Veracrypt - how to get hash and crack it
#1
Hello
While encrypting the disk using Veracrypt, I was asked to reboot and after rebooting I cannot access the system.
I tried various password options, but without success.
I booted The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) from usb and can access both drives without any password. Is this OK? After all, if they are encrypted, why do I have access to all the data from the other system?

I would also like to regain access from the installed system, which is Windows 10. I see that some people have succeeded in breaking passwords using hashcat, but I have not succeeded so far.

I use the command: 
Code:
dd if=/dev/sdb of=Veracrypt.hash bs=512 skip=62 count=1
to get the hash and 
Code:
hashcat -m 13722 -a 0 --veracrypt-pim-start=xxx --veracrypt-pim-stop=xxx Veracrypt.hash dict.txt
for brute force.

Can anyone tell me step by step how to do this?

Windows 10 system, 2 SSD drives, encryption algorithms AES, SHA-512. Encrypted whole system. Veracrypt.hash is a binary file and I don't know how to check whether it is correct and how to handle it.
Reply
#2
(02-11-2024, 05:18 PM)kacp3r Wrote: Hello
While encrypting the disk using Veracrypt, I was asked to reboot and after rebooting I cannot access the system.
I tried various password options, but without success.
I booted The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) from usb and can access both drives without any password. Is this OK? After all, if they are encrypted, why do I have access to all the data from the other system?

I would also like to regain access from the installed system, which is Windows 10. I see that some people have succeeded in breaking passwords using hashcat, but I have not succeeded so far.

I use the command: 
Code:
dd if=/dev/sdb of=Veracrypt.hash bs=512 skip=62 count=1
to get the hash and 
Code:
hashcat -m 13722 -a 0 --veracrypt-pim-start=xxx --veracrypt-pim-stop=xxx Veracrypt.hash dict.txt
for brute force.

Can anyone tell me step by step how to do this?

Windows 10 system, 2 SSD drives, encryption algorithms AES, SHA-512. Encrypted whole system. Veracrypt.hash is a binary file and I don't know how to check whether it is correct and how to handle it.

I don't quite understand how you are able to access the drives without any passwords when booting The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) from usb..... but I guess you supplied a password when encrypting the disk before it asked for a reboot, correct? And for some reason it does not decrypt using the supplied password? Correct?
If so, I suspect you may have hit a wrong key when either creating the password or supplying the password after reboot...

Regarding the attack: The dd command looks correct, but check the dd you created, with a hexeditor like xxd. Does it look encrypted or is it all zeroes?

Your hashcat attack seems ok. Mode 13721 should work if you used the standards when encrypting the disk. The PIM arguments are only needed if you supplied a PIM during creation.

Did you encrypt it as a system disk and not as a partition? If you dd the first sector of the disk, does that look encrypted when viewed in a hexeditor?
Reply
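The check suggested in the post above (does the extracted sector look encrypted, or is it all zeroes or ordinary plaintext?) can be scripted instead of eyeballed in xxd. This is an added example, not part of any post in the thread; the marker list, the 7.0 bits/byte cut-off and the sample sectors are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR_SIZE = 512
# (offset, magic, meaning): plaintext structures an encrypted sector would not show.
PLAINTEXT_MARKERS = [
    (3, b"NTFS    ", "NTFS boot sector"),
    (0, b"EFI PART", "GPT header"),
    (510, b"\x55\xaa", "MBR/VBR boot signature"),
]
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; 512 random bytes measure about 7.5 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of the byte values, in bits per byte."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def read_sector(path: str, lba: int) -> bytes:
    """Same read as `dd bs=512 skip=<lba> count=1`, from a disk or image file."""
    with open(path, "rb") as fh:
        fh.seek(lba * SECTOR_SIZE)
        return fh.read(SECTOR_SIZE)


def classify_sector(data: bytes) -> str:
    if len(data) != SECTOR_SIZE:
        return "wrong size"
    if data.count(0) == SECTOR_SIZE:
        return "all zeroes"
    for offset, magic, meaning in PLAINTEXT_MARKERS:
        if data[offset:offset + len(magic)] == magic:
            return f"plaintext: {meaning}"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "looks encrypted"
    return "low entropy"


# Constructed samples (not taken from any real disk).
RANDOM_LIKE = b"".join(hashlib.sha512(bytes([i])).digest() for i in range(8))
NTFS_VBR = b"\xeb\x52\x90NTFS    ".ljust(510, b"\x00") + b"\x55\xaa"
ZEROED = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sample in [("random-like", RANDOM_LIKE), ("NTFS VBR", NTFS_VBR), ("zeroed", ZEROED)]:
        print(f"{name:12} -> {classify_sector(sample)}")
```

A "plaintext" verdict on a partition's first sector means the filesystem is readable without a password, which is consistent with being able to browse the drive from a live system.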
#3
(02-12-2024, 02:24 AM)b8vr Wrote: I don't quite understand how you are able to access the drives without any passwords when booting The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) from usb..... but I guess you supplied a password when encrypting the disk before it asked for a reboot, correct? And for some reason it does not decrypt using the supplied password? Correct?
If so, I suspect you may have hit a wrong key when either creating the password or supplying the password after reboot...

Regarding the attack: The dd command looks correct, but check the dd you created, with a hexeditor like xxd. Does it look encrypted or is it all zeroes?

Your hashcat attack seems ok. Mode 13721 should work if you used the standards when encrypting the disk. The PIM arguments are only needed if you supplied a PIM during creation.

Did you encrypt it as a system disk and not as a partition? If you dd the first sector of the disk, does that look encrypted when viewed in a hexeditor?

Hey, thanks for the reply.
I've used the Veracrypt GUI, set the password in the field and confirmed it. I also set a PIM. I just clicked next, next and it asked for a reboot. I'm pretty sure it was Veracrypt asking. After the reboot I can see only the Acer logo on the screen and a prompt for the password. The password I set in the Veracrypt GUI doesn't work any more. Probably I made some mistake while providing it: a small letter instead of a capital and so on. That's why I prepared a dictionary with many options.

I don't know why I have access from the live system. I think it is a huge bug, because when I start the live system I don't have to provide any password. Just the default password for The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)... and I have full access to the drives. I just cannot copy some files, and those could be some system files. With others, like text files, pictures, video and so on, I may do whatever I want.

I encrypted as a system and it looks encrypted (please check the attachment): https://ibb.co/R6s6t52
Reply
#4
(02-12-2024, 10:12 AM)kacp3r Wrote:
Hey, thanks for the reply.
I've used the Veracrypt GUI, set the password in the field and confirmed it. I also set a PIM. I just clicked next, next and it asked for a reboot. I'm pretty sure it was Veracrypt asking. After the reboot I can see only the Acer logo on the screen and a prompt for the password. The password I set in the Veracrypt GUI doesn't work any more. Probably I made some mistake while providing it: a small letter instead of a capital and so on. That's why I prepared a dictionary with many options.

I don't know why I have access from the live system. I think it is a huge bug, because when I start the live system I don't have to provide any password. Just the default password for The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)... and I have full access to the drives. I just cannot copy some files, and those could be some system files. With others, like text files, pictures, video and so on, I may do whatever I want.

I encrypted as a system and it looks encrypted (please check the attachment): https://ibb.co/R6s6t52

I guess you are probably not using an English/American keyboard, so have a look at the option --keyboard-layout-mapping and see if hashcat contains any keyboard layout that matches your country. When creating a Veracrypt boot drive, the password given is always saved as if it were an English/American keyboard layout.
Reply