hashcat Forum
am I doing something wrong? - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: am I doing something wrong? (/thread-6092.html)



am I doing something wrong? - heyu34 - 12-03-2016

hello I extracted a veracrypt hash from a encrypted drive which was encrypted with full drive encryption.
I used dd to achieve that (http://0x31.de/cracking-truecrypt-container-non-system-system/)
here I'm using a 13761 mode which is suppose to be the veracrypt one and I tried one with a custom charset which didn't crack it.
I would be thankful if someone gave it a look and told me if this is right.

hashcat32.exe -m 13761 -a 3 --increment --increment-min 7 hash.dd abcdefg?a?a?a?a?a
hashcat32.exe -m 13761 -a 3 -1 ,ro.{5 --increment --increment-min 7 hash.dd abcdefg?1?1?1?1?1


RE: am I doing something wrong? - atom - 12-03-2016

* Does the mask match the password?
* Did you set the correct offset for full drive encryption? Is this one really the same as with TrueCrypt?
* Are you sure the cipher is not cascaded?


RE: am I doing something wrong? - heyu34 - 12-06-2016

The mask should be right, I used " echo "31744/512" | bc " and got out of it "62".
then I used: " dd if=/dev/sdb of=/root/Desktop/512byte-at-offset-31744.dd bs=512 count=1 skip=62 "
so the 31744 offset was applied, but the guy on the site that i provided the link for uses -m 6241 insted of -m 13761 so
maybe thats my issue, should I use 6241 ?
I don't know if it's cascaded, I didn't explicitliy double encrypted it.
I assume the "cascaded cypher" means that the hash was encrypted with something else, which I didn't do.
I just followed the full drive system encryption wizard provided by veracrypt for windows, so if it would be cascaded then it was cascaded by the pretty much left to default settings of the veracrypt wizard.


RE: am I doing something wrong? - atom - 12-07-2016

> but the guy on the site that i provided the link for uses -m 6241 insted of -m 13761 so
This is correct for 6241

> maybe thats my issue, should I use 6241 ?
Maybe, yes. I can't say for sure if the offset should be different for veracrypt. Maybe someone else can?
However, for veracrypt you can not use 6241

> I don't know if it's cascaded, I didn't explicitliy double encrypted it.
So you did created the image or not? How can you be sure then that the mask is correct?


RE: am I doing something wrong? - heyu34 - 12-08-2016

Which image? I extracted the hash with dd exacly like the guy did for the system encrypion.
I'm pretty sure the mask is correct because I remember a good chunk of the password, the mask is the abcdefg?1?1?1?1?1
which consist of the neverchanging letters and 1 which will be replaced with the charset letters, numbers and symbols.


RE: am I doing something wrong? - atom - 12-09-2016

But if hashcat can not find it, it's either an invalid offset or the mask is invalid. To find out which of them is true, I can only see one way. You need to build a bootable veracrypt system and reproduce the steps you described. If you can crack it, you have an invalid mask (or the part you think is known is invalid). If you still can't crack it afterwards it's probably an invalid offset. I can confirm that I've tested hashcats veracrypt implementation successfully with all the images I got so far.