
Napper 1.3 is stuck with no results at the "Reading PCR values of TPM and checking a vulnerability ..." step

Open HarlockP4 opened this issue 4 years ago • 49 comments

Hi, I'm trying to recover my data from my Dell Latitude 5511 laptop, as I cannot recover the recovery key since I've never activated BitLocker. I found your amazing project and I thought perhaps I have a chance to get my data back. I ran the Napper 1.3 live CD, but after starting Napper it seems to get stuck with no progress at the "Reading PCR values of TPM and checking a vulnerability ..." step. I noticed that there is an error; I will add a picture to let you understand my problem better (screenshot: 20210716_130557). Can you please help me?

HarlockP4 avatar Jul 16 '21 11:07 HarlockP4

Hello @HarlockP4,

Thank you for visiting my project. Hmm... It seems that the kernel module of Napper, napper.ko, wasn't loaded successfully. Did you enable Secure Boot on your system? If not, would you give me the kernel log after running Napper? You can get the log with the dmesg command. :)

Best regards,

Seunghun

kkamagui avatar Jul 18 '21 12:07 kkamagui

Hi @kkamagui,

Thanks for your reply and support. I've attached the screenshot of the BIOS that shows the Secure Boot settings. About the dmesg command, what parameters should I use for you?

Thanks again for the support

(screenshot: 20210720_084329)

HarlockP4 avatar Jul 20 '21 07:07 HarlockP4

Hi @HarlockP4,

Thank you for your reply. The BIOS says UEFI secure boot is enabled. Please turn off the "Secure Boot Enable" check box and run my napper tool to check the TPM vulnerability.

Best regards,

Seunghun

kkamagui avatar Jul 20 '21 07:07 kkamagui

Hi @kkamagui,

I disabled Secure Boot as you suggested. Now the error has vanished, but the program is stuck here (screenshot: 20210720_104740).

HarlockP4 avatar Jul 20 '21 08:07 HarlockP4

@kkamagui, sorry to bother you again, but do you know why your program is not moving on and is just stuck at the step in the picture above?

HarlockP4 avatar Jul 22 '21 08:07 HarlockP4

@HarlockP4, I need more information to know the reason it stopped. Would you follow the process below and tell me the result?

# Open terminal and run resource manager
$> sudo resourcemgr

# Open another terminal and run pcrread command
$> tpm2_listpcrs
<Tell me the result below...>

kkamagui avatar Jul 22 '21 08:07 kkamagui

@kkamagui, these are the pictures of the output of the 2 commands you requested (screenshots: 20210722_120350, 20210722_120455).

HarlockP4 avatar Jul 22 '21 10:07 HarlockP4

@HarlockP4, thank you for your reply. I think we are almost there. Would you follow the commands below again?

# Check SHA1 hashes
$> tpm2_listpcrs -g 0x04

# Check SHA256 hashes
$> tpm2_listpcrs -g 0x0b

kkamagui avatar Jul 22 '21 10:07 kkamagui

@kkamagui, here we go (screenshots: 20210722_121618, 20210722_121712).

HarlockP4 avatar Jul 22 '21 10:07 HarlockP4

@HarlockP4, OK. I finally understand what happened to you. It seems that the tool, TPM2_TSS, didn't parse your TPM information about SHA1. Are you a programmer? If so, please change all parts like "-g 0x04" to "-g 0x0b" in the napper.py file.

After that, rerun the Napper tool with "sudo ./napper.py". Then you can see whether your system has the TPM vulnerability or not.

kkamagui avatar Jul 22 '21 10:07 kkamagui

@kkamagui, so if I understand correctly, I just have to replace all "-g 0x04" occurrences with "-g 0x0b" in the napper.py file? Just this?

HarlockP4 avatar Jul 22 '21 11:07 HarlockP4

Yes, exactly!

kkamagui avatar Jul 22 '21 11:07 kkamagui

@kkamagui, OK, I replaced the 2 "0x04" with "0x0b" (screenshot: 20210722_130604) and I started the modified version of napper.py. This is the result (screenshot: 20210722_130747) :( it's safe.... So I have 2 other options now:

  1. As this Dell laptop seems to have turned on BitLocker by itself without any user request, and it has not saved the recovery key anywhere, I will try the suggestion I found at https://www.dell.com/community/Windows-10/BitLocker-need-a-key-but-I-never-installed-it/td-p/6019486 with all the FMs available.
  2. I was able to extract the hash of the BitLocker recovery key with bitlocker2john, and now I'm waiting for a friend of mine with a powerful SLI setup to attack the hash. Honestly, I hope that solution 1 will work, as solution 2 could require tons of time.

Meanwhile I really want to thank you for your fantastic project and support. Thanks again for all your efforts, and I wish you all the best.

HarlockP4 avatar Jul 22 '21 11:07 HarlockP4

@HarlockP4 - Just a question: if you didn't turn on BitLocker, I presume you have seen your disk encrypted, which indicates BitLocker was just ON? Did you look at the output of Dislocker? If it is encrypted, but not locked, then you should actually be able to retrieve your data, and a TPM won't actually have your key anyway. The TPM only has your key if THAT protector was enabled. And it doesn't sound like you enabled it.

dislocker-metadata -v -v -v -v -V YourPathToBitlockerVolumeHere

will provide a lot of output, but if you look back through it, you'll see if there is a key available allowing decryption (no protectors needed).

roboknight avatar Jul 22 '21 16:07 roboknight

@HarlockP4,

Oh... I'm sorry to hear that. Fortunately and unfortunately, your system is safe. I hope you can get your data back soon.

Best regards,

Seunghun

kkamagui avatar Jul 23 '21 01:07 kkamagui

Hi, thanks, I hope to find a way to unlock the data of my friend :)

Regards

HarlockP4 avatar Jul 23 '21 07:07 HarlockP4

Hi Brandon, thanks for your suggestion. As I'm away from home for 1 week I will give it a go on my return. I'll keep you updated. Thanks again. Hope not to dream of the recovery key request while I'm sleeping :)

Regards

HarlockP4 avatar Jul 23 '21 07:07 HarlockP4

@roboknight Hi Brandon, I was finally able to try the dislocker-metadata -v -v -v -v -V YourPathToBitlockerVolumeHere command. This is the file: output.txt. I know that the recovery key I'm looking for is a 48-digit numeric sequence and the ID of the recovery key is 07F75974-91A5-42EA-99AA-90750FB38A9F. I just cannot recognize the recovery key, can you?

HarlockP4 avatar Aug 16 '21 12:08 HarlockP4

I see the TPM is engaged in the output, which means that BitLocker was set up somewhere (at this point, who knows where, if YOU didn't set it and your friend didn't set it). I see that there were 2 recovery keys. The current one is likely the one you mention (same GUID), and there was a previous one (maybe from when the system was set up). The key is, of course, encrypted. So the trick now is to undo the system via Bitleaker, if in fact it is vulnerable. Unfortunately, because I DO see the TPM enabled, the key I hoped would be there is not there (that's the one that is just unlocked). Since the system is SAFE (as I gathered from above), undoing the key via Bitleaker also will NOT work. One thing you MIGHT try is checking the BIOS settings. Is it possible that the BIOS settings have changed such that the system is booting without Secure Boot? Because, from what I can tell, one of two things is happening: 1) the BIOS is somehow corrupted, causing bad PCRs, or 2) the system just can't talk to the TPM correctly (which doesn't appear to be the case, as Linux appears to work with it). Those are the only two real cases where I've seen Windows really fail to boot with BitLocker enabled. Somehow the system cannot acquire the VMK from the TPM and then of course requires the recovery key. Unless you have the recovery key, which you don't, the only real hope is to make the TPM work correctly and give up the key. Otherwise, it looks like a re-install of Windows. Unless Bitleaker actually DOES work and there was some weirdness, but from the output I see above, it isn't likely. And the BIOS appears new enough that Dell may have fixed the Bitleaker vuln. According to the link you posted above, it also appears that neither Dell nor Microsoft can get you the recovery key.

roboknight avatar Aug 16 '21 13:08 roboknight

@roboknight thanks for your reply. I was able to create an image of the BitLocker disk with FTK Imager and then run bitlocker2john against it. I have a hash to attack now, but if I try to run the command:

john.exe --incremental:digits --format=bitlocker-opencl --mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d hash_to_crack.txt

the output stops after a few minutes with:

Device 1: GeForce GTX 750 Ti
Using default input encoding: UTF-8
Loaded 1 password hash (BitLocker-opencl, BitLocker [SHA256 AES OpenCL])
Cost 1 (iteration count) is 1048576 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Note: Minimum length forced to 8 by format
Hybrid mask must contain ?w or ?W

I cannot understand why, do you?

HarlockP4 avatar Aug 16 '21 13:08 HarlockP4

@roboknight I am also wondering if restoring the original firmware from when BitLocker was turned on (not sure which one it is, but I will try all the ones available from the Dell site) can fix the issue. I'm aware that all of this started because of a firmware upgrade, and I'm also aware that my friend tried a downgrade following the suggestions from https://www.dell.com/community/Windows-10/BitLocker-need-a-key-but-I-never-installed-it/td-p/6019486

HarlockP4 avatar Aug 16 '21 13:08 HarlockP4

OH, now it makes WAY more sense. Yeah, if he/she upgraded, the hashes that were likely used to lock the key have probably changed. I don't know if downgrading will actually work, because there is no telling where you really need to downgrade to, but yeah, bitlocker probably should have been turned off before the upgrade. Of course, if your friend didn't think it was on, then that explains the whole problem. Dell is really stupid for forcing that feature ON in their loaded version of Windows. However, if you can downgrade far enough, it might be possible to make things vulnerable to bitleaker again. Although, you have one final issue. You now don't really know what hashes were provided to protect the key in the first place.

roboknight avatar Aug 16 '21 14:08 roboknight
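As an added illustration (not code from this thread or from the bitleaker project) of two points made above, kkamagui's switch between the SHA1 (0x04) and SHA256 (0x0b) PCR banks and roboknight's explanation that a firmware upgrade changes the measurements the key was sealed to, the script below replays a constructed boot event log into PCRs and checks a simplified PCR-bound policy before and after a firmware image change. The event log, the component strings and the PCR selections are constructed assumptions; the algorithm identifiers are the real TPM 2.0 values.

```python
import hashlib

# TPM 2.0 algorithm identifiers: the values behind "-g 0x04" (SHA1) and
# "-g 0x0b" (SHA256) in the tpm2_listpcrs commands earlier in the thread.
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
BANKS = {TPM_ALG_SHA1: hashlib.sha1, TPM_ALG_SHA256: hashlib.sha256}

# Constructed boot event logs as (PCR index, measured component). A real
# firmware log has far more events; only the PCR 0 entry (the firmware
# image itself) differs between the two boots.
BOOT_BEFORE_UPDATE = [
    (0, b"BIOS image 1.0 (constructed)"),
    (4, b"\\EFI\\Microsoft\\Boot\\bootmgfw.efi (constructed)"),
    (7, b"Secure Boot config: disabled (constructed)"),
]
BOOT_AFTER_UPDATE = [(0, b"BIOS image 1.1 (constructed)")] + BOOT_BEFORE_UPDATE[1:]

def replay_pcrs(alg_id, events):
    """Recompute PCRs from an event log with the TPM2_PCR_Extend rule
    new = H(old || H(component)), starting from all-zero PCRs."""
    h, pcrs = BANKS[alg_id], {}
    size = h().digest_size
    for index, component in events:
        old = pcrs.get(index, b"\x00" * size)
        pcrs[index] = h(old + h(component).digest()).digest()
    return pcrs

def pcr_policy_digest(alg_id, pcrs, selection):
    """Simplified stand-in for a TPM PCR policy digest: a hash over the selected
    PCR values (real PolicyPCR also folds in the command code and selection)."""
    size = BANKS[alg_id]().digest_size
    joined = b"".join(pcrs.get(i, b"\x00" * size) for i in sorted(selection))
    return BANKS[alg_id](joined).digest()

def vmk_unsealable(alg_id, sealed_to, events, selection):
    """True when replaying this boot reproduces the digest the VMK was sealed to."""
    return pcr_policy_digest(alg_id, replay_pcrs(alg_id, events), selection) == sealed_to

def demo(alg_id, selection):
    """Seal to the pre-update boot, then test both boots against that policy."""
    sealed = pcr_policy_digest(alg_id, replay_pcrs(alg_id, BOOT_BEFORE_UPDATE), selection)
    return (vmk_unsealable(alg_id, sealed, BOOT_BEFORE_UPDATE, selection),
            vmk_unsealable(alg_id, sealed, BOOT_AFTER_UPDATE, selection))

if __name__ == "__main__":
    for alg in (TPM_ALG_SHA1, TPM_ALG_SHA256):
        print(hex(alg), "PCR 0,4,7 policy (before, after):", demo(alg, (0, 4, 7)))
        print(hex(alg), "PCR 7 only policy (before, after):", demo(alg, (7,)))
```

A policy that includes PCR 0 stops matching as soon as the firmware image changes, while a policy bound only to PCR 7 survives the update in this constructed log; the same logic is what decides whether the TPM releases the VMK or Windows falls back to asking for the recovery key.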

@roboknight as I wrote above, bitlocker2john produced this result:

Signature found at 0x76dfd1db1c
Version: 0
Invalid version, looking for a signature with valid version...
Hash type: Recovery Password fast attack
$bitlocker$2$16$4b21696d29d29e7cb1507f378c8a9470$1048576$12$20989b195717d7018b000000$60$ce0f388d0f292ffe297e453672161c772c87f0eddd73e346494a450a357ecd7f304e4876a7fd2b74bd0565df620680d5403aacbb20768c7070712718
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$4b21696d29d29e7cb1507f378c8a9470$1048576$12$20989b195717d7018b000000$60$ce0f388d0f292ffe297e453672161c772c87f0eddd73e346494a450a357ecd7f304e4876a7fd2b74bd0565df620680d5403aacbb20768c7070712718

now I'm trying to run john like this:

john.exe --format=bitlocker-opencl --mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d hash_to_crack.txt

as I know that the recovery key is 48 digits.

On the other side, I'm wondering if restoring the previous version of the BIOS (I don't know what version it was), the one used when BitLocker was turned on, can let the laptop reboot without asking for a recovery key. What's your thought about it?

HarlockP4 avatar Aug 16 '21 14:08 HarlockP4

If you can get the original BIOS, and the original settings, it should boot to Windows. If that occurs, and you can log in, then manage-bde can get you the recovery key AND turn off Bitlocker. Then you can upgrade and turn it back on if you like. Otherwise, bitlocker2john it is…. And pray to the gods of chance that you hit the key soon. You have seen a recovery key before, right? I ask because it is 48 digits, but the groupings are odd. 8 groups of 6 digits.

roboknight avatar Aug 16 '21 18:08 roboknight

@roboknight the problem is that I don't know which version of the BIOS was installed before the BIOS upgrade. I'm wondering, if I flash to a different BIOS, will the stored TPM keys be affected? I would say no, but I would like to be sure before moving on with that.

Yeah, a 48-digit key, I've already seen one. I don't know how much time John will take to brute force it, but I'm in no rush on that. I just have a doubt about it, because if the TPM is involved John will just produce false positives.

HarlockP4 avatar Aug 17 '21 13:08 HarlockP4

Flashing the bios to YAV (yet another version) won't leave you in a different state than you are now. The only thing that will REALLY screw you up is if you clear the TPM, so don't do that. Bitlocker2John might take forever, not sure. The key SHOULD only be digits. The mask looks right. I guess now you wait? Did you use the fast or slow hash?

roboknight avatar Aug 17 '21 22:08 roboknight

@roboknight OK, in this case I will just try to flash to a different version without touching the TPM. I'm wondering if it's possible to back it up and restore it. The test that I will try to do will be the following:

  1. Flash to the oldest BIOS available and check if it is vulnerable to bitleaker; if yes, then YAY.
  2. If the oldest BIOS is not vulnerable to bitleaker, I will try to do the steps suggested in the link I posted above, where they suggest restoring the factory default settings (hope this will not clear the TPM).
  3. Try step 2 with all the available BIOS versions.

Actually I'm running John with the slow hash; I don't want to finish faster but with false positives, so bitlocker$3$. By the way, when I started John, it warned me that it could produce false positives, so it seems that the slow one is not error free either.

HarlockP4 avatar Aug 18 '21 08:08 HarlockP4

@roboknight you know what is really bad? No distributed john exists to split the work among multiple machines :(

HarlockP4 avatar Aug 18 '21 08:08 HarlockP4

Like I said, even if bitleaker "works"... it won't work, because unless you have a "bootable" device (i.e. the TPM recognizes the BIOS) it won't give you the key, because the hash of the BIOS doesn't match. If you had the old values from the device BEFORE uploading, then you could just replay those (you wouldn't even need the bitleaker code per se... just the module to reset the TPM, and then you could read your file and replay the hashes). As it stands, I'm going to pray that the version you downgrade to is the correct version. And you'll know, because the device should "just boot" (tm) ... This is where all this great security turns everyone sour... poor implementation. They should have WARNED, PLEADED and BEGGED your friend to shut off BitLocker PRIOR to doing ANYTHING with an upgrade. In fact, just refusing the upgrade politely would have been a FANTASTIC option.

roboknight avatar Aug 18 '21 23:08 roboknight

@roboknight so I can avoid running john to try to hack the hash, as even with a result from it, it will not work anyway.

OK, I will just focus on the BIOS thing and I'll keep you updated.

HarlockP4 avatar Aug 19 '21 09:08 HarlockP4