VeraCrypt with PIM/keyfile seems to be ignored
I probably do a stupid mistake but I could not find out which one it is. The problem: hashcat only find the password on partition/volume with nothing else (pim/key file).

Story/a part of the history:
I tested a bit with VeraCrypt and created some partition/volume encrypted with password and:
a) custom PIM
b) 2 key files
c) custom PIM and 2 key files
and as a result of the problems a fourth one:
d) normal, only password.

Every partition was encrypted with the same password. The first 512 byte of every partition was extracted and given to hashcat to recover the password. The basic command for a) is:
hashcat64.exe -a 3 -m 13751 [VeraCrypt header] [mask] -o [outputfile] --potfile-path=[potfile] --veracrypt-pim=[pim number] -O -w 4
For key file "--veracrypt-keyfiles=[file1],[file2]" (or "veracrypt-keyf" as suggested from example of help text) was used.

Initially I run every algorithm (13711-13773) over the header of a) to c) in every configuration (no pim/keyf, pim, keyf, pim and keyf), but hashcat found nothing. It is possible to mount the volumes with VeraCrypt without any problem.
After I tested a bit, I add d), ignored the last case (pim and keyf) and reduced the "hash-type" to 13751 because I used AES with SHA256 to create the partitions/volumes.

Now hashcat is able to recover the password, but only for d), however in every case. Thus hashcat find password for d) even if pim or keyf is present. So it seems that hashcat ignores the parameter. To be sure I'm using the right parameter I used copy+paste from help.
I am aware of that hashcat complains about no optimized kernel, thus I removed -O without luck. And I moved the pim/keyf parameter directly after "-m 13751" but nothing changed.

I am not sure what I am doing wrong. I hope you can understand me and my problem and probably even help me. Thank you in advanced.

And just one side question because I already writing this post:
Are there any special constrains for VeraCrypt (besides extracting the right byte and using correct "hash-type")? An example to know what I mean: it's problematic with UTF-16 based hashes and chars above U+000FF because hashcat inserts zero bytes. Thus mask "?b?b" probably does not do what it is meant to do by the user.

- hashcat 5.1.0
- GeForce GTX 1060 with current driver

Messages In This Thread
VeraCrypt with PIM/keyfile seems to be ignored - by BotPass - 03-04-2019, 07:13 PM