help designing an optimal attack - veracrypt non-boot drive
#1
Hi folks, about a week ago I reset my VeraCrypt password. Long story short: see my username.

After a week reading the forum, wiki, and googling up on password cracking, I'm almost ready to launch a years-long attack. But I could use some expert advice on designing an optimal ruleset or mask.

Some details: the password is likely 20 characters long. I believe it consists of a 32-character set, which includes some letters of both cases, a symbol and several numbers. It was based on a line of text that was right in front of me, which is why I didn't bother to write it down. I think I must've forgotten which case was used where (so I need to include a toggle attack), and I may have made a typo or accidentally held down the shift button. Is there a way I can account for all these factors in a single attack? Or should I break it down and do several simultaneously?

Since it isn't connected to anything online, I can provide the hash and/or the suspected password if that'd be relevant.

I've tried creating a dict file using crunch. This doesn't seem to have enough limiters. Using a more limited pattern with variations in only the last 6 characters, I ended up with a 6GB file; hashcat estimated that attack alone would take almost 2 years on my system (yay integrated graphics!).
#2
Sounds like you want to do a table attack. Although you need to generate and pipe in candidates using hashcat-legacy and also patch + compile the source code yourself to remove the 16 character limit for candidates.

To have hashcat-legacy support longer passwords you have to alter
Code:
#define TOGGLE_MAX
#define TABLE_MAX

in src/hashcat-cli.c

For now I would recommend running just that attack, without accounting for possible typos.

Also take a look at https://hashcat.net/wiki/doku.php?id=tab...nner_guide
#3
(10-20-2018, 10:31 AM)undeath Wrote: Sounds like you want to do a table attack. Although you need to generate and pipe in candidates using hashcat-legacy and also patch + compile the source code yourself to remove the 16 character limit for candidates.

To have hashcat-legacy support longer passwords you have to alter
Code:
#define TOGGLE_MAX
#define TABLE_MAX

in src/hashcat-cli.c

For now I would recommend running just that attack, without accounting for possible typos.

Also take a look at https://hashcat.net/wiki/doku.php?id=tab...nner_guide

I should mention this is my first attempt at compiling source code, and I'm new to most of the tools, like cygwin, that I've needed to use in the process. Altering the code was the easy part.

I was able to compile, but I can't get hashcat-cli64 to run. Application Error: "The application was unable to start correctly (0xc000007b)."

Troubleshooting I've tried so far: run as Admin; compatibility mode; repair Visual C++ redist; install .NET runtime; restart; rebuild hashcat-legacy.

Here's the output from running make on cygwin:

Code:
$ make windows64
x86_64-w64-mingw32-gcc -W -Wall -pipe -I include/ -O2 -s -fomit-frame-pointer -funroll-loops -Ideps/gmp/win64/include -D__HC_x86_64__ -DWINDOWS -m64 -msse2 -D__USE_MINGW_ANSI_STDIO=1 -mstackrealign -c src/common.c -o obj/win64/common.o
x86_64-w64-mingw32-gcc -W -Wall -pipe -I include/ -O2 -s -fomit-frame-pointer -funroll-loops -Ideps/gmp/win64/include -D__HC_x86_64__ -DWINDOWS -m64 -msse2 -D__USE_MINGW_ANSI_STDIO=1 -mstackrealign -c src/tsearch.c -o obj/win64/tsearch.o
x86_64-w64-mingw32-gcc -W -Wall -pipe -I include/ -O2 -s -fomit-frame-pointer -funroll-loops -Ideps/gmp/win64/include -D__HC_x86_64__ -DWINDOWS -m64 -msse2 -D__USE_MINGW_ANSI_STDIO=1 -mstackrealign -c src/rp.c -o obj/win64/rp.o
x86_64-w64-mingw32-gcc -W -Wall -pipe -I include/ -O2 -s -fomit-frame-pointer -funroll-loops -Ideps/gmp/win64/include -D__HC_x86_64__ -DWINDOWS -m64 -msse2 -D__USE_MINGW_ANSI_STDIO=1 -mstackrealign -c src/engine.c -o obj/win64/engine.o
x86_64-w64-mingw32-gcc -W -Wall -pipe -I include/ -O2 -s -fomit-frame-pointer -funroll-loops -Ideps/gmp/win64/include -D__HC_x86_64__ -DWINDOWS -m64 -msse2 -D__USE_MINGW_ANSI_STDIO=1 -mstackrealign obj/win64/*.o /usr/x86_64-w64-mingw32/lib/CRT_glob.o src/hashcat-cli.c -o obj/win64/hashcat-cli64.exe  -Ldeps/gmp/win64/lib -lm -lgmp
cp obj/win64/hashcat-cli64.exe .

Although make ran without error and created the .exe, I think the problem is with the step before it - running $ sudo deps.sh.

Sudo doesn't exist in cygwin. So it's unclear how to run the sh. This issue has led me in a circle, trying to install one thing which then has a different error that requires something else to be installed... (Case in point: 'sudo for cygwin', which produces errors when trying to install the required python modules, telling me 'gcc is missing' even though it's certainly in the cygwin install.)

Eventually, I ran deps.sh with $ runas deps.sh. It returned no errors or any output. But I'm guessing that wasn't correct.

Now, I know gmp is installed in cygwin. But if this is the cause of the application error, please tell me if there's an easier way to run deps.sh or fix the dependencies manually.
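
Error 0xc000007b is the NTSTATUS code STATUS_INVALID_IMAGE_FORMAT, which Windows typically raises when a process and a DLL it loads were built for different architectures. As an added example (not part of the original posts or of hashcat-legacy), this Python script reads the architecture from the PE header of an executable and of any DLLs passed with it, so a 32/64-bit mix-up can be ruled in or out; the sample headers and the name example.dll are constructed.

```python
import struct
import sys

# Values of the COFF "Machine" field, from the PE/COFF specification.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("not a PE image: missing PE signature")
    # The Machine field is the first 16-bit word after the signature.
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")


def mismatches(images: dict) -> list:
    """Names of images whose architecture differs from the first entry's.

    The first entry is expected to be the main executable.
    """
    archs = {name: pe_machine(blob) for name, blob in images.items()}
    expected = next(iter(archs.values()))
    return sorted(name for name, arch in archs.items() if arch != expected)


def fake_pe(machine: int) -> bytes:
    """Constructed sample: the smallest header pe_machine() can parse."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real files: pass the .exe first, then the DLLs to compare with it.
        images = {}
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                images[path] = fh.read()
    else:
        # Constructed demo input, not real binaries.
        images = {"hashcat-cli64.exe": fake_pe(0x8664),
                  "example.dll": fake_pe(0x014C)}
    for name, blob in images.items():
        print(f"{name}: {pe_machine(blob)}")
    print("mismatched:", mismatches(images) or "none")
```
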
#4
Before running deps.sh, try running:
export CC="x86_64-w64-mingw32-gcc"
export CXX="x86_64-w64-mingw32-g++"
#5
Thank you for helping, undeath. It seems to be resolved. However I am not sure what solved it.

I ran the commands above, but still could not run deps.sh using 'bash', so I did not try opening hashcat-cli64.exe. Eventually, I found instructions to run '$ chmod +x [pathto]deps.sh'. Like runas before it, this caused it to be executed silently. Then I tried opening hashcat-cli64.exe, and now it opens.

I assume people with better technical knowledge than I have might understand how this worked. Anyway, I hope it's clear enough to anyone else who runs into the same problem.

Now on to the table attack!