(02-11-2024, 05:18 PM)kacp3r Wrote: Hello
While encrypting the disk using Veracrypt, I was asked to reboot and after rebooting I cannot access the system.
I tried various password options, but without success.
I booted The-Distribution-Which-Does-Not-Handle-OpenCL-Well (The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)) from usb and can access both drives without any password. Is this OK? After all, if they are encrypted, why do I have access to all the data from the other system?
I would also like to regain access from the installed system, which is Windows 10. I see that some people have succeeded in breaking passwords using hashcat, but I have not succeeded so far.
I use the command:
to get the hash andCode:dd if=/dev/sdb of=Veracrypt.hash bs=512 skip=62 count=1
for brute force.Code:hashcat -m 13722 -a 0 --veracrypt-pim-start=xxx--veracrypt-pim-stop=xxx Veracrypt.hash dict.txt
Can anyone tell me step by step how to do this?
Windows 10 system, 2 ssd drives, encryption algorithms AES, SHA-512. encrypted whole system. veracrypt.hash is binary file and I don't know how to check is it correct and how to handle it.
I don't quite understand how you are able to access the drives without any passwords when booting The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) from usb..... but I guess you supplied a password when encrypting the disk before it asked for a reboot, correct? And for some reason it does not decrypt using the supplied password? Correct?
If so, I suspect you may have hit a wrong key when either creating the password or supplying the password after reboot...
Regarding the attack: The dd command looks correct, but check the dd you created, with a hexeditor like xxd. Does it look encrypted or is it all zeroes?
Your hashcat attack seems ok. Mode 13721 should work if you used the standards when encrypting the disk. The PIM arguments are only needed if you supplied a PIM during creation.
Did you encrypt it as a system disk and not as a partition? If you dd the first sector of the disk, does that look encrypted when viewed in a hexeditor?