encrypted with AES-CCM (0x0,0x8),  offset=0x16dad247
Offset=0x16dad1f5
VMK encrypted with AES-CCM (0x16dad1f7)

Nonce: 008b543179bccb012a000000
MAC: 930539d51f018697c76e69b0f065f358

VMK entry found at 0x16dad247

VMK entry found at 0xb906ff6e

VMK entry found at 0x2d005e20d

VMK entry found at 0x39d91cbab

VMK entry found at 0x3ab54e194

VMK entry found at 0x5f860e60c

VMK entry found at 0x6314d56cd

This version of bitcracker found some aes-ccm encrypted VMKs, perhaps a hash can come from this? I wasn't able to leave it running for long, but as long as I left it, it was just producing those VMK messages until I cancelled. Is it worth running overnight to see if a recovery hash can be produced?

from bitcracker.

ejtaal avatar ejtaal commented on September 4, 2024

I've made a copy of the first 30GB of the bitlocker partition to check any code update against if you like. Running bitcracker_hash on the laptop itself a second time today again doesn't yield the hash and gives the same error as I posted above after about an hour of running.

from bitcracker.

hammi1 avatar hammi1 commented on September 4, 2024

@e-ago I have found the -FVE-FS- signature using a hex editor at the same offset you said, 0x16dad000 (I think), so how much do I need to send you, and how do I send the relevant info? Do I use the same method of dd skip=23964908 count=262144 bs=1 or something like that?

Thanks a lot

EDIT:

I seem to have found a recovery key hash by running hashextractor on the first 1gb of the image by cat'ing it to another image and running it on that instead.

from bitcracker.

e-ago avatar e-ago commented on September 4, 2024

I've just pushed an updated version of the hash extractor.

@ejtaal Try this new extractor. It would be great if you could send me this 30GB image so I can do some tests myself: with my (smaller) encrypted images it works perfectly, so there should be some problem related to the size (it worked correctly with the sample you sent me) or to the structure of your BDE volume. As you may notice in your output, the extractor loops on the same address:

Signature found at 0x22fd2f000
Version: 2 (Windows 7 or later)

VMK entry found at 0x22fd2f123

EDIT: @ejtaal would you be able to provide an image encrypted as yours (TPM + Recovery password with Windows 7 Enterprise N) but with a known recovery password?

@hammi1 Try this new extractor; if it doesn't work I need a sample (about 256KB) of your image starting from 0x16dacffc

from bitcracker.
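Added example (not part of the thread and not BitCracker's own code): a chunked scan for the `-FVE-FS-` signature that works on images larger than memory, plus carving a sample around a hit, as discussed in the comments above. `find_signatures`, `carve` and `low32` are hypothetical names and the image is constructed; `low32` only shows that the odd `Offset=` values in the looping log match 64-bit offsets cut to 32 bits, which the thread does not confirm as the cause.

```python
import io

SIGNATURE = b"-FVE-FS-"      # BitLocker metadata signature named in the thread
SAMPLE_LEN = 256 * 1024      # sample size requested in the thread

def find_signatures(stream, chunk_size=1 << 20):
    """Yield the absolute byte offset of every SIGNATURE in a binary stream."""
    keep = len(SIGNATURE) - 1          # bytes carried over so a split hit is seen
    tail, base = b"", 0                # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        hit = buf.find(SIGNATURE)
        while hit != -1:
            yield base + hit
            hit = buf.find(SIGNATURE, hit + 1)
        tail = buf[-keep:]
        base += len(buf) - len(tail)

def carve(stream, offset, length=SAMPLE_LEN):
    """Return up to `length` bytes starting at absolute `offset`."""
    stream.seek(offset)
    return stream.read(length)

def low32(offset):
    """What a 64-bit offset becomes if it is stored in a 32-bit variable."""
    return offset & 0xFFFFFFFF

def demo():
    # Constructed image: one signature at offset 3, one straddling a chunk boundary.
    image = bytearray(4096)
    image[3:11] = SIGNATURE
    image[1020:1028] = SIGNATURE
    stream = io.BytesIO(bytes(image))
    hits = list(find_signatures(stream, chunk_size=1024))
    sample = carve(stream, hits[1] - 4, length=16)   # start 4 bytes before the hit
    return hits, sample

if __name__ == "__main__":
    hits, sample = demo()
    print([hex(h) for h in hits], sample)
    # In the working log the two Offset= values differ by 0x50 (0x16dad245, 0x16dad1f5).
    # Applying the same gap to the looping log's 0x22fd2f205 and keeping 32 bits
    # reproduces its second Offset= value.
    print(hex(low32(0x22fd2f205 - 0x50)))
```

For a real image, pass `open(path, "rb")` instead of the `BytesIO` object; Python integers and file offsets are not limited to 32 bits, so hits beyond 4GB are reported with their full value.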

hammi1 avatar hammi1 commented on September 4, 2024

Hi again e-ago,

Not going onto this issue (and don't want to open another one) but I'm just commenting to ask if the recovery hash is still valid for recovery key protected drives using TPM? On the readme it says TPM isn't supported, but from my knowledge the recovery key is the single common factor across all Bitlocker encrypted drives, so would the hash still be able to be cracked by the likes of JtR?

Many thanks.

from bitcracker.
