Veracrypt boot mode SHA512

[LK4RMA]

Hello all,

Recent version of Veracrypt use by default AES256, XTS with SHA512 (even on boot-mode).

I have run several tests and I'm unable to bruteforce Veracrypt boot volume disk with the default parameters.


13721 | Veracrypt SHA512 + XTS 512 bit (Legacy) -> Work for default container, but not for boot mode !

29461 | Veracrypt SHA256 + XTS 512 bit + boot-mode -> Not working with SHA512


The only boot mode that ressemble is 29461. But it is SHA256 and not SHA512.

I think we need 13721 in boot mode, or 29461 in SHA512 !


Am I the only one ?


Thanks for your help !

[b8vr]

Hello all,

Recent version of Veracrypt use by default AES256, XTS with SHA512 (even on boot-mode).

I have run several tests and I'm unable to bruteforce Veracrypt boot volume disk with the default parameters.


13721 | Veracrypt SHA512 + XTS 512 bit (Legacy) -> Work for default container, but not for boot mode !

29461 | Veracrypt SHA256 + XTS 512 bit + boot-mode -> Not working with SHA512


The only boot mode that ressemble is 29461. But it is SHA256 and not SHA512.

I think we need 13721 in boot mode, or 29461 in SHA512 !


Am I the only one ?


Thanks for your help !

Are you cracking on a binary or a hash? 13721 is for binaries, 29461 is for hashes. If you're trying to crack a hash made from vc boot default settings you should use mode 29421, and for a binary it's 13721. These modes work for both bootable and non-bootable.

[vexfriendship]

Do you have a binary or a hash that you are cracking?

tunnel rush

[LK4RMA]

Hello all,

Recent version of Veracrypt use by default AES256, XTS with SHA512 (even on boot-mode).

I have run several tests and I'm unable to bruteforce Veracrypt boot volume disk with the default parameters.


13721 | Veracrypt SHA512 + XTS 512 bit (Legacy) -> Work for default container, but not for boot mode !

29461 | Veracrypt SHA256 + XTS 512 bit + boot-mode -> Not working with SHA512


The only boot mode that ressemble is 29461. But it is SHA256 and not SHA512.

I think we need 13721 in boot mode, or 29461 in SHA512 !


Am I the only one ?


Thanks for your help !

Are you cracking on a binary or a hash? 13721 is for binaries, 29461 is for hashes. If you're trying to crack a hash made from vc boot default settings you should use mode 29421, and for a binary it's 13721. These modes work for both bootable and non-bootable.

Hello ! Sorry for the late answer !

Thank you very much ! I understand now the difference between "binary data" and "hash" mode ^^

I used binary data for my tests. I followed the instruction on the wiki for boot mode (dumping 512 bytes starting with offset 31744 ).
I understand now that to get a hash I need to use the script Veracrypt2Hashcat.py.

Therefore I used Veracrypt2Hashcat.py on the raw encrypted partition (with offset mode set to "bootable").

I tried 29421 and others without success for now. But I think I'm doing something wrong. I'll keep experiementing !

Thanks !

[LK4RMA]

I confirm that for Boot Mode the hashmode 29421 don't seem to work.
13721 on the binary don't work either.

I used Veracrypt (version 1.25.7), default PIM, default setup (AES, SHA512, boot-mode)
Extracted the RAW encrypted partition with FTK Imager and converted it to hash format using Veracrypt2Hashcat.py.

Here is my hash (Password : Qwerty)

$veracrypt$219d1c590db37a3a2b612005beeae46843820e112ffe05c8ea58ed35675602285ba49dad26f6355598018a374576ad591a95af44b3de6eccadd8115defb6d75a$8b200c84118aa26079b9715a71107086a545bec9a9f84e7e92c2af0bc06dd4ae9774d43825c1f0146370692e5aabda88e62bcb456d6aacd4e29e3960b93546cbfb873d94a5b210be28e74cf113bafa97288e4280198d383b87a102c0f9ecca789a9722cfb06044718919dd3219d6b6250c7e613d8460b0c0cbde4ac24ecaf817aca14439ba2bab6d039a42b4ed6b5eb0fbf1053418a2afc76f4ac054dc8a6c32b9b65629fc10a49da880abae3225ec3a708b8bfa98277f7eb9353706b3490bf787cda5932f015658b5b656ff3317b8f9562370ec4ad0ee285beaa9cc507b9b302da883cc20c26fdad7dce158d230af3d5bf70e2833ac7b50d62247490b9235029df3a14efe8f9d8120e633b3a398973617908c1ba708291cfb5248cbdbf0e0bc43bee64d731021c254a87360c914194f089769689efa6c17c5b0da9b819e64561e6405c7e549c8f014dd79d6748a190488e5e98faffae9a753de55ef992dcf68b268de3c113903e908244c4d2516d3d66b7da18774baf6cbb2b919934e2e652c832f6b5682de90e60f9e93c145d3d22caa52689f16e84e38816b7b5940871bf2a75cc02c540ee6f4832cd1f80ec7e6746dd3d43932121f11a56a9abe4139c165

Maybe a special hash format in "boot-mode" is required ?
(There is no "boot-mode" with SHA512..)

Thank you very much for your help..

[Snoopy]

need some time for preparing a testsetup, so be patient, will write back tomorrow

[Snoopy]

TLDR;
okay got it
mode 29421 up to 29423 are capable of cracking
you need to extract the data from the physical disk, not the partition and then extract the needed hash with
veracrypt2hashcat.py --offset bootable

to verify:

i used hxd to extract the first 5mb from the physical disk and also the first 5 mb of the windows-partition after installing and encrypting the windows system with veracrypt, default setup

then i used these two binary-data files with Veracrypt2Hashcat.py and all possible offset options, gaining 8 different hashes (2 are empty), running hashcat agaings these hashes and sucessfull cracked "Qwerty"

the funny thing is, hashcat already tells, that all of these hashes, except for one (see mssing error for line 6), seems not "right"

Code:

Hashfile 'vera-hashes.txt' on line 1 (partit...0000000000008a01a301b901000055aa): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 2 (partit...f826f926fa26fb26fc26fd26fe26ff26): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 3 (partit...f868f968fa68fb68fc68fd68fe68ff68): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 4 (partit...f8a6f9a6faa6fba6fca6fda6fea6ffa6): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 5 (hdd_0:...000000000000000000000000000055aa): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 7 (hdd_hi...00000000000000000000000000000000): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 8 (hdd_bo...00000000000000000000000000000000): Insufficient entropy exception

[LK4RMA]

TLDR;
okay got it
mode 29421 up to 29423 are capable of cracking
you need to extract the data from the physical disk, not the partition and then extract the needed hash with
veracrypt2hashcat.py --offset bootable

to verify:

i used hxd to extract the first 5mb from the physical disk and also the first 5 mb of the windows-partition after installing and encrypting the windows system with veracrypt, default setup

then i used these two binary-data files with Veracrypt2Hashcat.py and all possible offset options, gaining 8 different hashes (2 are empty), running hashcat agaings these hashes and sucessfull cracked "Qwerty"

the funny thing is, hashcat already tells, that all of these hashes, except for one (see mssing error for line 6), seems not "right"

Code:

Hashfile 'vera-hashes.txt' on line 1 (partit...0000000000008a01a301b901000055aa): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 2 (partit...f826f926fa26fb26fc26fd26fe26ff26): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 3 (partit...f868f968fa68fb68fc68fd68fe68ff68): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 4 (partit...f8a6f9a6faa6fba6fca6fda6fea6ffa6): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 5 (hdd_0:...000000000000000000000000000055aa): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 7 (hdd_hi...00000000000000000000000000000000): Insufficient entropy exception
Hashfile 'vera-hashes.txt' on line 8 (hdd_bo...00000000000000000000000000000000): Insufficient entropy exception

Thank you very much !! It's working now !!
I didn't expect the hash to be extracted from the beginning of the physical partition.
I thought I had to skip the EFI partition.

For my part I used a VM, so I needed to convert the vdi snapshot to RAW.
Used Veracrypt2Hashcat on the RAW partition and it's good !!

Thank you so much !!
Back to work hehe