Extract VMK of BitLocker volume with TPMAndPIN protector and knowing PIN
Extract VMK of BitLocker volume with TPMAndPIN protector and knowing PIN
Technic to extract VMK from the bitlocker volume that TPM protects are already documented in different publications.
This GitHub repo gives a toolset to extract VMK in the case of TPMAndPIN which is different from TPM only case.
The usage of TPMAndPIN protector rely on TPM to release the encrypted Key Protector(aka KP) and the PIN code to decrypt KP. Then using the KP, the VMK can be decrypted and the BitLocker volume can be mounted.
One practical use of this tool is the Local Privilege Escalation as a valid PIN code is required.
Requirement
- Laptop/desktop volume protected by BitLocker using TPMAndPin protector
- TPM configured to use the motherboard TPM (dTPM)
- Knownledge of PIN code
- TPM capture done with DSview a fork of PulseView to be compatible with DreamSource logic analyzer. Not tested on PulseView.
Use
1 – Capture TPM traffic
- Connect logic analyzer probes to motherboard TPM. The TPM pinout can be found in its datasheet
- Configure decode the two decode:
- SPI
- TPM SPI transaction
- Capture TPM traffic at boot time
- Export the collected data in CSV format with only the column SPI TPM: TPM transactions
2 – Extract encrypted KP from sniffed TPM data
- Install script dependancy
- click
- tpmstream
git submodule update --init
pipenv --site-packages install
- Use the script
extract_kp.pyto extract encrypted KP from CSV data:
./extract_kp.py decoder--240531-140324.csv
3 – Decrypt KP and decode VMK using pin code and decrypted KP
- Install script dependancy
- click
- pycryptodome
pipenv --site-packages install
- Mount the target disk on another machine with linux as OS (Debian, Kali, etc.)
- Locate the BitLocker partition (during our test, the partition is the third one). A way to determine, if the partition is a BitLocker volume, is using the script
info.pyavailable in folder3_decode_vmk. This script permits to list the BitLocker metadata.
- With the extracted TPM data and the PIN code, use the script
decode_tpm_data.pyin the folder3_decode_vmk.
