Nokia 920 - Bitlocker

(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

Got a Nokia 920 running Windows 8 with an unknown passcode. I was able to get a physical of the device with Cellebrite, but no data was parsed out. Attempted importing it with XRY and got the same result. In looking through the bin I can see the partition imgs and noticed that the OS and Userdata were encrypted via Bitlocker. It's a four digit passcode and I found software that lets me mount the partitions (prompts for the password), but typing 10000 possible combinations is not in the cards. Any info on how I could automate the password tries to unlock the data?

 
Posted : 09/01/2020 10:54 pm
(@dcs1094)
Posts: 146
Estimable Member
 

Dump the hash, salt and length then crack the passcode using wp8-sha256-pin-finder.py. After, manually access settings and disable bitlocker encryption. Make sure you leave it turned on to allow it to unencrypt the volume. Then carry out the physical extraction again in an unencrypted state. I don't think the encryption is tied to the passcode as it's possible to activate encryption without the passcode.

 
Posted : 10/01/2020 8:55 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am not sure if the question is "how to type all 10000 possible PINs"? If it is, you can use *any* scripting engine, but there are "brute force" password creators.

Of course it depends on which OS you are running and what is the "software" you are inputting the password(s) in.

If the range is just 0000 to 9999, even on a slow responding interface, 3 seconds per PIN, is 30000 seconds, or 500 minutes or 8.33 hours, slowish but doable.

jaclaz

 
Posted : 10/01/2020 10:14 am
(@jgilmour)
Posts: 8
Active Member
 

I've always been led to believe that the Bitlocker key is securely stored in the processor and cannot be recovered. The PIN code is also stored in the encrypted userdata partition, so that can't be brute forced either.

 
Posted : 10/01/2020 11:07 am
(@rich2005)
Posts: 535
Honorable Member
 

I am not sure if the question is "how to type all 10000 possible PINs"? If it is, you can use *any* scripting engine, but there are "brute force" password creators.

Of course it depends on which OS you are running and what is the "software" you are inputting the password(s) in.

If the range is just 0000 to 9999, even on a slow responding interface, 3 seconds per PIN, is 30000 seconds, or 500 minutes or 8.33 hours, slowish but doable.

jaclaz

I reckon he might choose the scripted option above rather than spending 8 hours doing that! lol
(if that's possible and doesn't lock out or increase time between attempts)

 
Posted : 10/01/2020 12:33 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I reckon he might choose the scripted option above rather than spending 8 hours doing that! lol
(if that's possible and doesn't lock out or increase time between attempts)

Sure, never thought of actually typing that, I was talking of the time needed using the scripted option, time depends on how responsive is the input interface, if there is some delay (for checking the pin, etc.).

And of course the script may take into account countermeasures such as increasing time for next attempt or resetting/rebooting every n attempts, etc. that will increase needed time.

I was trying to convey the idea that even if slow, a 4 figures 0-9 PIN is doable, i.e. can be simply bruteforced in a reasonable amount of time.

Even (if needed) using a "fake" keyboard, like a USB RubberDucky or similar, example

https://1024kb.co.nz/hack-a-mac-again/

in this case overall time is 17 seconds per attempt as there is the need to reset periodically.

jaclaz

 
Posted : 10/01/2020 2:47 pm
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

I would be doing it on the physical image of the device, not the device itself. The software I have mounts the drive and prompts for a password. Type the code, fails with a box, hit ok, clear the code, enter new code. But I'll see if I can find the hash and then run the script…would definitely save a lot of time.

 
Posted : 11/01/2020 12:50 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The software I have mounts the drive and prompts for a password. Type the code, fails with a box, hit ok, clear the code, enter new code.

And again, depending on the OS that you are running this can be scripted.
Only as an example, and on Windows, AutoHotKey or AutoIt or any other means to "SendKeys" would do nicely.

Example #1
https://autohotkey.com/board/topic/144987-need-help-with-a-4-digit-pin-code-cracker/

Example #2
https://www.codeproject.com/Articles/32556/Auto-Clicker-C

jaclaz

 
Posted : 11/01/2020 10:27 am
(@dcs1094)
Posts: 146
Estimable Member
 

The PIN code is also stored in the encrypted userdata partition, so that can't be brute forced either.

You are correct, think I misread the original post. Last time I ran into one, it was encrypted but no passcode set strangely enough! In this case, you've hit a brick wall!

 
Posted : 11/01/2020 11:25 am
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

Thanks all! Also noted that the TPM was used so I am SOL since the pin won't matter without it.

 
Posted : 14/01/2020 7:57 pm