Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
require 'openssl/ccm'
4
require 'metasm'
5

6
##
7
# This module requires Metasploit: https://metasploit.com/download
8
# Current source: https://github.com/rapid7/metasploit-framework
9
##
10

11
module Rex
12
  module Parser
13
    ###
14
    #
15
    # This class parses the content of a Bitlocker partition file.
16
    # Author : Danil Bazin <danil.bazin[at]hsc.fr> @danilbaz
17
    #
18
    ###
19
    class BITLOCKER
20
      BLOCK_HEADER_SIZE = 64
21
      METADATA_HEADER_SIZE = 48
22

23
      ENTRY_TYPE_NONE  = 0x0000
24
      ENTRY_TYPE_VMK  = 0x0002
25
      ENTRY_TYPE_FVEK  = 0x0003
26
      ENTRY_TYPE_STARTUP_KEY  = 0x0006
27
      ENTRY_TYPE_DESC  = 0x0007
28
      ENTRY_TYPE_HEADER  = 0x000f
29

30
      VALUE_TYPE_ERASED = 0x0000
31
      VALUE_TYPE_KEY = 0x0001
32
      VALUE_TYPE_STRING = 0x0002
33
      VALUE_TYPE_STRETCH_KEY = 0x0003
34
      VALUE_TYPE_ENCRYPTED_KEY = 0x0005
35
      VALUE_TYPE_TPM = 0x0006
36
      VALUE_TYPE_VALIDATION = 0x0007
37
      VALUE_TYPE_VMK = 0x0008
38
      VALUE_TYPE_EXTERNAL_KEY = 0x0009
39
      VALUE_TYPE_UPDATE = 0x000a
40
      VALUE_TYPE_ERROR = 0x000b
41

42
      PROTECTION_TPM = 0x0100
43
      PROTECTION_CLEAR_KEY = 0x0000
44
      PROTECTION_STARTUP_KEY = 0x0200
45
      PROTECTION_RECOVERY_PASSWORD = 0x0800
46
      PROTECTION_PASSWORD = 0x2000
47

48
      def initialize(file_handler)
49
        @file_handler = file_handler
50
        volume_header = @file_handler.read(512)
51
        @fs_sign = volume_header[3, 8]
52
        unless @fs_sign == '-FVE-FS-'
53
          fail ArgumentError, 'File system signature does not match Bitlocker :
54
           #@fs_sign}, bitlocker not used', caller
55
        end
56
        @fve_offset = volume_header[176, 8].unpack('Q')[0]
57

58
        @file_handler.seek(@fve_offset)
59
        @fve_raw = @file_handler.read(4096)
60
        @encryption_methods = @fve_raw[BLOCK_HEADER_SIZE + 36, 4].unpack('V')[0]
61
        size = @fve_raw[BLOCK_HEADER_SIZE, 4].unpack('V')[0] -
62
               METADATA_HEADER_SIZE
63
        @metadata_entries = @fve_raw[BLOCK_HEADER_SIZE + METADATA_HEADER_SIZE,
64
                                     size]
65
        @version = @fve_raw[BLOCK_HEADER_SIZE + 4]
66
        @fve_metadata_entries = fve_entries(@metadata_entries)
67
        @vmk_entries_hash = vmk_entries
68
      end
69

70
      # Extract FVEK and prefix it with the encryption methods integer on
71
      # 2 bytes
72
      def fvek_from_recovery_password_dislocker(recoverykey)
73
        [@encryption_methods].pack('v') +
74
          fvek_from_recovery_password(recoverykey)
75
      end
76

77
      # stretch recovery key with all stretch key and try to decrypt all VMK
78
      # encrypted with a recovery key
79
      def vmk_from_recovery_password(recoverykey)
80
        recovery_keys_stretched = recovery_key_transformation(recoverykey)
81
        vmk_encrypted_in_recovery_password_list =  @vmk_entries_hash[
82
                                                   PROTECTION_RECOVERY_PASSWORD]
83
        vmk_recovery_password = ''
84
        vmk_encrypted_in_recovery_password_list.each do |vmk|
85
          vmk_encrypted = vmk[ENTRY_TYPE_NONE][VALUE_TYPE_ENCRYPTED_KEY][0]
86
          recovery_keys_stretched.each do |recovery_key|
87
            vmk_recovery_password = decrypt_aes_ccm_key(
88
            vmk_encrypted, recovery_key)
89
            break if vmk_recovery_password != ''
90
          end
91
          break if vmk_recovery_password != ''
92
        end
93
        if vmk_recovery_password == ''
94
          fail ArgumentError, 'Wrong decryption, bad recovery key?'
95
        end
96
        vmk_recovery_password
97
      end
98

99
      # Extract FVEK using the provided recovery key
100
      def fvek_from_recovery_password(recoverykey)
101
        vmk_recovery_password = vmk_from_recovery_password(recoverykey)
102
        fvek_encrypted = fvek_entries
103
        fvek = decrypt_aes_ccm_key(fvek_encrypted, vmk_recovery_password)
104
        fvek
105
      end
106

107
      def decrypt_aes_ccm_key(fve_entry, key)
108
        nonce = fve_entry[0, 12]
109
        mac = fve_entry[12, 16]
110
        encrypted_data = fve_entry[28..-1]
111
        ccm = OpenSSL::CCM.new('AES',  key, 16)
112
        decrypted_data = ccm.decrypt(encrypted_data + mac, nonce)
113
        decrypted_data[12..-1]
114
      end
115

116
      # Parse the metadata_entries and return a hashmap using the
117
      # following format:
118
      # metadata_entry_type => metadata_value_type => [fve_entry,...]
119
      def fve_entries(metadata_entries)
120
        offset_entry = 0
121
        entry_size = metadata_entries[0, 2].unpack('v')[0]
122
        result = Hash.new({})
123
        while entry_size != 0
124
          metadata_entry_type = metadata_entries[
125
                                offset_entry + 2, 2].unpack('v')[0]
126
          metadata_value_type = metadata_entries[
127
                                offset_entry + 4, 2].unpack('v')[0]
128
          metadata_entry = metadata_entries[offset_entry + 8, entry_size - 8]
129
          if result[metadata_entry_type] == {}
130
            result[metadata_entry_type] = { metadata_value_type => [
131
              metadata_entry] }
132
          else
133
            if result[metadata_entry_type][metadata_value_type].nil?
134
              result[metadata_entry_type][metadata_value_type] = [
135
                metadata_entry]
136
            else
137
              result[metadata_entry_type][metadata_value_type] += [
138
                metadata_entry]
139
            end
140
          end
141
          offset_entry += entry_size
142
          if metadata_entries[offset_entry, 2] != ''
143
            entry_size = metadata_entries[offset_entry, 2].unpack('v')[0]
144
          else
145
            entry_size = 0
146
          end
147
        end
148
        result
149
      end
150

151
      # Dummy strcpy to use with metasm and string asignement
152
      def strcpy(str_src, str_dst)
153
        (0..(str_src.length - 1)).each do |cpt|
154
          str_dst[cpt] = str_src[cpt].ord
155
        end
156
      end
157

158
      # stretch all the Recovery key and returns it
159
      def recovery_key_transformation(recoverykey)
160
        # recovery key stretching phase 1
161
        recovery_intermediate = recoverykey.split('-').map(&:to_i)
162
        recovery_intermediate.each do |n|
163
          n % 11 != 0 && (fail ArgumentError, 'Invalid recovery key')
164
        end
165
        recovery_intermediate =
166
                           recovery_intermediate.map { |a| (a / 11) }.pack('v*')
167

168
        # recovery key stretching phase 2
169
        recovery_keys = []
170
        cpu = Metasm.const_get('Ia32').new
171
        exe = Metasm.const_get('Shellcode').new(cpu)
172
        cp = Metasm::C::Parser.new(exe)
173
        bitlocker_struct_src = <<-EOS
174
          typedef struct {
175
          unsigned char updated_hash[32];
176
          unsigned char password_hash[32];
177
          unsigned char salt[16];
178
          unsigned long long int hash_count;
179
          } bitlocker_chain_hash_t;
180
        EOS
181
        cp.parse bitlocker_struct_src
182
        btl_struct = Metasm::C::AllocCStruct.new(cp, cp.find_c_struct(
183
                                                     'bitlocker_chain_hash_t'))
184
        vmk_protected_by_recovery_key = @vmk_entries_hash[
185
                                        PROTECTION_RECOVERY_PASSWORD]
186
        if vmk_protected_by_recovery_key.nil?
187
          fail ArgumentError, 'No recovery key on disk'
188
        end
189
        vmk_protected_by_recovery_key.each do |vmk_encrypted|
190
          vmk_encrypted_raw = vmk_encrypted[ENTRY_TYPE_NONE][
191
                              VALUE_TYPE_STRETCH_KEY][0]
192
          stretch_key_salt = vmk_encrypted_raw[4, 16]
193
          strcpy(Digest::SHA256.digest(recovery_intermediate),
194
                 btl_struct.password_hash)
195
          strcpy(stretch_key_salt, btl_struct.salt)
196
          btl_struct.hash_count = 0
197
          sha256 = Digest::SHA256.new
198
          btl_struct_raw = btl_struct.str
199
          btl_struct_hash_count_offset = btl_struct.struct.fldoffset[
200
                                         'hash_count']
201
          (1..0x100000).each do |c|
202
            updated_hash = sha256.digest(btl_struct_raw)
203
            btl_struct_raw = updated_hash + btl_struct_raw[btl_struct.updated_hash.sizeof..(
204
                             btl_struct_hash_count_offset - 1)] + [c].pack('Q')
205
            sha256.reset
206
          end
207
          recovery_keys += [btl_struct_raw[btl_struct.updated_hash.stroff,
208
                           btl_struct.updated_hash.sizeof]]
209
        end
210
        recovery_keys
211
      end
212

213
      # Return FVEK entry, encrypted with the VMK
214
      def fvek_entries
215
        @fve_metadata_entries[ENTRY_TYPE_FVEK][
216
          VALUE_TYPE_ENCRYPTED_KEY][ENTRY_TYPE_NONE]
217
      end
218

219
      # Produce a hash map using the following format:
220
      # PROTECTION_TYPE => [fve_entry, fve_entry...]
221
      def vmk_entries
222
        res = {}
223
        (@fve_metadata_entries[ENTRY_TYPE_VMK][VALUE_TYPE_VMK]).each do |vmk|
224
          protection_type = vmk[26, 2].unpack('v')[0]
225
          if res[protection_type].nil?
226
            res[protection_type] = [fve_entries(vmk[28..-1])]
227
          else
228
            res[protection_type] += [fve_entries(vmk[28..-1])]
229
          end
230
        end
231
        res
232
      end
233
    end
234
  end
235
end
236

237