Cannot Recall the Last 3 Characters of My VeraCrypt Password [HELP]
#1
Hi,

2 years ago, I decided to encrypt a file using VeraCrypt. I have not decrypted it since. I needed the file today and realized that I had forgotten the password I used for encryption. However, I don't think that it is that bad of a case. The password length is 15 characters and I remember the first 12.
What can I do to decrypt the file? I suppose brute-forcing would be the primary option in this case, but I am inexperienced in that.

I'd be glad to receive some help,


Thank you
Reply
#2
It depends on how much and what exactly you remember about the missing characters.
Do you know their position (missing chars at the end, at the beginning, could be anywhere, ...)?
Can you limit the characters to a specific set of characters (charset), i.e. do you know if they are all numbers, lowercase letters etc.?
etc...

3 characters indeed doesn't sound "that bad", but it's also important to realize that VeraCrypt is quite a slow algorithm and that you really should first think about the best attack and the most likely password candidates, which you should run first.

Well, since VeraCrypt is quite a slow algorithm, it doesn't matter too much whether you are running a dictionary attack, a mask attack or a rule-based attack etc... the speed will be almost the same because the algorithm is very slow, and disk I/O etc. can be neglected here.

Therefore, you could for instance just use a mask attack with custom charsets (see https://hashcat.net/wiki/doku.php?id=mas...m_charsets) or, if the total number of candidates is very small (and it should be, because VeraCrypt is a hard algorithm), you could generate a dictionary where all the most likely passwords are at the beginning of the file.

What does this mean? That for algorithms like VeraCrypt the speed difference between the several attack modes (-a x) isn't really noticeable, but the most important thing is that you prioritize your password candidates (the most likely passwords should be tested first).

When it comes to cracking, I would suggest that you generate a new test VeraCrypt file (with a known and maybe similar password) and test the whole extraction (https://hashcat.net/wiki/doku.php?id=fre...pt_volumes) and cracking process by trying to crack this test "hash" first.
Unfortunately, we know of a lot of people who messed up some steps here (mostly extracting the correct sequence of bytes) and therefore wasted a lot of cracking time running an "uncrackable hash" (because it's the wrong data etc.). I would say it's important to get a feeling for how to extract and crack the (test) hashes correctly first, and you shouldn't skip this testing step (btw, there are also some "hashes" available here: https://hashcat.net/wiki/example_hashes , but it's important to note that these are already extracted "hashes", and the step that many mess up is the one before you get the hash, i.e. the "dd" extraction etc.). You could/should play with both the wiki hashes and your own newly generated VeraCrypt-encrypted file with a known test password.

You could for instance use maskprocessor or hashcat --stdout to generate some password candidates (if you want to launch a dictionary-based cracking session), but if you really need to "brute-force" all the missing characters because you have no clue what these characters could be, I would recommend using -a 3 (mask attack) instead (with custom charsets).

Good luck
Reply
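As an added example (mine, not part of philsmd's reply), here is how the "most likely candidates first" dictionary described above can be built with plain sh and awk instead of maskprocessor, for exactly the situation in this thread: a known 12-digit prefix followed by 2 or 3 unknown characters. Each tier only emits candidates that need at least one character from the newly added class, so the tiers are disjoint and the combined list has no duplicates. The prefix 123456789012 and the tier order are assumptions for illustration, not the poster's real digits or a claim about their password.

```shell
#!/bin/sh
# Added example: build a prioritized candidate list for a known prefix plus
# 2-3 unknown characters, most likely tier first, with no duplicates.
# The prefix used at the bottom is a placeholder, not the thread's real digits.

LOWER='abcdefghijklmnopqrstuvwxyz'
UPPER='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
# hashcat's ?s charset (33 characters, the first one is a space)
SYM=' !"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~'

# gen_candidates PREFIX CHARSET LENGTH [MUST]
# Prints PREFIX followed by every LENGTH-character string over CHARSET.
# If MUST is given, only strings containing at least one character from
# MUST are printed; that is what keeps the tiers below disjoint.
gen_candidates() {
    prefix="$1" cs="$2" n="$3" must="$4" awk '
    function rec(cur, depth, ok,    i, c) {
        if (depth == n) { if (ok) print cur; return }
        for (i = 1; i <= length(cs); i++) {
            c = substr(cs, i, 1)
            rec(cur c, depth + 1, ok || index(must, c) > 0)
        }
    }
    BEGIN {
        # read via ENVIRON, not -v, so backslashes in the symbol set survive
        cs = ENVIRON["cs"]; must = ENVIRON["must"]; n = ENVIRON["n"] + 0
        rec(ENVIRON["prefix"], 0, must == "")
    }'
}

# priority_list PREFIX
# Tier order (an assumption, change it to what you remember): 2 characters
# before 3; within a length, lowercase only, then at least one uppercase,
# then at least one symbol.
priority_list() {
    for len in 2 3; do
        gen_candidates "$1" "$LOWER" "$len"
        gen_candidates "$1" "$LOWER$UPPER" "$len" "$UPPER"
        gen_candidates "$1" "$LOWER$UPPER$SYM" "$len" "$SYM"
    done
}

# Number of candidates the list contains: 85^2 + 85^3 = 621350.
candidate_count() {
    priority_list "$1" | wc -l | tr -d ' '
}

# Write the dictionary; then run it as a straight dictionary attack, e.g.
#   hashcat -a 0 -m 13721 hashes.tc candidates.txt
priority_list 123456789012 > candidates.txt
```

The resulting file is small enough (about 620k lines) that, at VeraCrypt speeds, the order of the lines matters far more than any difference between -a 0 and -a 3.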
#3
(01-25-2019, 11:40 AM)philsmd Wrote: It depends on how much and what exactly you remember about the missing characters.
Do you know their position (missing chars at the end, at the beginning, could be anywhere, ...)?
Can you limit the characters to a specific set of characters (charset), i.e. do you know if they are all numbers, lowercase letters etc.?

The password is 14 or 15 characters long. The first 12 characters are digits that I know. The rest are letters and probably a symbol; furthermore, I have no idea what these characters are (and I also don't know whether the letters are lowercase or capital).

As for cracking methods, I could not understand the instructions for extracting the hashes from TrueCrypt volumes. I have no idea how to extract the first 512 bytes of the encrypted file. Plus, I'm currently on Windows and have never used hashcat before. Is there any tutorial out there for this process?

Just as you suggested, a mask attack with custom charsets will serve best for this purpose, but again, I do not know how to perform that (though it is not my main concern right now).

Since we have decided on the methods, I believe I need practical instructions.
Reply
#4
Well, there are a lot of tutorials on how to use "dd.exe" or something like it.

Of course, with dd you need to use the command line (cmd).

I would say that the hashcat FAQ I linked above is all you need, in addition to the dd.exe tool (maybe from here: http://www.chrysocome.net/dd ; on Linux it is pre-installed).

Again, I would recommend playing around with a test file and of course making copies/backups of the original file (because with dd.exe you could easily overwrite files if you are doing something incorrectly).
Reply
#5
(01-25-2019, 12:04 PM)philsmd Wrote: Well, there are a lot of tutorials on how to use "dd.exe" or something like it.

Of course, with dd you need to use the command line (cmd).

I would say that the hashcat FAQ I linked above is all you need, in addition to the dd.exe tool (maybe from here: http://www.chrysocome.net/dd ; on Linux it is pre-installed).

Again, I would recommend playing around with a test file and of course making copies/backups of the original file (because with dd.exe you could easily overwrite files if you are doing something incorrectly).

Okay, I ran the following command

Code:
dd if=C:\Users\Hyper\Desktop\E\Vera of=C:\Users\Hyper\Desktop\ddump\attem.txt bs=512 count=1

and obtained a file called attem.txt (with a size of 1 KB) that contains weird special characters.
Reply
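An added example (mine, not from the thread) of the same extraction on Linux, with the two checks worth running on the output before spending any GPU time on it: the file must be exactly 512 bytes (Explorer's "1 KB" is rounded up, which is why the size is worth checking on the command line), and the bytes must look like an encrypted header rather than zeros or text. The sector offsets for hidden and system volumes are the ones from the hashcat FAQ linked earlier in the thread; a standard container like the poster's uses offset 0. On Windows the dd.exe invocation in the post above is the equivalent of extract_header.

```shell
#!/bin/sh
# Added example: extract a VeraCrypt/TrueCrypt volume header for hashcat and
# sanity-check the result before cracking. Offsets are in 512-byte sectors:
#   0    standard container or non-system partition (this thread's case)
#   128  hidden volume header (byte offset 65536)
#   62   system encryption (boot) header
# Always read from a copy or with of= pointing at a NEW file, never the container.

# extract_header CONTAINER OUTFILE [SECTOR_OFFSET]
extract_header() {
    dd if="$1" of="$2" bs=512 skip="${3:-0}" count=1 2>/dev/null
}

# header_size FILE -> size in bytes
header_size() {
    wc -c < "$1" | tr -d ' '
}

# distinct_bytes FILE -> number of distinct byte values in the file.
# 512 bytes of encrypted header have about 220 distinct values; zero padding
# or readable text has far fewer. A heuristic, not a VeraCrypt format check.
distinct_bytes() {
    od -A n -v -t u1 "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# verify_header FILE -> 0 if FILE plausibly is a raw 512-byte volume header
verify_header() {
    size=$(header_size "$1")
    if [ "$size" -ne 512 ]; then
        echo "$1: $size bytes, expected exactly 512 (wrong bs/count/skip, or read past EOF?)" >&2
        return 1
    fi
    distinct=$(distinct_bytes "$1")
    if [ "$distinct" -lt 128 ]; then
        echo "$1: only $distinct distinct byte values, this is not an encrypted header" >&2
        return 1
    fi
    return 0
}

# Typical run (paths are placeholders):
#   extract_header /path/to/volume hashes.tc && verify_header hashes.tc \
#     && hashcat -a 3 -m 13721 hashes.tc 123456789012?a?a?a
```

If verify_header rejects the file, the cracking session would have been the "uncrackable hash" philsmd warns about; fix the extraction first, ideally on a test volume with a known password.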
#6
The next step is to define the mask.

According to the wiki page, ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a means the password is 15 characters long. However, I could not find what to do if I already know part of the password.

EDIT: Got it from a tutorial video. I need to do xxxxxxxxxxxx?a?a?a (x is the position-specific placeholder for the characters that I know). So there is only one element left to consider: -m YYYYY. I have no idea what to type in there.

EDIT2: I found it in the example hashes table in the wiki. I used the default settings when encrypting the file, which is VeraCrypt PBKDF2-HMAC-SHA512 + AES, so the hash mode is 13721.

The file that contains the extracted hashes is called hashes.tc and is located in ~Desktop\ddump.

Thus, the final command that I need to run is as follows (though I'll need to replace the placeholders with the corresponding digits):

Code:
hashcat -a 3 -m 13721 C:\Users\Hyper\Desktop\ddump\hashes.tc xxxxxxxxxxxx?a?a?a
Reply
#7
Code:
hashcat -1 ?l?s?u -a 3 -m 13721 -i --increment-min 14 --increment-max 15 -w 4 C:\Users\Hyper\Desktop\ddump\hashes.tc xxxxxxxxxxxx?1?1?1?1

This would search all lowercase, uppercase and symbol characters at max workload, starting with 14 characters and moving to 15 if not found. This way you can eliminate digits if you're 100% sure they are not in the last 3-4 characters, shortening your workload.
Reply
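As an added example (mine, not from the thread), a small sh/awk keyspace calculator for hashcat masks, so the "shortening your workload" claim in the reply above can be put in numbers before a session is started. It understands the built-in ?l ?u ?d ?s ?a ?b tokens, a -1 custom charset, literal characters, and --increment-min/--increment-max, which in hashcat count mask positions (so 14 and 15 on the 16-position mask above mean 2 and 3 unknown characters). Token sizes are hashcat's documented charset sizes; the rate passed to eta_hours is whatever hashcat -b or a running session reports for -m 13721 on your own hardware, no speed is assumed here.

```shell
#!/bin/sh
# Added example: count the candidates a hashcat mask produces before running it.
# Built-in charset sizes: ?l=26 ?u=26 ?d=10 ?s=33 ?a=95 ?b=256.

# mask_keyspace MASK CUSTOM1 [INCREMENT_MIN INCREMENT_MAX]
#   CUSTOM1 is the -1 charset ("" if none). Without MIN/MAX only the full
#   mask is counted; with them every length MIN..MAX is summed, as -i does.
mask_keyspace() {
    mask="$1" c1="$2" lo="${3:-0}" hi="${4:-0}" awk '
    # size of a charset string such as "?l?s?u" or "?d!@#"
    function charset_size(cs,    i, c, n) {
        n = 0
        for (i = 1; i <= length(cs); i++) {
            c = substr(cs, i, 1)
            if (c != "?") { n++; continue }               # literal character
            i++; c = substr(cs, i, 1)
            if (c == "?") n++                              # "??" is a literal ?
            else if (c in size) n += size[c]
            else { print "unknown charset token ?" c > "/dev/stderr"; exit 2 }
        }
        return n
    }
    # fill pos[1..n] with the number of choices at each mask position
    function tokenise(m,    i, c, n) {
        n = 0
        for (i = 1; i <= length(m); i++) {
            c = substr(m, i, 1)
            if (c != "?") { pos[++n] = 1; continue }      # literal character
            i++; c = substr(m, i, 1)
            if (c == "?") pos[++n] = 1                     # "??" is a literal ?
            else if (c in size) pos[++n] = size[c]
            else { print "unknown mask token ?" c > "/dev/stderr"; exit 2 }
        }
        return n
    }
    BEGIN {
        size["l"] = 26; size["u"] = 26; size["d"] = 10
        size["s"] = 33; size["a"] = 95; size["b"] = 256
        if (ENVIRON["c1"] != "") size["1"] = charset_size(ENVIRON["c1"])
        n = tokenise(ENVIRON["mask"])
        lo = ENVIRON["lo"] + 0; hi = ENVIRON["hi"] + 0
        if (lo == 0) { lo = n; hi = n }                    # no -i: full mask only
        total = 0
        for (len = lo; len <= hi && len <= n; len++) {
            k = 1
            for (i = 1; i <= len; i++) k *= pos[i]
            total += k
        }
        printf "%.0f\n", total
    }'
}

# eta_hours KEYSPACE RATE_PER_SECOND -> whole hours to exhaust the keyspace
# (worst case; a prioritized list usually finishes much earlier)
eta_hours() {
    echo $(( $1 / $2 / 3600 ))
}

# The two options from this thread, with the 12 known digits as literal x's:
#   ?a on every unknown position (3 chars):       857375 candidates
#   -1 ?l?s?u with -i 14..15 (2 then 3 chars):    621350 candidates
mask_keyspace 'xxxxxxxxxxxx?a?a?a' ''
mask_keyspace 'xxxxxxxxxxxx?1?1?1?1' '?l?s?u' 14 15
```

Note that the -i mask only saves about 27% over plain ?a?a?a; the real saving from the reply above comes from running the 2-character lengths first, since those 7225 candidates are checked long before the 3-character ones.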