e-ago / bitcracker

BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker
GNU General Public License v2.0

Question about false positives #1

Closed kawuum closed 7 years ago

kawuum commented 7 years ago

Hi,

I am using bitcracker to crack the password of encrypted external HDDs. Surprisingly, for 4 volumes I found one false positive result for each in a one-week run (on a GTX1080). Removing the false positive words from the dictionary and resuming the attack leads to other false positive results.

Attacking the same volumes using the same dictionary with passware does not lead to false positive results.

I started out by using the bitcracker plugin in John Jumbo but also verified that the same happens using the latest bitcracker version (cloned today).

Can you advise in this case? Is it expected to find many false positives? I wanted to start out by asking you before digging into the code by myself.

Thanks for your help!

kawuum commented 7 years ago

Additionally, one side note: When I start the cracking process, bitcracker first finds an invalid signature and finds a signature with a valid version afterwards. I am not sure if this could have anything to do with the false positives. The output is:

```text
Opening file XXX
Signature found at 0x00100003
Version: 8
Invalid version, looking for a signature with valid version...
Signature found at 0x10a00000
Version: 2 (Windows 7 or later)
VMK entry found at ...
VMK entry found at ...
VMK entry found at ...
VMK entry found at ...
Key protector with user password found
```
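The signature search shown in the log above, as an added example in Python (not part of this thread and not BitCracker's own code): it scans a constructed image for the `-FVE-FS-` metadata signature, reads the 16-bit version field at header offset 10, and skips any candidate whose version is not 1 (Vista) or 2 (Windows 7 or later), which is the behaviour behind "Version: 8 Invalid version" being reported before the real header is found. The header layout is the one documented for libbde; the sample image, its offsets and the decoy header are constructed for the demonstration.

```python
import struct

FVE_SIGNATURE = b"-FVE-FS-"
# Versions BitLocker metadata headers are known to carry (libbde documentation).
VALID_VERSIONS = {1: "Windows Vista", 2: "Windows 7 or later"}


def scan_signatures(image: bytes):
    """Yield (offset, version) for every candidate FVE metadata header.

    Header layout (libbde): bytes 0-7 signature, 8-9 size, 10-11 version,
    all little-endian. Candidates too close to the end to hold a header are skipped.
    """
    pos = image.find(FVE_SIGNATURE)
    while pos != -1:
        if pos + 12 <= len(image):
            version = struct.unpack_from("<H", image, pos + 10)[0]
            yield pos, version
        pos = image.find(FVE_SIGNATURE, pos + 1)


def find_valid_metadata(image: bytes):
    """Return (offset, version, log) of the first header with a known version.

    Candidates with an unknown version are logged and skipped, mirroring the
    "Invalid version, looking for a signature with valid version..." message.
    """
    log = []
    for off, ver in scan_signatures(image):
        if ver in VALID_VERSIONS:
            log.append(f"Signature found at 0x{off:08x} Version: {ver} ({VALID_VERSIONS[ver]})")
            return off, ver, log
        log.append(f"Signature found at 0x{off:08x} Version: {ver} Invalid version, "
                   "looking for a signature with valid version...")
    return None, None, log


def build_sample_image() -> bytes:
    """Constructed sample: a stray signature with version 8 at an unaligned
    offset, followed by a genuine-looking header with version 2."""
    img = bytearray(0x4000)
    decoy = FVE_SIGNATURE + struct.pack("<HH", 0x30, 8)   # size, version 8
    real = FVE_SIGNATURE + struct.pack("<HH", 0x2D0, 2)   # size, version 2
    img[0x1003:0x1003 + len(decoy)] = decoy
    img[0x3000:0x3000 + len(real)] = real
    return bytes(img)


if __name__ == "__main__":
    offset, version, messages = find_valid_metadata(build_sample_image())
    print("\n".join(messages))
```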

e-ago commented 7 years ago

Hi,

I've tested this tool with images encrypted with Windows 7, 8.1 and 10 and I never had a false positive in case of passwords between 8 and 27 characters, using both my images and JtR test cases; this is an interesting case. Looking at your output, probably there is some issue related to the detection of the VMK within the encrypted image.

Could you send me the following:

Thank you

kawuum commented 7 years ago

Hi,

Since this is a forensic examination, I cannot provide you with all the information.

I do not have the real password, nor do I know the Windows version used to encrypt the HDD. Since bdeinfo finds a Password Key Protector, I thought it is safe to assume that the password method was used to encrypt the HDD, but I might be completely wrong.

Here is what I have:

--> bitlocker2John does not find a signature:

```text
sudo ./JohnTheRipper-bleeding-jumbo/run/bitlocker2john /dev/mapper/loop0p1
Error while extracting data: No signature found!
```

--> Then I tried with bdeinfo (i.e. method 2 in the OpenCL BitLocker wiki) and this gives me the following output:

```text
sudo ./bitlocker2john-master/bdetools/bdeinfo /dev/mapper/loop0p1 -p dummy
bdeinfo 20170204

masked_hashes

BitLocker Drive Encryption information:
Encryption method        : AES-CBC 128-bit
Volume identifier        : masked_id
Creation time            : Jun 18, 2015 13:17:05.349555700 UTC
Description              : NB011 media2048 6/18/2015
Number of key protectors : 4

Key protector 0:
Identifier               : masked_id
Type                     : Recovery password

Key protector 1:
Identifier               : masked_id
Type                     : Startup key

Key protector 2:
Identifier               : masked_id
Type                     : Startup key

Key protector 3:
Identifier               : masked_id
Type                     : Password

Unable to unlock volume.
```

--> I was using the $bitlocker$... hash for John.

--> Here is the output of bitcracker:

```text
---------> BitCracker: BitLocker password cracking tool <---------

# Platform: 0, # Devices: 8

====================================
Selected device: GeForce GTX 1080 (ID: 0) properties
====================================
Hardware version: OpenCL 1.2 CUDA
Software version: 375.26
OpenCL C version: OpenCL C 1.2
Max Global Memory Size: 8507555840
Max Global Memory Alloc Size: 2126888960
Max Const Memory Buffer Size: 65536
Device Address Bits: 64
Parallel compute units: 20
Max Workgroup Size: 1024
Vendor: NVIDIA Corporation
CC: 6.1
Registers per block: 65536
Warp Size: 32
Overlap Memory and Kernel: 1

For this session, BitCracker requires at least 268435456 bytes of memory

Setting context on Platform 0, Device 'GeForce GTX 1080' (ID: 0)

====================================
Extracting data from disk image
====================================
Opening file image.bin
Signature found at 0x00100003
Version: 8
Invalid version, looking for a signature with valid version...
Signature found at 0x10a00000
Version: 2 (Windows 7 or later)
VMK entry found at 0x10a000ac
VMK entry found at 0x10a0020c
VMK entry found at 0x10a002dc
VMK entry found at 0x10a003ac
Key protector with user password found

====================================
Dictionary attack
====================================
Starting OpenCL attack:
Local Work Size: 1024
Work Group Number: 4
Global Work Size: 4096
Password per thread: 8
Password per kernel: 65536
Dictionary: ../testwordlist.txt

OpenCL Kernel execution #0
Effective number psw: 4
Time: 19.968502 sec
Passwords x second: 0.20 pw/sec

================================================
OpenCL attack completed
Passwords evaluated: 4
Password found: [countosic]
================================================

Tot passwords evaluated: 4
```

--> False positive passwords for the hash provided above are: "countosic", "alt-csurg" (without the quotes)

Thanks very much for your help!

e-ago commented 7 years ago

Thank you for providing me the info. I'll try to reproduce the test with the JtR bitlocker hash. In the meanwhile please pull again and run the CUDA version. I need to know if the VMK value extracted by this standalone version is the same as the one of the JtR tool.

kawuum commented 7 years ago

Thanks for looking into this! Here is the output with the latest version:

```text
./bitcracker_cuda -i ../image.bin -d ../testwordlist.txt

---------> BitCracker: BitLocker password cracking tool <---------

====================================
Selected device: GPU GeForce GTX 1080 (ID: 0) properties
====================================
Compute capability: 6.1
Clock rate: 1733500
Clock rate: 1734 MHz (1.73 GHz)
Memory Clock Rate (KHz): 5005000
Memory Bus Width (bits): 256
Peak Memory Bandwidth (GB/s): 320.320000
Device copy overlap: Enabled
Async memory engine count: 2
Concurrent kernels: 1
Kernel execition timeout: Disabled
Total global mem: 8507555840 bytes
Free memory: 8055619584 bytes
Texture Alignment: 512
Multiprocessor count: 20
Shared mem per mp: 49152
Registers per mp: 65536
Threads in warp: 32
Max threads per block: 1024
Max thread dimensions: (1024, 1024, 64)
Max grid dimensions: (2147483647, 65535, 65535)

For this session, BitCracker requires at least 268697600 bytes of memory

====================================
Extracting data from disk image
====================================
Opening file image.bin
Signature found at 0x00100003
Version: 8
Invalid version, looking for a signature with valid version...
Signature found at 0x10a00000
Version: 2 (Windows 7 or later)
VMK entry found at 0x10a000ac
VMK entry found at 0x10a0020c
VMK entry found at 0x10a002dc
VMK entry found at 0x10a003ac
Key protector with user password found
Nonce: masked_id
MAC: masked_id
VMK: masked_id

====================================
Dictionary attack
====================================
Starting CUDA attack:
CUDA Threads: 1024
CUDA Blocks: 1
Psw per thread: 8
Max Psw per kernel: 8192
Dictionary: ../testwordlist.txt

CUDA Kernel execution:
Stream 0
Effective number psw: 4
Time: 20.224299 sec
Passwords x second: 0.20 pw/sec

================================================
CUDA attack completed
Passwords evaluated: 4
Password found: [countosic]
================================================
```

e-ago commented 7 years ago

Probably, I've found the reason for the false positives. I'm trying to check if the issue can be fixed; I'll let you know in 2 or 3 days.

kawuum commented 7 years ago

Great, thanks.

If there is anything I can help you with, please let me know.

e-ago commented 7 years ago

Please pull the most updated version and run your tests again with the -s option: this new check seems to fix the issue of your false positives, but it still finds the right password for this repo's images encrypted with Windows 7, 8.1 and 10. Unfortunately this check is empirically verified only (i.e. I need to prove it according to the format); in the next release I will improve BitCracker with an additional (but slower) final MAC check. Please let me know the result of your tests.

NB: in this new version you can use the JtR BitLocker hash you posted in this issue; see the updated README.

e-ago commented 7 years ago

Please pull again, I've included a new default check totally compliant with the standard. It avoids your false positives even without the -s option.