Hello,
I am sorry but I can't get it working with standard vera-crypt-containers.
Therefore I just created 4 folders with combinations of SHA512, Whirlpool and AES, AES/TWOFISH/SERPENT to try all available hash-modes which I prefer and that are in FAQ:
-m 13721
-m 13723
-m 13731
-m 13733
So I created 4 basic containers with each encryption-mode, set the passwort to "mic" (3 letters) and extracted their first 512bytes and pasted them with notepad++ into new hash-files (see screenshot).
Then I used command
to let hashcat brute-force the 3 letters of this simple password.
It finished after ~3 minutes but it did not crack it.
?
LINK: SCREENSHOT
![[Image: unkenntlich.jpg]](https://img1.picload.org/image/dgopiwrl/unkenntlich.jpg)
I double-checked the hash-file, the right hash-mode, encryption-mode, the FAQs and the password (vera-crypt can decrypt it!).
Why doesn't it work?
Thanks in advance.
EDIT:
WTF are you serious?
Vera-Crypt containers do not need the first 512 bytes of the container-raw-data but the first 299008 bytes.
Your FAQ is wrong.
I tested it with the example hash from the FAQ/wiki
And I was wondering why the file was so big. When I extracted the first 512 bytes nothing happened.
But when I used the full file (299008 bytes!) it encrypted the "hashcat" password.
Please update your FAQ/wiki asap!
Else explain me what you meant with 512bytes in the description......
I am sorry but I can't get it working with standard vera-crypt-containers.
Therefore I just created 4 folders with combinations of SHA512, Whirlpool and AES, AES/TWOFISH/SERPENT to try all available hash-modes which I prefer and that are in FAQ:
-m 13721
-m 13723
-m 13731
-m 13733
So I created 4 basic containers with each encryption-mode, set the passwort to "mic" (3 letters) and extracted their first 512bytes and pasted them with notepad++ into new hash-files (see screenshot).
Then I used command
Code:
hashcat64.exe -m 13721 -a 3 Hash.txt ?l?l?l
pauseto let hashcat brute-force the 3 letters of this simple password.
It finished after ~3 minutes but it did not crack it.
?
LINK: SCREENSHOT
I double-checked the hash-file, the right hash-mode, encryption-mode, the FAQs and the password (vera-crypt can decrypt it!).
Why doesn't it work?
Thanks in advance.
EDIT:
WTF are you serious?
Vera-Crypt containers do not need the first 512 bytes of the container-raw-data but the first 299008 bytes.
Your FAQ is wrong.
I tested it with the example hash from the FAQ/wiki
Quote:13731
VeraCrypt PBKDF2-HMAC-Whirlpool + AES
https://hashcat.net/misc/example_hashes/...s_13731.vc
And I was wondering why the file was so big. When I extracted the first 512 bytes nothing happened.
But when I used the full file (299008 bytes!) it encrypted the "hashcat" password.
Please update your FAQ/wiki asap!
Else explain me what you meant with 512bytes in the description......
Quote:How do I extract the hashes from TrueCrypt volumes?
In order to crack TrueCrypt volumes, you will need to feed hashcat with the correct binary data file. Where this data lives depends on the type of volume you are dealing with.
The rules are as follows:
You can extract the binary data from the raw disk, for example, with the Unix utility dd (e.g. use a block size of 512 and a count of 1).
- for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets.
Explanation for this is that the volume header (which stores the hash info) is located at the last sector of the first track of the system drive. Since a track is usually 63 sectors long (1 sector is 512 bytes), the volume header is at sector 63 - 1 (62).
- if TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.
dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
- else:
- if you are cracking a single TrueCrypt file instead of a physical disk, you need the first 512 Bytes of the file.
- in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
You need to save this hash data into a file and simply use it as your hashlist with hashcat.
The hashcat wiki lists some TrueCrypt example hashes (e.g. -m 6211, -m 6221, -m 6231 or -m 6241 depending on the exact TrueCrypt settings that were used when setting up the TrueCrypt volume). If you want to test/crack those example “hashes”, as always, use the password “hashcat” (without quotes).
The same procedure should also work for VeraCrypt volumes (but you need to adapt the hash mode to -m 137XY - see the --help output for all the supported hash mode for VeraCrypt and the correct values for X and Y).
How do I extract the hashes from VeraCrypt volumes?
The procedure to extract the important information from data encrypted with VeraCrypt follows the same steps/rules as for TrueCrypt: see How do I extract the hashes from TrueCrypt volumes?
It's important that you do not forget to adapt the hash mode (-m). For all supported hash modes for data encrypted with VeraCrypt, please have a glance at the --help output.