Basic hashcat issue - beginner
#1
Hello there,

I am new to hashcat and I have got a problem with cracking a vera-crypt-container with a KNOWN password.
Unfortunately I forgot a quite long password but I still know the components of the password.
With a simple wordlist (severel spellings of some words etc) I could find out what it was.
So I created a wordlist of 155 words and thats it.

The container-format is AES and SHA-512 --> mode -m 6221 i guess.

But before I use this I wanted to test hashcat with a new container with test password "hashcat".
And a wordlist containing:
Code:
H4shcat
Hashcat
hashcat
hashcaT

Or I use only one word: "hashcat"

Here comes my little problem.

Quote:* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2048/8192 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

Dictionary cache built:
* Filename..: dummy.dict
* Passwords.: 1
* Bytes.....: 8
* Keyspace..: 1
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit
Hash.Target......: dummy.hash
Time.Started.....: Thu Sep 28 11:12:44 2017 (0 secs)
Time.Estimated...: Thu Sep 28 11:12:44 2017 (0 secs)
Guess.Base.......: File (dummy.dict)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.40ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Candidates.#1....: hashcat -> hashcat
HWMon.Dev.#1.....: Temp: 57c Fan: 30% Util: 99% Core:2037MHz Mem:4714MHz Bus:16

Hashcat can't even find the password when I tell him the right one...
What am I doing wrong?

I extracted the first 512 bytes of the dummy-container with HxD (Hexeditor) and pasted it into a textfile (*.hash).
I created a dictionary-textfile and entered the "hashcat"-password (*.dict).
I used
Code:
hashcat64.exe -m 6221 dummy.hash dummy.dict

pause
for launching hashcat.

Can someone please help me?
I can't find the problem since two days.

Here a pic of the hash-extraction.
Is there maybe a problem? Wrong format?
[Image: unbenannt.jpg]
Hash:
Code:
..O"õ..Ñ3..6.û.V-í€Öâ–GD^.DÂm¯.F<m.èP\..è¢.¶×'¸îýØŠ .Câ2æåü1'ÿrãýîÇ..xR%£„ýºe!.æ5h.‹.}iíÇöAK.X÷Àá5Aâ~(á.ü+.–ˆpj@H¤.XKÔ—.é.þa8p?.ò:8©²—¾þ†-.ºUÐ..vÀñ‰±<ãé€ÎGË#$*àX¶..¯@Ú?.IÖÁ‰.| j2çã7çGe¡€DJÒ€£9üÊWO}Â.44©.Ñ1xê‘ø[†.Ø8¢º.0Nö5¡¨Ör_./.(âW.s–±%.mÔ÷o.WÊP#}%vÁBeAVΖ޼.|:óôV.ìÝÃàEî`.4-/Kù.²¯‡øZ¾´p¤.k+n@îHq.ž¼îa†Æœ;â¾Å.ªpÏŽV…®ò_Y.Âø.5Qç:.{úI›e¤“ùXv.6Í0È4..…’¹ÛN?9cô»jmµIÂIËÝb..yÊ¿…^gAø%t]³d“Æ.y.Vš‚ˆ.³.±X.ÛT¤?›l'.ãzô.8..÷2Á]ª..<óa³  Äs*«.Ò.\OÖLj¦÷{·”®Ø¾§3¦wO¦1“.aÖ.š.ÁÜÊŸv»7”r.ž.ƒA™š¶«a«.§ƒñXc…QpÐù.$.˜¥ÉJÍ!óŠÛkf³ts.3Ë.Š.
Password: "hashcat"

Can someone check it?

Thank you!
#2
You need the raw data, not the ascii representation of said data
#3
Well thank you very much for your answer.
I was expecting that something is wrong with those hash-extractions.

Unfortunately my hexeditor can only extract ANSI, DOS/IMB-ASCII, Macintosh, EBCDIC.

Which program can I use for getting my raw-data from such big containers on windows 10?

EDIT: Wait. Do you mean the left side of the hexeditor?
Those?
Code:
7F 13 4F 22 F5 81 1C D1 33 15 11 36 1E FB 81 56 2D ED 80 D6 E2 96 47 44 5E 0C 44 C2 6D AF 9D 46 3C 6D 2E E8 50 5C 13 17 E8 A2 8F B6 D7 27 B8 EE FD D8 8A A0 17 43 E2 32 E6 E5 FC 31 27 FF 72 E3 FD EE C7 2E 0B 78 52 25 A3 84 FD BA 65 21 14 E6 35 68 12 8B 0A 7D 69 ED C7 F6 41 4B 00 58 F7 C0 E1 35 41 E2 7E 28 E1 1F FC 2B 1C 96 88 70 6A 40 48 A4 0F 58 4B D4 97 9D E9 0B FE 61 38 70 3F 7F F2 3A 38 A9 B2 97 BE FE 86 2D 0F BA 55 D0 07 0A 76 C0 F1 89 B1 3C E3 E9 80 CE 47 CB 23 24 2A E0 58 B6 04 0E AF 40 DA 3F 07 49 D6 C1 89 04 7C A0 6A 32 E7 E3 37 E7 47 65 A1 80 44 4A D2 80 A3 39 FC CA 57 4F 7D C2 1C 34 34 A9 AD D1 31 78 EA 91 F8 5B 86 1C D8 38 A2 BA 0C 30 4E F6 35 A1 A8 D6 72 5F 0C 2F 2E 28 E2 57 0A 73 96 B1 25 1C 6D D4 F7 6F 18 57 CA 50 23 7D 25 76 C1 42 65 41 56 CE 96 DE BC 0D 7C 3A F3 F4 56 11 EC DD C3 E0 45 EE 60 90 34 2D 2F 4B F9 1B B2 AF 87 F8 5A BE B4 70 A4 0E 6B 2B 6E 40 EE 48 71 15 9E BC EE 61 86 C6 9C 3B E2 BE C5 00 AA 70 CF 8E 56 85 AE F2 5F 59 90 C2 F8 1F 35 51 E7 3A 8F 7B FA 49 9B 65 A4 93 F9 58 76 07 36 CD 30 C8 34 01 1D 85 92 B9 DB 4E 3F 39 63 F4 BB 6A 6D B5 49 C2 49 CB DD 62 1C 0E 79 CA BF 85 5E 67 41 F8 25 74 5D B3 64 93 C6 03 79 0D 56 9A 82 88 18 B3 8F B1 58 2E DB 54 A4 3F 9B 6C 27 0F E3 7A F4 1A 38 7F 12 F7 32 C1 5D AA 7F 11 3C F3 61 B3 20 A0 C4 73 2A AB 1D D2 07 5C 4F D6 C7 88 A6 F7 7B B7 94 AE D8 BE A7 33 A6 77 4F A6 31 93 0A 61 D6 AD 9A 04 C1 DC CA 9F 76 BB 37 94 72 8F 9E 1C 83 41 99 9A B6 AB 61 AB 11 A7 83 F1 58 63 85 51 70 D0 F9 7F 24 0D 98 A5 C9 4A CD 21 F3 8A DB 6B 66 B3 74 73 05 33 CB 10 8A 7F
#4
https://hashcat.net/wiki/doku.php?id=fre...pt_volumes

veracrypt is the same process as truecrypt which involves the use of dd
#5
veracrypt has these hash modes (-m):
Code:
137XY | VeraCrypt                                        | Full-Disk Encryption (FDE)
   X  | 1 = PBKDF2-HMAC-RIPEMD160                        | Full-Disk Encryption (FDE)
   X  | 2 = PBKDF2-HMAC-SHA512                           | Full-Disk Encryption (FDE)
   X  | 3 = PBKDF2-HMAC-Whirlpool                        | Full-Disk Encryption (FDE)
   X  | 4 = PBKDF2-HMAC-RIPEMD160 + boot-mode            | Full-Disk Encryption (FDE)
   X  | 5 = PBKDF2-HMAC-SHA256                           | Full-Disk Encryption (FDE)
   X  | 6 = PBKDF2-HMAC-SHA256 + boot-mode               | Full-Disk Encryption (FDE)
    Y | 1 = XTS  512 bit pure AES                        | Full-Disk Encryption (FDE)
    Y | 1 = XTS  512 bit pure Serpent                    | Full-Disk Encryption (FDE)
    Y | 1 = XTS  512 bit pure Twofish                    | Full-Disk Encryption (FDE)
    Y | 2 = XTS 1024 bit pure AES                        | Full-Disk Encryption (FDE)
    Y | 2 = XTS 1024 bit pure Serpent                    | Full-Disk Encryption (FDE)
    Y | 2 = XTS 1024 bit pure Twofish                    | Full-Disk Encryption (FDE)
    Y | 2 = XTS 1024 bit cascaded AES-Twofish            | Full-Disk Encryption (FDE)
    Y | 2 = XTS 1024 bit cascaded Serpent-AES            | Full-Disk Encryption (FDE)
    Y | 2 = XTS 1024 bit cascaded Twofish-Serpent        | Full-Disk Encryption (FDE)
    Y | 3 = XTS 1536 bit all                             | Full-Disk Encryption (FDE)

Therefore, your use of -m 6221 is completely wrong.
#6
Yea I read the FAQ
Quote:You can extract the binary data from the raw disk, for example, with the Unix utility dd (e.g. use a block size of 512 and a count of 1).

Is there no windows tool for extracting raw-code?

(09-28-2017, 11:50 AM)philsmd Wrote: veracrypt has these hash modes (-m):

Therefore, your use of -m 6221 is completely wrong.

Wow ok. I did not see that. In FAQ stood:
Quote: The hashcat wiki lists some TrueCrypt example hashes (e.g. -m 6211, -m 6221, -m 6231 or -m 6241 depending on the exact TrueCrypt settings that were used when setting up the TrueCrypt volume). If you want to test/crack those example “hashes”, as always, use the password “hashcat” (without quotes).
The same procedure should also work for VeraCrypt volumes.
I thought they were the same.
Thanks

I still need to know how to get those raw-data without linux/unix.

EDIT:
Ok I think I've got it now.
Created a new text-document and pasted the raw data "7F 13 4F 22 F5 etc" with my hexeditor in this file and overwrote everything.
Now it recovered the passwort "hashcat".

Thanks.

I hope this will now work for the bigger wordlist aswell.
#7
Great.

... and thanks for the hint about the possibility of missinterpretation of the sentence within the wiki.
I've updated/fixed it. Hopefully now it is better.