github/hashcat
1
Fork 0
mirror of https://github.com/hashcat/hashcat synced 2024-11-20 23:27:31 +01:00
Code Releases Activity

fixes #1117: added -m 22100 = BitLocker

Browse Source
This commit is contained in:
philsmd 2019-12-31 18:42:13 +01:00
parent 4338f100e9
commit 1c1ed72c65
No known key found for this signature in database
GPG Key ID: 4F25D016D9D6A8AF
5 changed files with 1107 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

403
OpenCL/m22100-pure.cl Normal file
View File

@ -0,0 +1,403 @@
/**
* Author......: See docs/credits.txt
* License.....: MIT
*/
#define NEW_SIMD_CODE
#ifdef KERNEL_STATIC
#include "inc_vendor.h"
#include "inc_types.h"
#include "inc_platform.cl"
#include "inc_common.cl"
#include "inc_simd.cl"
#include "inc_hash_sha256.cl"
#include "inc_cipher_aes.cl"
#endif
typedef struct bitlocker
{
u32 type;
u32 iv[4];
u32 data[15];
} bitlocker_t;
typedef struct bitlocker_tmp
{
u32 last_hash[8];
u32 init_hash[8];
u32 salt[4];
} bitlocker_tmp_t;
KERNEL_FQ void m22100_init (KERN_ATTR_TMPS_ESALT (bitlocker_tmp_t, bitlocker_t))
{
/**
* base
*/
const u64 gid = get_global_id (0);
if (gid >= gid_max) return;
// sha256 of utf16le converted password:
sha256_ctx_t ctx0;
sha256_init (&ctx0);
sha256_update_global_utf16le_swap (&ctx0, pws[gid].i, pws[gid].pw_len);
sha256_final (&ctx0);
u32 w[16] = { 0 }; // 64 bytes blocks/aligned, we need 32 bytes
w[0] = ctx0.h[0];
w[1] = ctx0.h[1];
w[2] = ctx0.h[2];
w[3] = ctx0.h[3];
w[4] = ctx0.h[4];
w[5] = ctx0.h[5];
w[6] = ctx0.h[6];
w[7] = ctx0.h[7];
// sha256 of sha256:
sha256_ctx_t ctx1;
sha256_init (&ctx1);
sha256_update (&ctx1, w, 32);
sha256_final (&ctx1);
// set tmps:
tmps[gid].init_hash[0] = ctx1.h[0];
tmps[gid].init_hash[1] = ctx1.h[1];
tmps[gid].init_hash[2] = ctx1.h[2];
tmps[gid].init_hash[3] = ctx1.h[3];
tmps[gid].init_hash[4] = ctx1.h[4];
tmps[gid].init_hash[5] = ctx1.h[5];
tmps[gid].init_hash[6] = ctx1.h[6];
tmps[gid].init_hash[7] = ctx1.h[7];
tmps[gid].last_hash[0] = 0;
tmps[gid].last_hash[1] = 0;
tmps[gid].last_hash[2] = 0;
tmps[gid].last_hash[3] = 0;
tmps[gid].last_hash[4] = 0;
tmps[gid].last_hash[5] = 0;
tmps[gid].last_hash[6] = 0;
tmps[gid].last_hash[7] = 0;
tmps[gid].salt[0] = salt_bufs[salt_pos].salt_buf[0];
tmps[gid].salt[1] = salt_bufs[salt_pos].salt_buf[1];
tmps[gid].salt[2] = salt_bufs[salt_pos].salt_buf[2];
tmps[gid].salt[3] = salt_bufs[salt_pos].salt_buf[3];
}
KERNEL_FQ void m22100_loop (KERN_ATTR_TMPS_ESALT (bitlocker_tmp_t, bitlocker_t))
{
const u64 gid = get_global_id (0);
if ((gid * VECT_SIZE) >= gid_max) return;
// init
u32x w[32] = { 0 }; // 64 bytes blocks/aligned, 88 bytes needed (22 u32 = 22 * 4)
w[ 0] = packv (tmps, last_hash, gid, 0);
w[ 1] = packv (tmps, last_hash, gid, 1);
w[ 2] = packv (tmps, last_hash, gid, 2);
w[ 3] = packv (tmps, last_hash, gid, 3);
w[ 4] = packv (tmps, last_hash, gid, 4);
w[ 5] = packv (tmps, last_hash, gid, 5);
w[ 6] = packv (tmps, last_hash, gid, 6);
w[ 7] = packv (tmps, last_hash, gid, 7);
w[ 8] = packv (tmps, init_hash, gid, 0);
w[ 9] = packv (tmps, init_hash, gid, 1);
w[10] = packv (tmps, init_hash, gid, 2);
w[11] = packv (tmps, init_hash, gid, 3);
w[12] = packv (tmps, init_hash, gid, 4);
w[13] = packv (tmps, init_hash, gid, 5);
w[14] = packv (tmps, init_hash, gid, 6);
w[15] = packv (tmps, init_hash, gid, 7);
w[16] = packv (tmps, salt, gid, 0);
w[17] = packv (tmps, salt, gid, 1);
w[18] = packv (tmps, salt, gid, 2);
w[19] = packv (tmps, salt, gid, 3);
// main loop
for (u32 i = 0, j = loop_pos; i < loop_cnt; i++, j++)
{
w[20] = hc_swap32 (j);
sha256_ctx_vector_t ctx;
sha256_init_vector (&ctx);
sha256_update_vector (&ctx, w, 88);
sha256_final_vector (&ctx);
w[0] = ctx.h[0];
w[1] = ctx.h[1];
w[2] = ctx.h[2];
w[3] = ctx.h[3];
w[4] = ctx.h[4];
w[5] = ctx.h[5];
w[6] = ctx.h[6];
w[7] = ctx.h[7];
}
unpackv (tmps, last_hash, gid, 0, w[0]);
unpackv (tmps, last_hash, gid, 1, w[1]);
unpackv (tmps, last_hash, gid, 2, w[2]);
unpackv (tmps, last_hash, gid, 3, w[3]);
unpackv (tmps, last_hash, gid, 4, w[4]);
unpackv (tmps, last_hash, gid, 5, w[5]);
unpackv (tmps, last_hash, gid, 6, w[6]);
unpackv (tmps, last_hash, gid, 7, w[7]);
}
KERNEL_FQ void m22100_comp (KERN_ATTR_TMPS_ESALT (bitlocker_tmp_t, bitlocker_t))
{
const u64 gid = get_global_id (0);
const u64 lid = get_local_id (0);
const u64 lsz = get_local_size (0);
/**
* aes shared
*/
#ifdef REAL_SHM
LOCAL_VK u32 s_td0[256];
LOCAL_VK u32 s_td1[256];
LOCAL_VK u32 s_td2[256];
LOCAL_VK u32 s_td3[256];
LOCAL_VK u32 s_td4[256];
LOCAL_VK u32 s_te0[256];
LOCAL_VK u32 s_te1[256];
LOCAL_VK u32 s_te2[256];
LOCAL_VK u32 s_te3[256];
LOCAL_VK u32 s_te4[256];
for (u32 i = lid; i < 256; i += lsz)
{
s_td0[i] = td0[i];
s_td1[i] = td1[i];
s_td2[i] = td2[i];
s_td3[i] = td3[i];
s_td4[i] = td4[i];
s_te0[i] = te0[i];
s_te1[i] = te1[i];
s_te2[i] = te2[i];
s_te3[i] = te3[i];
s_te4[i] = te4[i];
}
SYNC_THREADS ();
#else
CONSTANT_AS u32a *s_td0 = td0;
CONSTANT_AS u32a *s_td1 = td1;
CONSTANT_AS u32a *s_td2 = td2;
CONSTANT_AS u32a *s_td3 = td3;
CONSTANT_AS u32a *s_td4 = td4;
CONSTANT_AS u32a *s_te0 = te0;
CONSTANT_AS u32a *s_te1 = te1;
CONSTANT_AS u32a *s_te2 = te2;
CONSTANT_AS u32a *s_te3 = te3;
CONSTANT_AS u32a *s_te4 = te4;
#endif
if (gid >= gid_max) return;
/*
* AES decrypt the data_buf
*/
// init AES
u32 ukey[8];
ukey[0] = tmps[gid].last_hash[0];
ukey[1] = tmps[gid].last_hash[1];
ukey[2] = tmps[gid].last_hash[2];
ukey[3] = tmps[gid].last_hash[3];
ukey[4] = tmps[gid].last_hash[4];
ukey[5] = tmps[gid].last_hash[5];
ukey[6] = tmps[gid].last_hash[6];
ukey[7] = tmps[gid].last_hash[7];
#define KEYLEN 60
u32 ks[KEYLEN];
AES256_set_encrypt_key (ks, ukey, s_te0, s_te1, s_te2, s_te3);
// decrypt:
u32 iv[4];
iv[0] = esalt_bufs[digests_offset].iv[0];
iv[1] = esalt_bufs[digests_offset].iv[1];
iv[2] = esalt_bufs[digests_offset].iv[2];
iv[3] = esalt_bufs[digests_offset].iv[3];
// in total we've 60 bytes: we need out0 (16 bytes) to out3 (16 bytes) for MAC verification
// 1
u32 out1[4];
AES256_encrypt (ks, iv, out1, s_te0, s_te1, s_te2, s_te3, s_te4);
// some early reject:
out1[0] ^= esalt_bufs[digests_offset].data[4]; // skip MAC for now (first 16 bytes)
if ((out1[0] & 0xffff0000) != 0x2c000000) return; // data_size must be 0x2c00
out1[1] ^= esalt_bufs[digests_offset].data[5];
if ((out1[1] & 0xffff0000) != 0x01000000) return; // version must be 0x0100
out1[2] ^= esalt_bufs[digests_offset].data[6];
if ((out1[2] & 0x00ff0000) != 0x00200000) return; // v2 must be 0x20
if ((out1[2] >> 24) > 0x05) return; // v1 must be <= 5
// if no MAC verification should be performed, we are already done:
u32 type = esalt_bufs[digests_offset].type;
if (type == 0)
{
if (atomic_inc (&hashes_shown[digests_offset]) == 0)
{
mark_hash (plains_buf, d_return_buf, salt_pos, digests_cnt, 0, digests_offset + 0, gid, 0, 0, 0);
}
return;
}
out1[3] ^= esalt_bufs[digests_offset].data[7];
/*
* Decrypt the whole data buffer for MAC verification (type == 1):
*/
// 0
iv[3] = iv[3] & 0xff000000; // xx000000
u32 out0[4];
AES256_encrypt (ks, iv, out0, s_te0, s_te1, s_te2, s_te3, s_te4);
out0[0] ^= esalt_bufs[digests_offset].data[0];
out0[1] ^= esalt_bufs[digests_offset].data[1];
out0[2] ^= esalt_bufs[digests_offset].data[2];
out0[3] ^= esalt_bufs[digests_offset].data[3];
// 2
// add 2 because we already did block 1 for the early reject
iv[3] += 2; // xx000002
u32 out2[4];
AES256_encrypt (ks, iv, out2, s_te0, s_te1, s_te2, s_te3, s_te4);
out2[0] ^= esalt_bufs[digests_offset].data[ 8];
out2[1] ^= esalt_bufs[digests_offset].data[ 9];
out2[2] ^= esalt_bufs[digests_offset].data[10];
out2[3] ^= esalt_bufs[digests_offset].data[11];
// 3
iv[3] += 1; // xx000003
u32 out3[4]; // actually only 3 needed
AES256_encrypt (ks, iv, out3, s_te0, s_te1, s_te2, s_te3, s_te4);
out3[0] ^= esalt_bufs[digests_offset].data[12];
out3[1] ^= esalt_bufs[digests_offset].data[13];
out3[2] ^= esalt_bufs[digests_offset].data[14];
// compute MAC:
// out1
iv[0] = (iv[0] & 0x00ffffff) | 0x3a000000;
iv[3] = (iv[3] & 0xff000000) | 0x0000002c;
u32 mac[4];
AES256_encrypt (ks, iv, mac, s_te0, s_te1, s_te2, s_te3, s_te4);
iv[0] = mac[0] ^ out1[0];
iv[1] = mac[1] ^ out1[1];
iv[2] = mac[2] ^ out1[2];
iv[3] = mac[3] ^ out1[3];
// out2
AES256_encrypt (ks, iv, mac, s_te0, s_te1, s_te2, s_te3, s_te4);
iv[0] = mac[0] ^ out2[0];
iv[1] = mac[1] ^ out2[1];
iv[2] = mac[2] ^ out2[2];
iv[3] = mac[3] ^ out2[3];
// out3
AES256_encrypt (ks, iv, mac, s_te0, s_te1, s_te2, s_te3, s_te4);
iv[0] = mac[0] ^ out3[0];
iv[1] = mac[1] ^ out3[1];
iv[2] = mac[2] ^ out3[2];
iv[3] = mac[3];
// final
AES256_encrypt (ks, iv, mac, s_te0, s_te1, s_te2, s_te3, s_te4);
if (mac[0] != out0[0]) return;
if (mac[1] != out0[1]) return;
if (mac[2] != out0[2]) return;
if (mac[3] != out0[3]) return;
// if we end up here, we are sure to have found the correct password:
if (atomic_inc (&hashes_shown[digests_offset]) == 0)
{
mark_hash (plains_buf, d_return_buf, salt_pos, digests_cnt, 0, digests_offset + 0, gid, 0, 0, 0);
}
}

1
docs/changes.txt
View File

@ -21,6 +21,7 @@
- Added hash-mode: Android Backup
- Added hash-mode: AuthMe sha256
- Added hash-mode: BitLocker
- Added hash-mode: BitShares v0.x
- Added hash-mode: Blockchain, My Wallet, Second Password (SHA256)
- Added hash-mode: DiskCryptor

1
docs/readme.txt
View File

@ -237,6 +237,7 @@ NVIDIA GPUs require "NVIDIA Driver" (418.56 or later) and "CUDA Toolkit" (10.1 o
- Oracle Transportation Management (SHA256)
- Huawei sha1(md5($pass).$salt)
- AuthMe sha256
- BitLocker
- eCryptfs
- LUKS
- VeraCrypt

400
src/modules/module_22100.c Normal file
View File

@ -0,0 +1,400 @@
/**
* Author......: See docs/credits.txt
* License.....: MIT
*/
#include "common.h"
#include "types.h"
#include "modules.h"
#include "bitops.h"
#include "convert.h"
#include "shared.h"
static const u32 ATTACK_EXEC = ATTACK_EXEC_OUTSIDE_KERNEL;
static const u32 DGST_POS0 = 0;
static const u32 DGST_POS1 = 1;
static const u32 DGST_POS2 = 2;
static const u32 DGST_POS3 = 3;
static const u32 DGST_SIZE = DGST_SIZE_4_4;
static const u32 HASH_CATEGORY = HASH_CATEGORY_FDE;
static const char *HASH_NAME = "BitLocker";
static const u64 KERN_TYPE = 22100;
static const u32 OPTI_TYPE = OPTI_TYPE_SLOW_HASH_SIMD_LOOP;
//static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE
// | OPTI_TYPE_EARLY_SKIP
static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE;
static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED;
static const char *ST_PASS = "hashcat";
static const char *ST_HASH = "$bitlocker$1$16$6f972989ddc209f1eccf07313a7266a2$1048576$12$3a33a8eaff5e6f81d907b591$60$316b0f6d4cb445fb056f0e3e0633c413526ff4481bbf588917b70a4e8f8075f5ceb45958a800b42cb7ff9b7f5e17c6145bf8561ea86f52d3592059fb";
u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; }
u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; }
u32 module_dgst_pos1 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1; }
u32 module_dgst_pos2 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2; }
u32 module_dgst_pos3 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3; }
u32 module_dgst_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE; }
u32 module_hash_category (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY; }
const char *module_hash_name (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME; }
u64 module_kern_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE; }
u32 module_opti_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE; }
u64 module_opts_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE; }
u32 module_salt_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE; }
const char *module_st_hash (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH; }
const char *module_st_pass (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS; }
typedef struct bitlocker
{
u32 type;
u32 iv[4];
u32 data[15];
} bitlocker_t;
typedef struct bitlocker_tmp
{
u32 last_hash[8];
u32 init_hash[8];
u32 salt[4];
} bitlocker_tmp_t;
static const char *SIGNATURE_BITLOCKER = "$bitlocker$";
#define ITERATION_BITLOCKER 0x100000
#define SALT_LEN_BITLOCKER 16
#define IV_LEN_BITLOCKER 12
#define DATA_LEN_BITLOCKER 60
u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const u64 esalt_size = (const u64) sizeof (bitlocker_t);
return esalt_size;
}
u64 module_tmp_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const u64 tmp_size = (const u64) sizeof (bitlocker_tmp_t);
return tmp_size;
}
u32 module_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
// this overrides the reductions of PW_MAX in case optimized kernel is selected
// IOW, even in optimized kernel mode it support length 256
const u32 pw_max = PW_MAX;
return pw_max;
}
int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED void *hook_salt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len)
{
u32 *digest = (u32 *) digest_buf;
bitlocker_t *bitlocker = (bitlocker_t *) esalt_buf;
token_t token;
token.token_cnt = 9;
token.signatures_cnt = 1;
token.signatures_buf[0] = SIGNATURE_BITLOCKER;
token.len[0] = 11;
token.attr[0] = TOKEN_ATTR_FIXED_LENGTH
| TOKEN_ATTR_VERIFY_SIGNATURE;
token.sep[1] = '$';
token.len_min[1] = 1;
token.len_max[1] = 1;
token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_DIGIT;
token.sep[2] = '$';
token.len_min[2] = 2;
token.len_max[2] = 2;
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_DIGIT;
token.sep[3] = '$';
token.len_min[3] = 32;
token.len_max[3] = 32;
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_HEX;
token.sep[4] = '$';
token.len_min[4] = 7;
token.len_max[4] = 7;
token.attr[4] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_DIGIT;
token.sep[5] = '$';
token.len_min[5] = 2;
token.len_max[5] = 2;
token.attr[5] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_DIGIT;
token.sep[6] = '$';
token.len_min[6] = 24;
token.len_max[6] = 24;
token.attr[6] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_HEX;
token.sep[7] = '$';
token.len_min[7] = 2;
token.len_max[7] = 2;
token.attr[7] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_DIGIT;
token.sep[8] = '$';
token.len_min[8] = 120;
token.len_max[8] = 120;
token.attr[8] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_HEX;
const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token);
if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
// type
const u8 *type_pos = token.buf[1];
const u32 type = hc_strtoul ((const char *) type_pos, NULL, 10);
if ((type != 0) && (type != 1)) return PARSER_SALT_VALUE;
bitlocker->type = type;
// salt
const u8 *salt_len_pos = token.buf[2];
const u32 salt_len = hc_strtoul ((const char *) salt_len_pos, NULL, 10);
if (salt_len != SALT_LEN_BITLOCKER) return PARSER_SALT_LENGTH;
const u8 *salt_pos = token.buf[3];
salt->salt_buf[0] = hex_to_u32 (salt_pos + 0);
salt->salt_buf[1] = hex_to_u32 (salt_pos + 8);
salt->salt_buf[2] = hex_to_u32 (salt_pos + 16);
salt->salt_buf[3] = hex_to_u32 (salt_pos + 24);
salt->salt_buf[0] = byte_swap_32 (salt->salt_buf[0]);
salt->salt_buf[1] = byte_swap_32 (salt->salt_buf[1]);
salt->salt_buf[2] = byte_swap_32 (salt->salt_buf[2]);
salt->salt_buf[3] = byte_swap_32 (salt->salt_buf[3]);
salt->salt_len = SALT_LEN_BITLOCKER;
// iter
const u8 *iter_pos = token.buf[4];
const u32 iter = hc_strtoul ((const char *) iter_pos, NULL, 10);
if (iter != ITERATION_BITLOCKER) return PARSER_SALT_VALUE;
salt->salt_iter = ITERATION_BITLOCKER;
// IV (nonce)
const u8 *iv_len_pos = token.buf[5]; // aka nonce_len
const u32 iv_len = hc_strtoul ((const char *) iv_len_pos, NULL, 10);
if (iv_len != IV_LEN_BITLOCKER) return PARSER_SALT_LENGTH;
const u8 *iv_pos = token.buf[6];
u32 iv[4] = { 0 };
iv[0] = hex_to_u32 (iv_pos + 0);
iv[1] = hex_to_u32 (iv_pos + 8);
iv[2] = hex_to_u32 (iv_pos + 16);
iv[0] = byte_swap_32 (iv[0]);
iv[1] = byte_swap_32 (iv[1]);
iv[2] = byte_swap_32 (iv[2]);
// prefix 0x02 and shift-right by 1 byte:
iv[3] = (iv[2] << 24) | 0x01; // 0x01 because we start with the VMK (skip MAC)
iv[2] = (iv[1] << 24) | (iv[2] >> 8);
iv[1] = (iv[0] << 24) | (iv[1] >> 8);
iv[0] = (0x02 << 24) | (iv[0] >> 8); // 15 - strlen (iv) - 1 = 14 - 12 = 0x02
bitlocker->iv[0] = iv[0];
bitlocker->iv[1] = iv[1];
bitlocker->iv[2] = iv[2];
bitlocker->iv[3] = iv[3];
// data and digest:
const u8 *data_len_pos = token.buf[7];
const u32 data_len = hc_strtoul ((const char *) data_len_pos, NULL, 10);
if (data_len != DATA_LEN_BITLOCKER) return PARSER_SALT_LENGTH;
const u8 *data_pos = token.buf[8];
for (u32 i = 0, j = 0; i < DATA_LEN_BITLOCKER / 4; i += 1, j += 8)
{
bitlocker->data[i] = hex_to_u32 (data_pos + j);
bitlocker->data[i] = byte_swap_32 (bitlocker->data[i]);
}
// fake digest:
memcpy (digest, bitlocker->data, 16);
return (PARSER_OK);
}
int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const void *hook_salt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size)
{
bitlocker_t *bitlocker = (bitlocker_t *) esalt_buf;
// type
u32 type = bitlocker->type;
// salt
#define SALT_HEX_LEN SALT_LEN_BITLOCKER * 2 + 1
char salt_buf[SALT_HEX_LEN] = { 0 };
for (u32 i = 0, j = 0; i < SALT_LEN_BITLOCKER / 4; i += 1, j += 8)
{
snprintf (salt_buf + j, SALT_HEX_LEN - j, "%08x", salt->salt_buf[i]);
}
// iv
u32 iv[4] = { 0 };
iv[0] = bitlocker->iv[0];
iv[1] = bitlocker->iv[1];
iv[2] = bitlocker->iv[2];
iv[3] = bitlocker->iv[3];
// remove 0x02 from start (left-shift by 1 byte):
iv[0] = (iv[0] << 8) | (iv[1] >> 24);
iv[1] = (iv[1] << 8) | (iv[2] >> 24);
iv[2] = (iv[2] << 8) | (iv[3] >> 24);
iv[3] = 0;
#define IV_HEX_LEN IV_LEN_BITLOCKER * 2 + 1
char iv_buf[IV_HEX_LEN] = { 0 };
for (u32 i = 0, j = 0; i < IV_LEN_BITLOCKER / 4; i += 1, j += 8)
{
snprintf (iv_buf + j, IV_HEX_LEN - j, "%08x", iv[i]);
}
// data
#define DATA_HEX_LEN DATA_LEN_BITLOCKER * 2 + 1
char data_buf[DATA_HEX_LEN] = { 0 };
for (u32 i = 0, j = 0; i < DATA_LEN_BITLOCKER / 4; i += 1, j += 8)
{
snprintf (data_buf + j, DATA_HEX_LEN - j, "%08x", bitlocker->data[i]);
}
// output
int line_len = snprintf (line_buf, line_size, "$bitlocker$%i$%i$%s$%i$%i$%s$%i$%s",
type,
SALT_LEN_BITLOCKER,
salt_buf,
ITERATION_BITLOCKER,
IV_LEN_BITLOCKER,
iv_buf,
DATA_LEN_BITLOCKER,
data_buf);
return line_len;
}
void module_init (module_ctx_t *module_ctx)
{
module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT;
module_ctx->module_interface_version = MODULE_INTERFACE_VERSION_CURRENT;
module_ctx->module_attack_exec = module_attack_exec;
module_ctx->module_benchmark_esalt = MODULE_DEFAULT;
module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT;
module_ctx->module_benchmark_mask = MODULE_DEFAULT;
module_ctx->module_benchmark_salt = MODULE_DEFAULT;
module_ctx->module_build_plain_postprocess = MODULE_DEFAULT;
module_ctx->module_deep_comp_kernel = MODULE_DEFAULT;
module_ctx->module_dgst_pos0 = module_dgst_pos0;
module_ctx->module_dgst_pos1 = module_dgst_pos1;
module_ctx->module_dgst_pos2 = module_dgst_pos2;
module_ctx->module_dgst_pos3 = module_dgst_pos3;
module_ctx->module_dgst_size = module_dgst_size;
module_ctx->module_dictstat_disable = MODULE_DEFAULT;
module_ctx->module_esalt_size = module_esalt_size;
module_ctx->module_extra_buffer_size = MODULE_DEFAULT;
module_ctx->module_extra_tmp_size = MODULE_DEFAULT;
module_ctx->module_forced_outfile_format = MODULE_DEFAULT;
module_ctx->module_hash_binary_count = MODULE_DEFAULT;
module_ctx->module_hash_binary_parse = MODULE_DEFAULT;
module_ctx->module_hash_binary_save = MODULE_DEFAULT;
module_ctx->module_hash_decode_potfile = MODULE_DEFAULT;
module_ctx->module_hash_decode_zero_hash = MODULE_DEFAULT;
module_ctx->module_hash_decode = module_hash_decode;
module_ctx->module_hash_encode_status = MODULE_DEFAULT;
module_ctx->module_hash_encode_potfile = MODULE_DEFAULT;
module_ctx->module_hash_encode = module_hash_encode;
module_ctx->module_hash_init_selftest = MODULE_DEFAULT;
module_ctx->module_hash_mode = MODULE_DEFAULT;
module_ctx->module_hash_category = module_hash_category;
module_ctx->module_hash_name = module_hash_name;
module_ctx->module_hashes_count_min = MODULE_DEFAULT;
module_ctx->module_hashes_count_max = MODULE_DEFAULT;
module_ctx->module_hlfmt_disable = MODULE_DEFAULT;
module_ctx->module_hook12 = MODULE_DEFAULT;
module_ctx->module_hook23 = MODULE_DEFAULT;
module_ctx->module_hook_salt_size = MODULE_DEFAULT;
module_ctx->module_hook_size = MODULE_DEFAULT;
module_ctx->module_jit_build_options = MODULE_DEFAULT;
module_ctx->module_jit_cache_disable = MODULE_DEFAULT;
module_ctx->module_kernel_accel_max = MODULE_DEFAULT;
module_ctx->module_kernel_accel_min = MODULE_DEFAULT;
module_ctx->module_kernel_loops_max = MODULE_DEFAULT;
module_ctx->module_kernel_loops_min = MODULE_DEFAULT;
module_ctx->module_kernel_threads_max = MODULE_DEFAULT;
module_ctx->module_kernel_threads_min = MODULE_DEFAULT;
module_ctx->module_kern_type = module_kern_type;
module_ctx->module_kern_type_dynamic = MODULE_DEFAULT;
module_ctx->module_opti_type = module_opti_type;
module_ctx->module_opts_type = module_opts_type;
module_ctx->module_outfile_check_disable = MODULE_DEFAULT;
module_ctx->module_outfile_check_nocomp = MODULE_DEFAULT;
module_ctx->module_potfile_custom_check = MODULE_DEFAULT;
module_ctx->module_potfile_disable = MODULE_DEFAULT;
module_ctx->module_potfile_keep_all_hashes = MODULE_DEFAULT;
module_ctx->module_pwdump_column = MODULE_DEFAULT;
module_ctx->module_pw_max = module_pw_max;
module_ctx->module_pw_min = MODULE_DEFAULT;
module_ctx->module_salt_max = MODULE_DEFAULT;
module_ctx->module_salt_min = MODULE_DEFAULT;
module_ctx->module_salt_type = module_salt_type;
module_ctx->module_separator = MODULE_DEFAULT;
module_ctx->module_st_hash = module_st_hash;
module_ctx->module_st_pass = module_st_pass;
module_ctx->module_tmp_size = module_tmp_size;
module_ctx->module_unstable_warning = MODULE_DEFAULT;
module_ctx->module_warmup_disable = MODULE_DEFAULT;
}

302
tools/test_modules/m22100.pm Normal file
View File

@ -0,0 +1,302 @@
#!/usr/bin/env perl
##
## Author......: See docs/credits.txt
## License.....: MIT
##
use strict;
use warnings;
use Digest::SHA qw (sha256);
use Crypt::Mode::ECB;
use Encode;
sub module_constraints { [[0, 256], [16, 16], [-1, -1], [-1, -1], [-1, -1]] }
my $ITER = 1048576; # 0x100000
my $SALT_LEN = 16;
my $IV_LEN = 12;
my $MAC_LEN = 16;
my $VMK_LEN = 44; # note: MAC_LEN + VMK_LEN = 60
sub bitlocker_kdf
{
my $initial_hash = shift;
my $salt = shift;
# password_key_data (88 bytes):
# 0-31 (32): last_hash
# 32-63 (32): init_hash
# 64-79 (16): salt
# 80-87 ( 8): iter
my $password_key_data = "\x00" x (32 + 32 + 16 + 8);
substr ($password_key_data, 32, 32) = $initial_hash;
substr ($password_key_data, 64, 16) = $salt;
for (my $iter = 0; $iter < 0x100000; $iter++)
{
substr ($password_key_data, 80, 8) = pack ("Q", $iter);
substr ($password_key_data, 0, 32) = sha256 ($password_key_data);
}
return substr ($password_key_data, 0, 32); # AES-CCM key
}
# non-standard/variant of AES-CCM (encrypt or decrypt, both => crypt):
sub bitlocker_crypt_data
{
my $key = shift;
my $data = shift;
my $iv = shift;
my $ret = ""; # return value (output buffer)
my $iiv = "\x02"; # 15 - length ($iv) - 1 = 14 - length ($iv)
$iiv = $iiv . $iv . "\x00\x00\x00"; # add "\x00" x (16 - length ($iv))
# we could do this in a loop (but let's unroll it to make it clear what is going on):
# (first and last are special)
# 0
# substr ($iiv, 15, 1) = "\x00";
my $aes = Crypt::Mode::ECB->new ('AES', 0);
my $block = $aes->encrypt ($iiv, $key);
for (my $i = 0; $i < 16; $i++)
{
$ret .= chr (ord (substr ($data, $i, 1)) ^ ord (substr ($block, $i, 1)));
}
# 1
substr ($iiv, 15, 1) = "\x01";
$block = $aes->encrypt ($iiv, $key);
for (my $i = 0; $i < 16; $i++)
{
$ret .= chr (ord (substr ($data, 16 + $i, 1)) ^ ord (substr ($block, $i, 1)));
}
# 2
substr ($iiv, 15, 1) = "\x02";
$block = $aes->encrypt ($iiv, $key);
for (my $i = 0; $i < 16; $i++)
{
$ret .= chr (ord (substr ($data, 32 + $i, 1)) ^ ord (substr ($block, $i, 1)));
}
# 3 (final/remaining data: 12 bytes):
substr ($iiv, 15, 1) = "\x03";
$block = $aes->encrypt ($iiv, $key);
for (my $i = 0; $i < 12; $i++)
{
$ret .= chr (ord (substr ($data, 48 + $i, 1)) ^ ord (substr ($block, $i, 1)));
}
return $ret;
}
sub bitlocker_generate_mac
{
my $key = shift;
my $data = shift;
my $iv = shift;
my $iiv = "\x3a" . $iv . "\x00\x00" . "\x2c";
# we could do this in a loop (but let's unroll it to make it clear what is going on):
# (first and last are special)
# 0
my $aes = Crypt::Mode::ECB->new ('AES', 0);
my $block = $aes->encrypt ($iiv, $key);
my $res = "";
for (my $i = 0; $i < 16; $i++)
{
$res .= chr (ord (substr ($data, $i, 1)) ^ ord (substr ($block, $i, 1)));
}
# 1
$block = $aes->encrypt ($res, $key);
$res = "";
for (my $i = 0; $i < 16; $i++)
{
$res .= chr (ord (substr ($data, 16 + $i, 1)) ^ ord (substr ($block, $i, 1)));
}
# 2
$block = $aes->encrypt ($res, $key);
$res = "";
for (my $i = 0; $i < 12; $i++)
{
$res .= chr (ord (substr ($data, 32 + $i, 1)) ^ ord (substr ($block, $i, 1)));
}
# 3
$block = $aes->encrypt ($res . substr ($block, 12, 4), $key);
return $block;
}
sub module_generate_hash
{
my $word = shift;
my $salt = shift;
my $iv = shift // random_bytes (12);
my $data = shift; # if not set, we're going to "generate"/fake it below
my $type = shift // random_number (0, 1); # if set to 1: check also the MAC in hashcat
# key generation (KDF):
my $word_utf16le = encode ("UTF-16LE", $word);
my $pass_hash = sha256 (sha256 ($word_utf16le));
my $key = bitlocker_kdf ($pass_hash, $salt);
if (! $data)
{
$data = pack ("H*", "2c000000"); # actually, only 0x2c00 can be expected for sure
$data .= pack ("H*", "01000000"); # actually, only 0x0100 can be expected for sure
$data .= chr (random_number (0, 5));
$data .= pack ("H*", "200000"); # actually, only 0x20 can be expected for sure
$data .= random_bytes (44 - 12); # 44 - bytes that we set above
}
else
{
# verification:
my $dec_data = bitlocker_crypt_data ($key, $data, $iv); # decryption
my $data_size = ord (substr ($dec_data, 16, 1)) | (ord (substr ($dec_data, 17, 1)) << 8);
my $version = ord (substr ($dec_data, 20, 1)) | (ord (substr ($dec_data, 21, 1)) << 8);
my $v1 = ord (substr ($dec_data, 16 + 8, 1)); # Volume Master Key (VMK) + 8
my $v2 = ord (substr ($dec_data, 16 + 9, 1)); # Volume Master Key (VMK) + 9
# early ejects / failed:
return unless ($data_size == 0x2c);
return unless ($version == 0x01);
return unless ($v2 == 0x20);
return unless ($v1 <= 0x05);
$data = substr ($dec_data, 16); # skip the MAC such that we get only the raw data (VMK etc)
# note: we do NOT check the $type value ... we do the MAC verification anyway to be safe
# (for "verify" and $type set to 0 - no MAC verification -, we could early exit here already)
}
# MAC (authenticate-then-encrypt, MAC first!):
my $mac = bitlocker_generate_mac ($key, $data, $iv);
# encrypt (both, MAC + VMK):
my $mac_vmk = $mac . $data;
my $enc_data = bitlocker_crypt_data ($key, $mac_vmk, $iv); # encryption
# output:
my $hash = sprintf ("\$bitlocker\$%i\$%i\$%s\$%i\$%i\$%s\$%i\$%s",
$type,
$SALT_LEN,
unpack ("H*", $salt),
$ITER,
$IV_LEN,
unpack ("H*", $iv),
$MAC_LEN + $VMK_LEN,
unpack ("H*", $enc_data));
return $hash;
}
sub module_verify_hash
{
my $line = shift;
my $idx = index ($line, ':');
return if ($idx < 0);
my $hash = substr ($line, 0, $idx);
my $word = substr ($line, $idx + 1);
return unless defined $hash;
return unless defined $word;
my @data = split ('\$', $hash);
return unless (scalar (@data) == 10);
my $signature = $data[1];
my $type = $data[2];
my $salt_len = $data[3];
my $salt = $data[4];
my $iter = $data[5];
my $iv_len = $data[6];
my $iv = $data[7];
my $data_len = $data[8];
my $data = $data[9];
# sanity checks:
return unless ($signature eq "bitlocker");
return unless ($salt_len == $SALT_LEN);
return unless ($iv_len == $IV_LEN);
return unless ($data_len == $MAC_LEN + $VMK_LEN);
# hex to binary conversion:
$salt = pack ("H*", $salt);
$iv = pack ("H*", $iv);
$data = pack ("H*", $data);
return unless (length ($salt) == $SALT_LEN);
return unless (length ($iv) == $IV_LEN);
return unless (length ($data) == $MAC_LEN + $VMK_LEN);
my $word_packed = pack_if_HEX_notation ($word);
my $new_hash = module_generate_hash ($word_packed, $salt, $iv, $data, $type);
return ($new_hash, $word);
}
1;