"--format=bitlocker" doesn't load a "hash" produced by bitlocker2john, but "--format=bitlocker-opencl" does

[PaulNevada]

Looked at FAQ and can't understand what's wrong...

[solardiz]

@PaulNevada Obviously, based solely on what you wrote, we can't understand this either. I'm closing this issue since it's not something we need to track, but please feel free to add comments.

[PaulNevada]

I use --bitlocker mode and it returns this error... The hash file is in utf-8 for sure...

[PaulNevada]

Help with that, please...

[solardiz]

Please copy-paste in here the specific commands you run. You're using bitlocker2john first, right? What version and build of John do you use, and on what OS?

Also specific to BitLocker, is there a human-chosen password involved? If not, then you're out of luck anyway.

[PaulNevada]

bitlocker2john -i c:\image john --format=bitlocker --wordlist=recovery_passwords.txt key1 --progress-every=3 john-1.9.0-jumbo-1-win64, windows 11 pro

yes, the volume is encrypted with the user password typed in...

[PaulNevada]

Also, I've found, that the mode --format=bitlocker-opencl works without errors... Am I right, this is the cpu one?

[solardiz]

OK, that's some progress towards understanding of the problem you're having. Here are the current guesses and other thoughts:

1. bitlocker2john somehow only found/extracted portions related to the recovery key, not to the user password. This could be if there's no user password set (in other words, if you're somehow wrong about "the volume is encrypted with the user password typed in") or if there's some incompatibility.
2. We "know" the above because bitlocker-opencl is more capable than the CPU bitlocker format in precisely this way, it's issue #3310.
3. "Am I right, this is the cpu one?" - no, it's the other way around - bitlocker-opencl is able to use GPUs, whereas bitlocker is CPU only.
4. In general, we recommend that instead of john-1.9.0-jumbo-1 you use our latest code from this repo, or a more recent Windows binary build available via the "Download Windows Build" badge from README.md in this repo. It currently links to https://github.com/openwall/john-packages/releases
5. We have in fact fixed some bugs related to BitLocker support since the john-1.9.0-jumbo-1 release.
6. With all of this said, I doubt even our latest code will find more than the recovery key related sections for you, and if it does not then like I said you're out of luck.

[solardiz]

One more:

7. We generally recommend starting without any --format option, and only then maybe adding such option if needed. The auto-detection should work fine, and will also tell you what other formats could have matched (so you can then choose one out of several with that option). In your case, it sounds like bitlocker-opencl would have been auto-detected, but bitlocker wouldn't be? Can you try (omitting the option) to confirm?

[PaulNevada]

Also, I've found, that the mode --format=bitlocker-opencl works without errors...

Am I right, this is the cpu one?

Here, I was mentioning exactly --format=bitlocker, asking my question 🙂 Thanks a lot for your comments! I'll give it a try and will let you know...

[PaulNevada]

Meanwhile - am I right thinking it's impossible at all - in my current case - with the quite strong user password (forgotten one) which is 20-25 characters long and of mixed words + symbols + registers --> to get it recovered?

[solardiz]

Yes, you generally won't be able to recover a BitLocker password "which is 20-25 characters long and of mixed words + symbols + registers" unless you recall a lot more about it (e.g., which specific few words could have been used, etc.) and focus the attack accordingly.

[solardiz]

Also, given that only bitlocker-opencl agreed to load your "hashes", you're probably not even testing any passwords correctly - probably only code suitable for machine-generated recovery keys runs correctly. So even if you had the correct password in your wordlist, it would likely not be detected.

[PaulNevada]

Understood... But, I'll try what you've offered above...