I'm a total noob when it comes to hashcat.
I have a Veracrypt HDD I fully encrypted with default settings.
Being and idiot I forgot the password. I'm pretty sure I remember the letters and numbers and characters used in the password.
My current problem is I am trying to figure out how to copy the boot loader to get the hash to try cracking it.
I used
dd if=/dev/sdc1 of=/home/tj/Documents/dump bs=1 skip=31744 count=512
Which created the dump file.
I then opened it using vi.
vi /home/tj/Documents/dump
Then opened hex editor.
:%!xxd
Which converted it to hex but instead of staying Veracrypt at the top its just a bunch of random letters and .
Anyone help?
Thanks.
Where did you get the information from that it needs to have a "Veracrypt" string in it?
This is not true as far as I can tell.
You are basically searching for something (the "Veracrypt" thing) that shouldn't be there if you extracted it correctly.
There are also some TrueCrypt example data on the example wiki (yeah, I know TrueCrypt is not VeraCrypt, but they are very similar when it comes to extracting etc) and also they do not have any hardcoded string in it (or as you would say it's just some random letters and symbols, and that is exactly what is to be expected).
https://hashcat.net/wiki/doku.php?id=example_hashes
Well, that's very different, both the size of the binary data and they don't even use an offset (the skip parameter).
Of course if you skip 31744 from the start you won't find the "Truecrypt΅ header which is at about offset 0x0 (the very beginning).
It's also not very good to mix-up the steps involved by hashcat with the ones of a different cracking tool (if you do not know exactly what these dd command do, including skip etc).
... to make it very clear, the 512 bytes hashcat needs, do not contain a Veracrypt/Truecrypt string, other tools might need much more data as input (and within this larger amount of data there might also be more headers/string). Don't follow the steps from a different password recovery tool and use that extracted data as input for hashcat because it might not be what hashcat expects. Just stick to the FAQ of hashcat!
The technical explanation is: the tool you linked to expects 64*bs (block size - bs - defaults to 512 bytes) = 32768 bytes from the start, while hashcat only expects the data needed (i.e. the 512 bytes after the 62*bs (512 bytes) = 31744 bytes). As you can see, both tools at the end have the 512 bytes needed (the other tool probably just ignores the remaining bytes of data you give to it).
Code:
In order to crack TrueCrypt volumes, you will need to feed hashcat with the correct binary data file. Where this data lives depends on the type of volume you are dealing with.
The rules are as follows:
for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets.
Explanation for this is that the volume header (which stores the hash info) is located at the last sector of the first track of the system drive. Since a track is usually 63 sectors long (1 sector is 512 bytes), the volume header is at sector 63 - 1 (62).
if TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.
dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
else:
if you are cracking a single TrueCrypt file instead of a physical disk, you need the first 512 Bytes of the file.
in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
You can extract the binary data from the raw disk, for example, with the Unix utility dd (e.g. use a block size of 512 and a count of 1).
You need to save this hash data into a file and simply use it as your hashlist with hashcat.
The hashcat wiki lists some TrueCrypt example hashes (e.g. -m 6211, -m 6221, -m 6231 or -m 6241 depending on the exact TrueCrypt settings that were used when setting up the TrueCrypt volume). If you want to test/crack those example “hashes”, as always, use the password “hashcat” (without quotes).
This is what I was going by from the Hashcat FAQ.
Mine isn't hidden. So I was going by the first step.
EDIT: Here is the Hex of the file i created.
Also comparing my file to the example hash for truecrpyt it looks like it should be the right thing.
Looks good. Good luck with the password recovery.
Thanks but this leads me to another question. I used mask processor to generate 50 million possible passwords.
I am using
Code:
hashcat64.exe -m 13751 -a 0 -w 3 Z:\(hash file location) A:\(dictionary file containing 50 million passwords)
The specs on my desktop is
AMD 9590 at stock 4.2ghz
Nvidia 780ti (older card but I built the desktop a few years ago)
I am running the latest Nvidia drivers.
I am only getting ~368 h/s.
Is this normal? Is it because its SHA2 with AES?
Looks like the default for Veracrypt is actually SHA512. Well I guess I'll let it run through the SHA256 then try the SHA512
EDIT:
Must be, cause my ASUS laptop with a 980m hashed 18768.6 kH/s on MD5. But when I was trying the same Veracrypt file it was only hashing 395h/s.
Why do you use mask processor? hashcat has inbuilt support for mask attack (--attack-mode 3 or short -a 3).
Your disk and transfer speed to the GPUs is probably the bottleneck (if you do not use -a 3 and specify the mask)
You should also not forget to specify -w 4 (or at least -w 3) to speed it up even more.
I did specify -w 3 didnt I? I put hashcat64.exe -m 13751 -a 0 -w 3
I didn't know how to use the hashcat so I was using mask processor so I can see the word list being generated. ~368h/s is on par with a 780TI. A 1080gtx can only do like ~800h/s on this algorithm.
-m 13741 -a 0
GTX1080 - 1231 H/s
GTX960 - 298 H/s
After 24 Hours:
GTX1080 - 1031 H/s
GTX960 - 243 H/s
Forget VeraCrypt!