How do I extract a BitLocker hash for cracking with BitCracker?

Use the bitcracker_hash tool on your encrypted disk image. It validates the format, identifies if it's user or recovery password encrypted, and outputs hash files (e.g., hash_user_pass.txt) needed to start the attack, as detailed in the 'Prepare the attack' section.

BitCracker vs Hashcat for BitLocker cracking: which is better?

BitCracker is specialized for BitLocker with integrated hash extraction and recovery password support, while Hashcat is a general-purpose tool. Hashcat may have broader format support, but BitCracker offers research-backed optimizations; Hashcat integration is listed as 'work in progress' in the README.

Can BitCracker crack BitLocker with TPM enabled?

For recovery password attacks, no. The README explicitly states that recovery password attacks are not possible on TPM-encrypted devices. User password attacks might still work if a password is used, but TPM alone blocks this method.

What's the best GPU for running BitCracker?

Higher-end NVIDIA GPUs like Tesla V100 offer the best performance, with up to 3,252 passwords per second. Refer to the performance table in the README for specific benchmarks and match CUDA versions to your GPU architecture (e.g., SM version for Makefile).

How to generate wordlists for BitCracker recovery password attacks?

Use the bitcracker_rpgen tool to create wordlists. Specify options like -n for number of lists and -p for passwords per list, but note the search space is vast and uniform, making attacks time-consuming without prior clues.

Is BitCracker compatible with Windows operating system?

BitCracker is primarily built for Unix-like systems, as indicated by shell scripts and commands like dd. There's no mention of native Windows support; it likely requires a Linux environment or WSL for execution, which can be a barrier for Windows-only forensic setups.

BitCracker — GPU BitLocker Password Cracker

What is BitCracker?

BitCracker is an open-source password cracking tool specifically for storage devices encrypted with Microsoft BitLocker. It performs dictionary attacks to recover user passwords or recovery passwords, utilizing GPU acceleration via CUDA and OpenCL for speed. The tool extracts hashes from encrypted disk images and supports both fast attacks and MAC-verified modes to ensure accuracy.

Target Audience

Security researchers, forensic analysts, and penetration testers who need to assess or recover access to BitLocker-encrypted drives in legal or authorized testing scenarios.

Value Proposition

BitCracker is unique as the first open-source tool focused on BitLocker encryption, offering GPU-accelerated performance and compatibility with John The Ripper. Its research-backed approach and support for multiple attack modes provide a specialized solution for a niche in digital forensics.

BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker

Use Cases

Best For

Performing forensic analysis on BitLocker-encrypted drives
Testing password strength of BitLocker-protected storage
Recovering access to locked BitLocker volumes with forgotten passwords
GPU-accelerated dictionary attacks for security assessments
Researching BitLocker encryption vulnerabilities
Integrating with John The Ripper for extended cracking capabilities

Not Ideal For

Attempting to crack BitLocker drives encrypted with TPM for recovery passwords
General-purpose password cracking across multiple encryption types like VeraCrypt or LUKS
Situations requiring rapid recovery password brute-forcing without prior dictionary clues
Environments lacking compatible NVIDIA or OpenCL GPU hardware for acceleration

Pros & Cons

Pros

GPU-Optimized Performance

Leverages CUDA and OpenCL to achieve high hash rates, such as 6.820 MH/s on Tesla V100, making dictionary attacks significantly faster than CPU-based methods.

BitLocker-Specialized Attacks

Specifically designed for BitLocker encryption, supporting both user password (8-55 chars) and recovery password attacks, with integrated tools like bitcracker_hash for extraction.

Integration with John The Ripper

Hash files are compatible with John The Ripper's OpenCL-BitLocker format, allowing seamless use within established forensic toolchains for extended cracking capabilities.

False Positive Handling

Offers a MAC verification option (-m flag) to eliminate false positives at the cost of speed, ensuring accuracy in critical forensic scenarios.

Cons

TPM Encryption Limitation

Cannot attack recovery passwords on BitLocker volumes encrypted with Trusted Platform Module (TPM), a common enterprise security feature, as explicitly admitted in the README.

Complex Build and Tuning

Requires manual modification of Makefiles for specific GPU architectures and careful parameter adjustment (-t, -b flags) for optimal performance, which can be error-prone and time-consuming.

Recovery Password Attack Inefficiency

The recovery password search space is uniformly distributed and enormous, making brute-force attacks impractical without effective reduction strategies, as noted in the documentation.

Frequently Asked Questions

What is BitCracker?

Target Audience

Security researchers, forensic analysts, and penetration testers who need to assess or recover access to BitLocker-encrypted drives in legal or authorized testing scenarios.

Value Proposition

Use Cases

Best For

Performing forensic analysis on BitLocker-encrypted drives
Testing password strength of BitLocker-protected storage
Recovering access to locked BitLocker volumes with forgotten passwords
GPU-accelerated dictionary attacks for security assessments
Researching BitLocker encryption vulnerabilities
Integrating with John The Ripper for extended cracking capabilities

Not Ideal For

Attempting to crack BitLocker drives encrypted with TPM for recovery passwords
General-purpose password cracking across multiple encryption types like VeraCrypt or LUKS
Situations requiring rapid recovery password brute-forcing without prior dictionary clues
Environments lacking compatible NVIDIA or OpenCL GPU hardware for acceleration

Pros & Cons

Pros

GPU-Optimized Performance

Leverages CUDA and OpenCL to achieve high hash rates, such as 6.820 MH/s on Tesla V100, making dictionary attacks significantly faster than CPU-based methods.

BitLocker-Specialized Attacks

Specifically designed for BitLocker encryption, supporting both user password (8-55 chars) and recovery password attacks, with integrated tools like bitcracker_hash for extraction.

Integration with John The Ripper

Hash files are compatible with John The Ripper's OpenCL-BitLocker format, allowing seamless use within established forensic toolchains for extended cracking capabilities.

False Positive Handling

Offers a MAC verification option (-m flag) to eliminate false positives at the cost of speed, ensuring accuracy in critical forensic scenarios.

Cons

TPM Encryption Limitation

Cannot attack recovery passwords on BitLocker volumes encrypted with Trusted Platform Module (TPM), a common enterprise security feature, as explicitly admitted in the README.

Complex Build and Tuning

Requires manual modification of Makefiles for specific GPU architectures and careful parameter adjustment (-t, -b flags) for optimal performance, which can be error-prone and time-consuming.

Recovery Password Attack Inefficiency

The recovery password search space is uniformly distributed and enormous, making brute-force attacks impractical without effective reduction strategies, as noted in the documentation.

Frequently Asked Questions

BitCracker

What is BitCracker?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Found a gem we're missing?

BitCracker

What is BitCracker?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Found a gem we're missing?