Monday, September 30, 2024

Wireshark Decode As Feature


Wireshark is no different from any other application: there are many features that you might not be aware of, or just have no idea how to use. We’ve all been there.

In this video I will walk you through how to use the "Decode As" feature with a pretty interesting example.


This trace file was used in a previous video, and I thought why not show people how to decode it and show you the real RTSP commands that were sent over the wire.


In many of my presentations, I mention that you should be familiar with your tools and their features, since they can save you a lot of time and effort and probably help fix a problem or two.

 


Saturday, September 28, 2024

Tony onsite: WiFi testing

 

I was just informed that all the access points were installed.

woo hoo


I went down the very next day, even though it was a Saturday of a long weekend, and I'm glad I did.


Overall, I would say that 90% went well.


Found an access point still in the box. When I went to that location, the cables weren't terminated yet, so that made sense; probably a miscommunication with the site supervisor.


I did find an access point that had about a third of the throughput that the others had.



Tony Onsite: Cable Placement

 

I thought it would be worth spending a few seconds on cable placement near the rack.

If you have an experienced cabling contractor, they should place the cable bundles out of the way.


I have seen cases where the cabling bundle is in the way and you can't install anything near it because it protrudes past the rack.


You have to watch the 1-minute video to understand better what I’m talking about.



Friday, September 27, 2024

Decrypting BitLocker with Hashcat: A Beginner-Friendly Guide (Casey Mullis)

 


BitLocker is a Windows feature that encrypts an entire drive, making its data inaccessible without a password. If you need to unlock a BitLocker drive for legal, investigative, or data recovery purposes and don't have the password, you can attempt to "crack" it using Hashcat. This guide walks you through each step in simple terms so anyone can follow along.

Note: Only perform this on drives you own or have legal permission to access.


Tools You'll Need

  1. Hashcat: A powerful password-cracking tool you can download for free.

  2. John the Ripper (bitlocker2john): Specifically, we need bitlocker2john, a tool within John the Ripper, to extract the BitLocker hash.

  3. Disk Imaging Tool: To make a copy of the drive, use dd (Linux) or FTK Imager (Windows).

  4. Wordlist (optional): For password guessing, you can use wordlists like rockyou.txt for common passwords.

 

Step 1: Set Up the Tools

1.1 Install Hashcat

  1. Download Hashcat from Hashcat’s website.

  2. Extract it to a folder on your computer.

1.2 Install John the Ripper (for bitlocker2john)

  1. Download John the Ripper from John the Ripper’s GitHub page.

  2. After installing, find the bitlocker2john tool in the installation directory (it’s usually in a folder named run).

1.3 Install FTK Imager (if on Windows)

  1. Download FTK Imager from AccessData’s website.

  2. Follow the installation instructions.

 

Step 2: Create a Disk Image of the BitLocker Drive

The next step is to make a "clone" of your BitLocker-encrypted drive, so you can work with a copy rather than the original.

2.1 Using dd on Linux

  1. Open a terminal.

  2. Plug in your BitLocker-encrypted drive.

  3. Identify the drive by running:

 


lsblk

Find your drive name (it may look like /dev/sdb).

  4. Create an image with dd:

 


sudo dd if=/dev/sdX of=/path/to/bitlocker_image.img bs=4M

Replace /dev/sdX with your drive's name (e.g., /dev/sdb), and choose a file location for bitlocker_image.img.

 

2.2 Using FTK Imager on Windows

  1. Open FTK Imager.

  2. Select your BitLocker-encrypted drive.

  3. Choose File > Create Disk Image and select a raw image format (.img).

  4. Save the image to your computer.

 

Step 3: Extract the BitLocker Hash Using bitlocker2john

With the disk image ready, it’s time to extract the BitLocker hash.

  1. Open a terminal (on Linux or use Command Prompt if on Windows).

  2. Run bitlocker2john with this command:

 


bitlocker2john /path/to/bitlocker_image.img > bitlocker_hash.txt

    • /path/to/bitlocker_image.img: Replace this with the path to your image file.

    • bitlocker_hash.txt: This will be the output file where the hash is saved.

  3. Check the output in bitlocker_hash.txt. You should see a string that starts with $bitlocker$. This is the hash Hashcat will use to try unlocking the BitLocker drive.
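A quick way to confirm that Step 3 produced something Hashcat will accept is to parse the line yourself. The following Python script is an added example written for this page; it is not part of the guide, of John the Ripper, or of Hashcat. It assumes the field layout bitlocker2john writes ($bitlocker$, then type, salt length, salt, iteration count, nonce length, nonce, data length, encrypted VMK data, all separated by $), assumes the meaning of the type values shown in HASH_TYPES, and the sample "file" inside it is constructed for the example, not taken from any real drive.

```python
"""Check bitlocker2john output before handing it to hashcat (-m 22100).

Added example; not code from the guide, John the Ripper, or hashcat.
Assumed layout of one hash line (as bitlocker2john writes it):
  $bitlocker$<type>$<salt_len>$<salt_hex>$<iterations>$<nonce_len>$<nonce_hex>$<data_len>$<data_hex>
SAMPLE_FILE below is constructed for this example (format only; not from any real drive).
"""
from dataclasses import dataclass

# Meaning of <type> (assumption from the bitlocker2john/hashcat sources):
# 0 and 2 derive from the user password, 1 and 3 from the 48-digit recovery password.
HASH_TYPES = {
    0: "user password",
    1: "recovery password",
    2: "user password (with MAC)",
    3: "recovery password (with MAC)",
}


@dataclass(frozen=True)
class BitLockerHash:
    hash_type: int
    salt: bytes       # salt for the SHA-256 key-stretching loop
    iterations: int   # loop count; BitLocker uses 1048576, which is why each guess is slow
    nonce: bytes      # AES-CCM nonce
    data: bytes       # encrypted Volume Master Key block that a correct guess must decrypt

    @property
    def kind(self) -> str:
        return HASH_TYPES.get(self.hash_type, f"unknown type {self.hash_type}")


def parse_bitlocker_hash(line: str) -> BitLockerHash:
    """Parse one $bitlocker$ line; raise ValueError for anything malformed."""
    line = line.strip()
    if not line.startswith("$bitlocker$"):
        raise ValueError("line does not start with $bitlocker$")
    fields = line.split("$")[2:]  # drop the leading '' and 'bitlocker'
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields after $bitlocker$, found {len(fields)}")
    t, salt_len, salt_hex, iters, nonce_len, nonce_hex, data_len, data_hex = fields
    try:
        salt, nonce, data = (bytes.fromhex(h) for h in (salt_hex, nonce_hex, data_hex))
    except ValueError as exc:
        raise ValueError(f"non-hex payload: {exc}") from None
    # Each blob must be exactly as long as its declared length; a copy/paste
    # that truncated the line is the most common way this check fails.
    for name, blob, declared in (("salt", salt, salt_len),
                                 ("nonce", nonce, nonce_len),
                                 ("data", data, data_len)):
        if len(blob) != int(declared):
            raise ValueError(f"{name}: declared {declared} bytes, payload has {len(blob)}")
    return BitLockerHash(int(t), salt, int(iters), nonce, data)


def is_valid_hash_line(line: str) -> bool:
    """True if hashcat -m 22100 would be able to load this line."""
    try:
        parse_bitlocker_hash(line)
        return True
    except ValueError:
        return False


def hash_lines(text: str) -> list:
    """Return only the $bitlocker$ lines from a redirected bitlocker2john run.

    bitlocker2john also prints descriptive lines (assumption: varies by version);
    hashcat rejects those, so keep only the real hash lines in bitlocker_hash.txt.
    """
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("$bitlocker$")]


def summarize(text: str) -> list:
    """Parse every hash line in the file and return the parsed records."""
    return [parse_bitlocker_hash(ln) for ln in hash_lines(text)]


# Constructed sample of a redirected bitlocker2john run (format only).
SAMPLE_FILE = """Encrypted device sample_image.img detected
Hash type: User Password fast attack
$bitlocker$0$16$6f972989ddc209f1eccf07313a7266a2$1048576$12$3a33a8eaff5e6f81d907b591$60$316b0f6d4cb445fb056f0e3e0633c413526ff4481bbf588917b70a4e8f8075f5ceb45958a800b42cb7ff9b7f5e17c6145bf8561ea86f52d3592059fb
"""

if __name__ == "__main__":
    for h in summarize(SAMPLE_FILE):
        print(f"{h.kind}: {h.iterations} iterations, salt={h.salt.hex()}, "
              f"VMK block={len(h.data)} bytes")
```

Run it against your own bitlocker_hash.txt by reading the file into summarize(); if the file also contains descriptive lines from bitlocker2john, hash_lines() gives you just the entries to keep. The iteration count it reports is the reason the guide calls this a slow process: every single password guess has to be stretched through that many SHA-256 rounds before it can be tested against the encrypted VMK block.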

 

Step 4: Choose an Attack Mode for Hashcat

Hashcat works by trying different passwords to unlock the hash. You can choose from three main attack types:

  1. Dictionary Attack: Uses a list of possible passwords (wordlist).

  2. Brute-force Attack: Tries all possible character combinations.

  3. Hybrid Attack: Combines a dictionary with other characters.

Prepare a Wordlist (for Dictionary Attack)

If you have a file with common passwords, it can save time. You can download common wordlists like rockyou.txt online and use it with Hashcat.

 

Step 5: Run Hashcat to Crack the BitLocker Hash

With the hash and attack mode ready, you’re set to run Hashcat.

Hashcat Command Format

In Hashcat, commands follow this structure:

 


hashcat -m <hash type> -a <attack mode> <hash file> <wordlist or pattern>

  • -m is the hash type; for BitLocker, use 22100.

  • -a is the attack mode: 0 for dictionary, 3 for brute-force, and 6 for hybrid.

  • <hash file> is the file where your BitLocker hash is stored (e.g., bitlocker_hash.txt).

  • <wordlist or pattern> specifies the file or pattern for Hashcat to try.

 

5.1 Example Commands

  1. Dictionary Attack Example:

    • If using a wordlist named wordlist.txt:

 


hashcat -m 22100 -a 0 bitlocker_hash.txt wordlist.txt

  2. Brute-force Attack Example:

    • If you know the password length and character types, you can specify them with a mask. For example, to try passwords of four uppercase letters followed by two digits:

 


hashcat -m 22100 -a 3 bitlocker_hash.txt ?u?u?u?u?d?d

    • ?u represents uppercase letters, and ?d represents digits.

  3. Hybrid Attack Example:

    • Using a dictionary with two digits added at the end of each word:

 


hashcat -m 22100 -a 6 bitlocker_hash.txt wordlist.txt ?d?d
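Before starting a brute-force or hybrid run it is worth knowing how many candidates the mask actually generates, since that number, divided by the hash rate your hardware achieves on mode 22100, is the worst-case running time. The following Python script is an added example written for this page, not code from the guide or from Hashcat; it reproduces Hashcat's built-in charsets (?l ?u ?d ?h ?H ?s ?a ?b, plus ?1 to ?4 for custom charsets given with -1 to -4) and the rate used in the demo at the bottom is an assumed placeholder, not a measured figure.

```python
"""Estimate the keyspace of a hashcat mask such as ?u?u?u?u?d?d.

Added example; not code from the guide or from hashcat. Charset contents
mirror hashcat's documented built-ins. The hash rate in the demo is an
assumed placeholder value, not a benchmark of any real hardware.
"""
import string

BUILTIN = {
    "l": set(string.ascii_lowercase),               # 26
    "u": set(string.ascii_uppercase),               # 26
    "d": set(string.digits),                        # 10
    "h": set("0123456789abcdef"),                   # 16
    "H": set("0123456789ABCDEF"),                   # 16
    "s": set(string.punctuation + " "),             # 33 specials, space included
    "b": set(bytes(range(256)).decode("latin-1")),  # 256, every byte value
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]  # 95


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?l?d' or 'abc?1' into the set of characters it allows."""
    custom = custom or {}
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' in charset or mask")
            tag = spec[i + 1]
            if tag == "?":                       # '??' is a literal question mark
                chars.add("?")
            elif tag in BUILTIN:
                chars |= BUILTIN[tag]
            elif tag in custom:                  # custom sets may themselves use ?l etc.
                chars |= expand_charset(custom[tag], None)
            else:
                raise ValueError(f"unknown charset ?{tag}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_positions(mask, custom=None):
    """Split a mask into one charset per output position; a literal is a 1-element set."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append({mask[i]})
            i += 1
    return positions


def mask_keyspace(mask, custom=None):
    """Number of candidates -a 3 generates for this mask (product of charset sizes)."""
    total = 1
    for charset in mask_positions(mask, custom):
        total *= len(charset)
    return total


def hybrid_keyspace(word_count, mask, custom=None):
    """-a 6 / -a 7: every wordlist entry is combined with every mask candidate."""
    return word_count * mask_keyspace(mask, custom)


def worst_case_seconds(keyspace, hashes_per_second):
    """Time to exhaust the keyspace at a given sustained rate (full search, no early hit)."""
    return keyspace / float(hashes_per_second)


if __name__ == "__main__":
    assumed_rate = 1000.0  # placeholder H/s for mode 22100; benchmark your own GPU
    for m in ("?u?u?u?u?d?d", "?d?d?d?d?d?d", "?a?a?a?a?a?a"):
        ks = mask_keyspace(m)
        print(f"{m}: {ks:,} candidates, {worst_case_seconds(ks, assumed_rate) / 3600:.1f} h worst case")
    print(f"1,000-word list + ?d?d (hybrid): {hybrid_keyspace(1000, '?d?d'):,} candidates")
```

The guide's example mask, ?u?u?u?u?d?d, works out to 45,697,600 candidates, which is why it is feasible at all, while six positions of ?a are 95^6, over 735 billion. Run hashcat -b on your own system to get a real rate for mode 22100 and plug it into worst_case_seconds() in place of the placeholder before deciding whether a mask is worth launching.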

 

Step 6: Monitor Hashcat’s Progress

As Hashcat runs, it will display information on progress, speed, and time remaining.

  • If Hashcat finds the password, it will show it in the output and save it in a file (usually named hashcat.potfile).

  • If Hashcat doesn’t crack the password, try a different attack mode, a longer wordlist, or a broader brute-force range.

 

Tips for Best Results

  1. Use a GPU: Hashcat performs best with a GPU, which makes cracking faster.

  2. Start Simple: Try common passwords first using a dictionary attack before moving to brute-force, which can be time-consuming.

  3. Experiment with Wordlists: Many online wordlists contain common passwords and variations, so experiment to increase your chances.

 

Example Summary

Let’s quickly review the commands you’ll run from start to finish:

  1. Create an Image of the drive:

 


sudo dd if=/dev/sdX of=/path/to/bitlocker_image.img bs=4M

  2. Extract the BitLocker Hash:

 


bitlocker2john /path/to/bitlocker_image.img > bitlocker_hash.txt

  3. Run Hashcat with a dictionary:

 


hashcat -m 22100 -a 0 bitlocker_hash.txt wordlist.txt

Or, if brute-forcing:

 


hashcat -m 22100 -a 3 bitlocker_hash.txt ?u?u?u?u?d?d

 

Conclusion

Decrypting a BitLocker drive with Hashcat might seem daunting, but by following these steps, you can systematically approach the task even as a beginner. Remember, this is a time-consuming process, especially if using brute-force methods, but with patience and the right setup, Hashcat can help you recover the BitLocker password. Just make sure to follow all legal guidelines for this process.


 



Emory “Casey” Mullis

Criminal Investigator

Coweta County Sheriff’s Office

Emory Casey Mullis has been in Law Enforcement for over 20 years, encompassing both military and civilian roles. His journey with computers began with a Gateway 266 MHz, which was the pinnacle of consumer technology at the time, costing around $2000. Driven by pure curiosity, he disassembled his new computer right out of the box, much to the dismay of his wife, who insisted, "It better work when you put it back together!" This hands-on experience provided him with a foundational understanding of computer hardware and sparked his career as a Cyber Investigator.

Over the years, Casey has tackled numerous cyber cases, continually honing his skills and knowledge. He emphasizes the importance of questioning, challenging, and testing daily to stay abreast of the latest tools, software, and technologies. Despite the ongoing challenges, he thrives on the dynamic nature of cyber forensics and eagerly embraces every opportunity to learn and grow in this ever-evolving field.
