hashcat Forum
Empty hash? "Disk error" - Printable Version

Empty hash? "Disk error" - Trolltramp - 12-29-2017

Hey, I'm new to hashcat and Linux, so sorry for the newbie question. I'm trying to crack my VeraCrypt boot volume because I changed the password in a hurry and it doesn't work, so I need the 512 bytes of the last sector of the first track. But this:
dd if=/dev/sda1 of=/root/Pobrane/hash.txt bs=1 skip=31744 count=512
creates a file that doesn't look like the hash file from the examples; actually it looks empty.
Also, when I extract the first 512 bytes from that disk, I get the message "Disk error\FF Press any key to restart" inside my hash file. What am I doing wrong?
I've attached both files.


RE: Empty hash? "Disk error" - philsmd - 12-29-2017

I think the problem is that you are trying to extract the data from a specific partition (e.g. /dev/sda1) while the guide here https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_truecrypt_volumes says that you need to extract the data from that specific offset from the start of the whole disk (/dev/sda for instance).
This means that the command should probably look like this:
Code:
dd if=/dev/sda of=/root/Pobrane/hash.txt bs=1 skip=31744 count=512

Furthermore, the data that you have posted does not look encrypted at all, it's the unencrypted version. This could be because the real data is "hidden" within a second ("hidden") partition etc (I'm not totally sure about this, would need to research it).
Are you 100% sure that on startup of this disk you see the VeraCrypt boot loader and need to insert the VeraCrypt password before starting the system? If that's the case, you should follow the faq/guide and extract the data from the volume/disk (and not just from the partition).
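A sanity check for the extraction discussed above, as an added example that is not part of the original posts: it reads the 512 bytes at offset 31744 and reports whether they are all zeros, low-entropy (boot code or text), or random-looking as an encrypted header should be. The function names and the 7.0 bits/byte threshold are assumptions made for this example.

```python
import math
from collections import Counter

HEADER_OFFSET = 31744  # 62 * 512: last sector of the first track, as in the thread
HEADER_SIZE = 512


def read_header(path, offset=HEADER_OFFSET, size=HEADER_SIZE):
    """Read `size` bytes at `offset` from a whole-disk device or image file."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(size)
    if len(data) != size:
        raise ValueError(f"short read: got {len(data)} of {size} bytes")
    return data


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the theoretical maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data, threshold=7.0):
    """Rough triage of an extracted header.

    The threshold is an assumed cut-off: 512 uniformly random bytes
    measure about 7.5 bits/byte, while text and boot code sit well below.
    """
    if not any(data):
        return "empty"  # all zero bytes, e.g. wrong device or offset
    if shannon_entropy(data) >= threshold:
        return "random-looking"  # consistent with encrypted data
    return "not-encrypted"  # readable text, boot code, padding


if __name__ == "__main__":
    import sys

    header = read_header(sys.argv[1])  # e.g. /dev/sda, not /dev/sda1
    print(f"{classify(header)} (entropy {shannon_entropy(header):.2f} bits/byte)")
```

A "random-looking" result only shows the bytes are high-entropy; it does not prove they are a valid VeraCrypt header.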


RE: Empty hash? "Disk error" - Trolltramp - 12-29-2017

Thanks! For some reason the option to encrypt the whole disk was greyed out (I couldn't choose it), so I've encrypted the whole partition instead (the only one). In the disk's properties its name was /dev/sda1, so that's the name I've used. Now the hash file looks OK, I guess. Also, the first 512 bytes of the whole disk don't show the error message now.
Second thing: I'm absolutely sure that I haven't created a hidden volume and that on startup of this disk I see the VeraCrypt boot loader (but probably encrypting the only partition works like whole-disk encryption, so that's the reason).
I'll post the final results later :)