Bitlocker cracking


careless223

I thought of this idea driving home from working out and debating whether I should buy Vista tomorrow.

So I got to thinking about Bitlocker drive encryption. Apparently it encrypts system files and the swap space along with all the user's files. So what I was thinking (this is still just theory) is that if the system files are encrypted, which includes little files that don't vary such as icons, you can take the encrypted file and compare it to an unencrypted version of that file to determine the password used to encrypt it with. For example: the Firefox icon. If you have a Firefox icon that is encrypted with Bitlocker and one that is not, could you theoretically scan and compare the two files to find the original password used to encrypt them? It is encrypted with AES, which is essentially just an algorithm that you plug the password into, which then generates the rules for encrypting that file or, in this case, the entire drive. Then with the password in hand you could decrypt the entire drive.

Is this even possible or am I just stupid?


You are not stupid :P

This depends upon how the encryption is implemented.

If the implementation is any good, it should be impossible to get directory listings, let alone the data for a file.

So, while you are correct in one respect (being able to work out the key used to encrypt a file if you have the encrypted file and the unencrypted file), you are (hopefully) wrong in another respect (it should be impossible to distinguish one file's data from any other file's data on an encrypted volume).


Well from what I understand and have read, it does not encrypt the FAT table. So from there could you not go to the physical portion of the disk to get the file if you know that it is so many bits in length?

If that's true (and I don't know whether it is or it isn't), then theoretically you could, I suppose. There is probably a good reason that doesn't work that I'm currently blind to, lol.


Well from what I understand and have read, it does not encrypt the FAT table. So from there could you not go to the physical portion of the disk to get the file if you know that it is so many bits in length?

I don't think that's right; well, I know it's not right. First of all, NTFS doesn't have a FAT, it has an MFT, and the MFT is encrypted (clicky).


They're right. With the encryption in place, it encrypts the whole volume, not just on a file-by-file basis. It looks like random data when it is encrypted.

Good thinking though, when you think like that you cross from the realm of being a script kiddie :-). If you have more ideas like this, please feel free to share them with us! I always like to entertain new ideas like this. And who knows, you might stumble on to something that everyone can benefit from! I know I am always adding to my Pen Testing kit, or my overall understanding.


Known plaintext attacks aren't exactly a new idea, they've been used for a very long time.

Well yes, but easily cracking hard-drive encryption is not really mainstream. I wasn't saying it was a NEW idea, but I was applauding his efforts to develop a methodology to make a somewhat tedious effort a little easier.

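Two points from the replies above are worth seeing in working code: that a properly encrypted volume looks like random data, and what a known-plaintext attack against AES actually buys an attacker. Having the plaintext of an icon and its ciphertext does not let you invert AES to get the key; it only gives you an oracle that tells you whether a guessed key is right. That oracle is devastating when the key is derived from something small, such as a short PIN, and useless when the key is a random 128- or 256-bit value. The following Go program is an added example written for this page, not code from the thread or from BitLocker. The "icon" bytes are constructed, and the PIN-to-key derivation (keyFromPIN) is a deliberately weak hypothetical scheme used for illustration; it is not how BitLocker derives its volume key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// knownIcon is a constructed stand-in for a file whose content the attacker
// already has in the clear (the thread's Firefox icon example). 64 bytes = 4 AES blocks.
var knownIcon = bytes.Repeat([]byte("ICON-HEADER-v1.0"), 4)

// keyFromPIN derives an AES-128 key from a 4-digit PIN. This is a hypothetical,
// intentionally weak scheme for the demonstration; it is NOT BitLocker's key derivation.
func keyFromPIN(pin string) []byte {
	h := sha256.Sum256([]byte("demo-salt|" + pin))
	return h[:16]
}

// encryptCBC encrypts plaintext (a multiple of 16 bytes) with AES-128-CBC under key/iv.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// entropyBitsPerByte returns the Shannon entropy of data in bits per byte.
// Structured file data sits well below 8.0; ciphertext is indistinguishable from random.
func entropyBitsPerByte(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// recoverPIN is the known-plaintext attack. It cannot invert AES, so it tries every
// 4-digit PIN and returns the one whose derived key turns the known plaintext into the
// observed ciphertext. It returns "" when no PIN matches, e.g. when the key was random.
func recoverPIN(iv, ciphertext, plaintext []byte) string {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		if bytes.Equal(encryptCBC(keyFromPIN(pin), iv, plaintext), ciphertext) {
			return pin
		}
	}
	return ""
}

func main() {
	iv := make([]byte, 16)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}

	// Case 1: PIN-derived key. Known plaintext turns the ciphertext into a
	// guess-checking oracle and the search space is only 10^4.
	ct := encryptCBC(keyFromPIN("4271"), iv, knownIcon)
	fmt.Printf("plaintext entropy %.2f bits/byte, ciphertext entropy %.2f bits/byte\n",
		entropyBitsPerByte(knownIcon), entropyBitsPerByte(ct))
	fmt.Println("recovered PIN:", recoverPIN(iv, ct, knownIcon))

	// Case 2: random 128-bit key. The same oracle exists, but there are 2^128
	// candidates and no structure to exploit, so the PIN search finds nothing.
	randomKey := make([]byte, 16)
	if _, err := rand.Read(randomKey); err != nil {
		panic(err)
	}
	ct2 := encryptCBC(randomKey, iv, knownIcon)
	fmt.Printf("PIN search against random key: %q\n", recoverPIN(iv, ct2, knownIcon))
}
```

The takeaway for the thread's question: comparing an encrypted icon with a plaintext copy reduces full-disk encryption to a password-guessing problem only if the volume key is derived directly from a guessable secret. It never recovers the key from the two files themselves.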

I just read your blurb and it sort of fills in the holes in my logic.

So basically the files are encrypted until you access them right? Could you then maybe steal these files from a laptop or desktop that is logged on with a U3 thumbdrive via a batch script to copy the specific files that you need?


Yes and no. Vista no longer autoruns anything... sorry.

Have you tried the Hacksaw and the Switchblade on Vista? I don't have mine on me right now or I would try.

The Amish Switchblade kind of works on Vista, but it has trouble with the user passwords. It should be OK if someone rejigs it to work with NTLM.
