I want to crack a VeraCrypt SHA512 + XTS 1536 bit encryption with the latest hashcat beta. According to
the example hashes the hash mode should be 29423.
The example hash looks like this:
Code:
$veracrypt$d44f26d1742260f88023d825729cc5a64cf8475d887632a2fb4a84af27af138cfadc4bcbb122f6ba68339ae8427d1f72c0c4aeef041291492ae0a7d8677d8da4$3227ae2a26d9a433076b44458b14f52766cf0e4baeb473a789180660d62e42bbea7c042379a5a74e259463e1c18381fa13aee27141264be381de71c12f8f704913f211c45fda0295e963d90fc35272e907858c0522601f6e7a73b43ff222663f149a485fc6c464e5f3b7cc0b6508f30621385365ca8a4e0bff4061f64f5fbdb11f70f19d77e56fa6ff015ad76ecaaccd759d30da05d2a6fbf00ac9673ac3c23efd339313c2a99511e928f976bf9b2664d97685498d5931af2d453edc6fb1129e324eaba64264711fbe21d0d202b3659106e8100634f09c38cd15b1b3acba79d7f31d31fe23c166392e300db09f10550c83187566dc0fdf768b872555851b34e3c15ad7e7438a72e6126c895cf1204987df4b42cb7bc2fe03c5777867d269378c6e496df2a1a3457b907f7143a139d800868ad95e2901723c6ebb991054b4e991c67fe4c17702d9829d9dc1fe8bf4a956460721c858e31dbcbe56850a4ed31558c6ee89ba2cba2ef4bde77fed11848f9f92e0add54964a683c3686dbab4695ebc42554da922a08c6fff32cac936ea447e771aa74a689eb269ffef677294ef297600dfd73bbbb734d2968e38a98b4a8a77ff0eec8246d93b542e3521a3eb636101
So this time it is not the first 512 bytes of a veracrypt encrypted volume/device but a "real hash string". I did not found anything about this syntax in the hashcat documentation/wiki. How can i obtain this 1024 byte string?
take a look at the 1372* Modes, these are the binary modes for attacking veracrypt
(07-22-2022, 01:32 PM)Snoopy Wrote: [ -> ]take a look at the 1372* Modes, these are the binary modes for attacking veracrypt
Yes, but i want do crack SHA512 + XTS 1536. I can't find a hash mode for this specific case which is a 1372* hash mode and is using binary files. There is only Streebog-512 + XTS **** bit with hash mode 1372*.
(07-22-2022, 03:37 PM)Banaanhangwagen Wrote: [ -> ]This got recently implemented. See https://github.com/hashcat/hashcat/pull/3302 for more details.
In the tools-folder, you'll find the script veracrypt2hashcat.
Thanks, this scirpt is exactly what i was looking for. I tested it with a veracrypt test volume and it works like a charm.
After that i tried to test it on y veracrypt full disk encryption.
I've got only .E01 fiiles from this device so i mounted them like
Code:
ewfmount ./image.E01 ./mountpoint
Inside mountpoint is now a ewf1 file. I checked it with "hexdump -C ewf1 | less" and it looks pretty good (readably ascii character, etc). So now i tried the veracrypt2hashcat script again:
Code:
python3 /path/to/hashcat/tools/veracrypt2hashcat.py ewf1
and this time the output is bad:
Code:
$veracrypt$00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000$00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000xxxxxxxxxxxxxxxxxxxxxxxxxxxxx1000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000055aa
(ignore all those X characters, they are from me just in case). Many zeros, and it ends with a 55aa magic byte.
I re-checked the ewf1 file and recognized something:
Code:
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 xx x xx xx xx xx xx xx |...........Q....|
000001c0 xx xx xx xx xx xx x1 00 00 00 ff ff ff ff 00 00 |................|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
There we are. What am i doing wrong? Do I need to add an offset as a parameter? If yes what offset is necessary?
31744?
As this is a bootable veracrypt full disk encrypted device, i choosed the parameter '--offset bootable'. Thankfully, i don't need to add a "real" offset here. So my command looks like
Code:
python3 /path/to/hashcat/tools/veracrypt2hashcat.py ewf1 --offset bootable
$veracrypt$f105dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxbc52
Now this strings looks pretty good. high entropy. Hashcat recognize the syntax as correct with hash mode 29423, hopefully the dump itself from the veracrypt2hashcat script is correct.