ExtractBitlockerKeys - Automated BitLocker Key Extraction

This guide provides detailed instructions on using ExtractBitlockerKeys, a tool designed for system administrators or security professionals to automatically extract BitLocker recovery keys from a domain.

It supports both Linux and Windows environments and offers multiple export formats for storing the extracted data.

Features of ExtractBitlockerKeys

  • Automatically retrieves a list of all computers from the domain controller's LDAP.

  • Multithreaded connections for faster extraction of BitLocker keys.

  • Handles large domains by iterating through LDAP result pages.

  • Exports results in multiple formats:

    • JSON: Includes fields like Computer FQDN, Domain, Recovery Key, Volume GUID, Created At, and Organizational Units.

    • XLSX: Spreadsheet format with the same fields as JSON.

    • SQLITE3: Database file with structured data.

Warning: Avoid storing backups on an online SMB share of the domain. For security purposes, print the data and store it physically in a locked safe.

Demonstration Commands

From Linux (Python)

To extract BitLocker recovery keys for all computers in the domain domain.local, run the following command:

./ExtractBitlockerKeys.py -d 'domain.local' -u 'Administrator' -p 'Podalirius123!' --dc-ip 192.168.1.101

From Windows (PowerShell)

To extract keys and export them to CSV and JSON files:

.\ExtractBitlockerKeys.ps1 -dcip 192.168.1.101 -ExportToCSV ./keys.csv -ExportToJSON ./keys.json

Usage Instructions

Linux (Python Script)

Run the Python script with -h to see its syntax and options:

$ ./ExtractBitlockerKeys.py -h

This displays the help menu with available options:

  • -h, --help: Show the help message and exit.

  • -v, --verbose: Enable verbose mode (default: False).

  • -q, --quiet: Suppress all output.

  • -t THREADS, --threads THREADS: Number of threads to use (default: 4).

  • --export-xlsx EXPORT_XLSX: Export results to an XLSX file.

  • --export-json EXPORT_JSON: Export results to a JSON file.

  • --export-sqlite EXPORT_SQLITE: Export results to an SQLITE3 database file.

  • --dc-ip IP_ADDRESS: IP address of the domain controller or KDC (Key Distribution Center).

  • -d DOMAIN, --domain DOMAIN: Fully Qualified Domain Name (FQDN) of the domain to authenticate to.

  • -u USER, --user USER: Username for authentication.

Authentication Options:

  • --no-pass: Skip password prompt (useful with Kerberos).

  • -p PASSWORD: Specify password for authentication.

  • -H [LMHASH:]NTHASH: Use NT/LM hashes in the format LMhash:NThash.

  • --aes-key hex key: Use AES key for Kerberos authentication (128 or 256 bits).

  • -k, --kerberos: Use Kerberos authentication, taking credentials from a .ccache file or from the command line.

Windows (PowerShell Script)

Run the PowerShell script using this syntax:

.\ExtractBitlockerKeys.ps1 -dcip <DomainControllerIP> -ExportToCSV <PathToCSV> -ExportToJSON <PathToJSON>

Example Outputs

When executed successfully, the tool provides output files containing detailed information about each computer in the domain, including:

  • Computer FQDN

  • Domain

  • Recovery Key

  • Volume GUID

  • Creation Date

  • Organizational Units
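The export is most useful when compared against the set of computers that should have an escrowed key. The following script is an added example, not part of ExtractBitlockerKeys: it reads a --export-json file, reports hosts with no recovery key and hosts whose keys are all older than a threshold, and redacts the key material so the report can be shared. The list-of-records layout and the field names (computer_fqdn, recovery_key, volume_guid, created_at, ...) are assumptions made here; check them against a real export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample standing in for a --export-json file. The field names are an
# assumption made for this example; verify them against a real export before use.
SAMPLE_EXPORT = json.dumps([
    {"computer_fqdn": "WS01.domain.local", "domain": "domain.local",
     "recovery_key": "111111-222222-333333-444444-555555-666666-777777-888888",
     "volume_guid": "{0a1b2c3d-0000-0000-0000-000000000001}",
     "created_at": "2024-03-01T09:15:00", "organizational_units": ["Workstations"]},
    {"computer_fqdn": "WS01.domain.local", "domain": "domain.local",
     "recovery_key": "999999-888888-777777-666666-555555-444444-333333-222222",
     "volume_guid": "{0a1b2c3d-0000-0000-0000-000000000002}",
     "created_at": "2024-03-01T09:16:00", "organizational_units": ["Workstations"]},
    {"computer_fqdn": "LAPTOP07.domain.local", "domain": "domain.local",
     "recovery_key": "123456-123456-123456-123456-123456-123456-123456-123456",
     "volume_guid": "{0a1b2c3d-0000-0000-0000-000000000003}",
     "created_at": "2021-06-20T14:00:00", "organizational_units": ["Laptops"]},
])

def redact_key(key):
    """Keep only the first 6-digit block so the report does not disclose the key."""
    first, _, _ = key.partition("-")
    return first + "-" + "-".join(["******"] * 7)

def audit_escrow(export_json, expected_computers, max_age_days=365, now=None):
    """Compare the export with the computers expected to have an escrowed key.

    Returns hosts with no key at all (BitLocker not enforced or escrow failed),
    hosts whose keys are all older than max_age_days, and a redacted per-host view.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    cutoff = now - timedelta(days=max_age_days)
    by_host = {}
    for rec in json.loads(export_json):
        by_host.setdefault(rec["computer_fqdn"].lower(), []).append(rec)
    missing = sorted(c.lower() for c in expected_computers if c.lower() not in by_host)
    stale = sorted(h for h, recs in by_host.items()
                   if all(datetime.fromisoformat(r["created_at"]) < cutoff for r in recs))
    hosts = {h: [{"volume_guid": r["volume_guid"], "created_at": r["created_at"],
                  "recovery_key": redact_key(r["recovery_key"])} for r in recs]
             for h, recs in by_host.items()}
    return {"missing": missing, "stale": stale, "hosts": hosts}

if __name__ == "__main__":
    expected = ["WS01.domain.local", "LAPTOP07.domain.local", "SRV02.domain.local"]
    print(json.dumps(audit_escrow(SAMPLE_EXPORT, expected, now="2024-06-01"), indent=2))
```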

Best Practices

  1. Secure Storage: Always store extracted keys securely, such as printing them and locking them in a safe.

  2. Limit Access: Restrict access to this tool and its outputs to authorized personnel only.

  3. Regular Updates: Keep your tools updated to ensure compatibility with your environment.

Contributing

The tool is open-source, and contributions are welcome! You can submit pull requests or open issues on its GitHub repository if you want to suggest new features or report bugs.

By following this guide, you can efficiently extract and manage BitLocker recovery keys across your domain while maintaining security best practices. You can learn more about ExtractBitlockerKeys and download it on GitHub.