+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Deceased Brother's Veracrypt (/thread-11828.html)
Deceased Brother's Veracrypt - RyRudiger24 - 02-21-2024
Hi i'm posting to get some Veracrypt related help on behalf of a friend who's Brother sadly passed away.
Upon booting Windows this is the screen prompted with:
https://imgur.com/a/AOxPAVj
After many incorrect attempts, he's then taken to this screen:
https://imgur.com/a/nLEEH9O
Thankfully he guessed his Brother's pin and can access the Desktop + C drive.
On disk management this is what shows:
https://imgur.com/a/7YEqDqZ
The theory is, the encrypted drive is the D drive
which also has another OS on it
This is the default BIOS boot order:
https://imgur.com/a/74CkX1f
I've told him that it may be possible to extract the VeraCrypt hash (OS is Windows)
and perform some attacks on already existing known passwords.
I just don't have the knowledge on how to do the extraction part.
Any advice/help is greatly appreciated.
RE: Deceased Brother's Veracrypt - Snoopy - 02-21-2024
there is a wiki entry on true/veracrypt
https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_veracrypt_volumes
the problem is you need direkt access to the disk, is the account you are into an admin account? if yes you could use some hex editor like hxd to extract the needed binary data and then use the veracrypt2hashcat.py located under tools to extract all hashes for an attack (i your case i would extract the first 5 mb from each physical disk and then run the script with all possible offsets (normal, boot, boot+hidden) this ways you should obtain some empty hashes but also the real ones
BUT: if the brother used a PIM other than the standard you will never crack the pass