Help with VeraCrypt Password Recovery
#1
Question 
Hello Hashcat Forum,

My name is Senay, and I am a complete beginner with VeraCrypt and Hashcat. I have encountered a frustrating problem. I created a VeraCrypt volume on a USB stick that includes a hidden partition, but I have forgotten the password. I am not familiar with Hashcat or how to use (dd) at all. I only remember a portion of the password and a few possible variations, so I know part of it and could guess the other part.

I would be incredibly grateful if someone could assist me, as I am a complete beginner and do not have much knowledge about this topic. There are urgent private files on this USB stick, and I am willing to make a donation to anyone who can help me recover the password.

I have downloaded Hashcat, but I do not have any experience with (dd) since terms like "dictionary" are not familiar to me. I am having difficulty getting the hash values from the hidden partition and understanding the rest of the process.

Here is some information about my system:

Operating System: Windows 10
VeraCrypt USB Stick Encryption: AES-512
Normal volume (password known and accessible)
Hidden partition (partially known password + possible combinations)

Thank you for taking the time to read this. I hope that someone can assist me with this issue, and any help would be greatly appreciated.
#2
How do I extract the hashes from VeraCrypt volumes?
The procedure to extract the important information from data encrypted with VeraCrypt follows the same steps/rules as for TrueCrypt: see How do I extract the hashes from TrueCrypt volumes?

It's important that you do not forget to adapt the hash mode (-m). For all supported hash modes for data encrypted with VeraCrypt, please have a glance at the --help output.

How do I extract the hashes from TrueCrypt volumes?
In order to crack TrueCrypt volumes, you will need to feed hashcat with the correct binary data file. Where this data lives depends on the type of volume you are dealing with.

The rules are as follows:

for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets.

Explanation for this is that the volume header (which stores the hash info) is located at the last sector of the first track of the system drive. Since a track is usually 63 sectors long (1 sector is 512 bytes), the volume header is at sector 63 - 1 (62).

if TrueCrypt uses a hidden partition or volume, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.
dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
in all other cases (files, non-booting partitions) you need the first 512 Bytes of the file or partition.
You can extract the binary data from the raw disk, for example, with the Unix utility dd (e.g. use a block size of 512 and a count of 1).

You need to save this hash data into a file and simply use it as your hashlist with hashcat.

The hashcat wiki lists some TrueCrypt example hashes (e.g. -m 6211, -m 6221, -m 6231 or -m 6241 depending on the exact TrueCrypt settings that were used when setting up the TrueCrypt volume). If you want to test/crack those example “hashes”, as always, use the password “hashcat” (without quotes).

The same procedure should also work for VeraCrypt volumes (but you need to adapt the hash mode to -m 137XY - see the --help output for all the supported hash modes for VeraCrypt and the correct values for X and Y).
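A worked version of the three extraction rules above, as an added example that is not part of the hashcat wiki text or either post: a small POSIX shell function that uses dd to pull the 512-byte header from an image of the volume at the right offset for a normal, a hidden, or a TrueCrypt 7.x boot volume, and checks that a full 512 bytes actually came out (a too-small image silently gives a short read that hashcat cannot use). It assumes the USB stick or its partition has already been copied to a regular file with dd; the file names, the mask and the -m value in the comments are illustrative, and the test image it builds is constructed, not a real VeraCrypt volume.

```shell
#!/bin/sh
# Added example (not from the hashcat wiki): extract the 512-byte volume
# header that hashcat needs from a raw image of a TrueCrypt/VeraCrypt volume.
# Assumes the stick or partition has already been imaged to a regular file.
#
#   extract_header IMAGE OUT TYPE       TYPE = normal | hidden | boot
#
# Offsets follow the rules in the reply above. All are multiples of 512, so
# dd can use bs=512 and a one-block count instead of the slow bs=1 form:
#   normal : offset 0      (first sector of the file or partition)
#   hidden : offset 65536  (skip 128 sectors; hidden-volume header)
#   boot   : offset 31744  (skip 62 sectors; TrueCrypt >= 7.0 system drive)
extract_header() {
    image="$1"; out="$2"; kind="$3"
    case "$kind" in
        normal) skip=0 ;;
        hidden) skip=128 ;;
        boot)   skip=62 ;;
        *) echo "extract_header: unknown volume type '$kind'" >&2; return 1 ;;
    esac
    [ -r "$image" ] || { echo "extract_header: cannot read $image" >&2; return 1; }
    dd if="$image" of="$out" bs=512 skip="$skip" count=1 2>/dev/null || return 1
    # A truncated image, or one smaller than the offset, yields a short read
    # with dd still exiting 0; hashcat needs exactly 512 bytes, so fail loudly.
    got=$(wc -c < "$out" | tr -d ' ')
    if [ "$got" -ne 512 ]; then
        echo "extract_header: short read from $image, got $got bytes" >&2
        return 1
    fi
}

# Constructed test image (NOT a real VeraCrypt volume): 128 KiB of zeros with
# recognizable markers where the outer and hidden headers would sit, so the
# offsets can be verified offline without touching a real volume.
make_test_image() {
    f="$1"
    dd if=/dev/zero of="$f" bs=512 count=256 2>/dev/null
    printf 'OUTER-HEADER' | dd of="$f" bs=1 conv=notrunc 2>/dev/null
    printf 'HIDDEN-HEADER' | dd of="$f" bs=1 seek=65536 conv=notrunc 2>/dev/null
}

# Typical use once the real header is out (file names and mask illustrative):
#   extract_header usbstick.raw hidden.tc hidden
#   hashcat -m 13721 -a 3 hidden.tc 'KnownPart?a?a?a?a'
# -m 137XY: X selects the PBKDF2 hash, Y the XTS key size (1 = a single cipher
# such as AES, 2/3 = cascades); 13721 is SHA-512 + 512-bit XTS. Confirm the
# numbering in `hashcat --help`: a wrong -m gives no error, hashcat just never
# finds the password, so exhaust the other PRF modes before giving up. If a
# PIM was set, see --veracrypt-pim-start / --veracrypt-pim-stop.

# Run as a script: ./extract_header.sh IMAGE OUT TYPE
if [ "$#" -eq 3 ]; then
    extract_header "$1" "$2" "$3"
fi
```

The hidden-volume case is the one the question is about: its header sits 64 KiB into the same container as the outer volume, so extracting the first sector (the normal rule) hands hashcat the outer header, which the poster can already open, rather than the hidden one.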