Things to download
Here is a quick list of resources that I downloaded for the tutorial:
(1.) VMware Workstation, it’ll ask you for a key but you can just use the trial version
(2.) Windows 10 VM, grab the one for VMware
(3.) DiskCryptor v1.1, you want to grab the stable release which is under the BETA versions
(4.) diskcryptor2john Python script, save this to a text file called diskcryptor2john.py
(5.) System Rescue iso, I got the i686 version
(6.) HashCat, program for password cracking.
Other resources I used
Here are the other blogs that I used.
(1.) How to enable the BIOS boot in a VM, check it out here. The line you want to add to the VM’s .vmx is bios.forceSetupOnce = "TRUE"
(2.) To enable a shared file between the host and VM check this blog
(3.) How to use HashCat in a quick guide created by LaconicWolf
(4.) HashCat hash types, this is how I identified the -m option
(5.) Password cracking time estimation, pretty basic but proves a point
(6.) ACSC mitigations for ransomware, great resource for anyone to read over.
Command line help
Within the system rescue iso to view the drives run;
fsarchiver probe simple
To mount the shared network drive once it’s set up run;
/usr/bin/mount -t cifs //[YOUR HOSTNAME]/Downloads /mnt/shared
Then to copy the Python script across;
cp shared/diskcryptor2john.py /usr/bin/
Find the drive you want to run the script against from fsarchiver and then run;
/usr/bin/diskcryptor2john.py /dev/sda1 >> shared/dcrypt-hashes.txt
Then open a command line in Windows in the directory of HashCat executable and run;
hashcat.exe -a 0 -m 20011 C:\<your path to the hashes>\dcrypt-hashes.txt example.dict -O
If the password is cracked it will show in the console.
This task took me a while to figure out so I’m not going to explain it here. If you know enough the commands should be enough. Otherwise you will just have to watch me fumble around in the video.