hashcat Forum Support hashcat v
Extract hash from veracrypt encryption

Threaded Mode
Extract hash from veracrypt encryption
zerozero Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Apr 2024
#1
04-05-2024, 02:18 PM
Client asked me if i can crack his drive(he remembers most of the password, but forgot few characters), which is encrypted with veracrypt. It asks for a password and PIM(pim wasnt set, so its just the default value) upon booting. 
Im having trouble understanding on how can i extract the hash from this type of encryption with dd. 

Veracrypt + boot mode + hidden (im not sure which hash algo he used, i believe its the default one)
I tried this
dd if=\\?\Device\Harddisk1\Partition0 of=hash.tc bs=1 skip=65536 count=512

and it said "Error reading file: 87 The parameter is incorrect"

So my question is where am i failing at? 

I tried following this, but im not sure if im approaching this correctly
https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
Find
Reply
b8vr Offline
Member
***
Posts: 119
Threads: 1
Joined: Apr 2022
#2
04-05-2024, 07:12 PM
(04-05-2024, 02:18 PM)zerozero Wrote: Client asked me if i can crack his drive(he remembers most of the password, but forgot few characters), which is encrypted with veracrypt. It asks for a password and PIM(pim wasnt set, so its just the default value) upon booting. 
Im having trouble understanding on how can i extract the hash from this type of encryption with dd. 

Veracrypt + boot mode + hidden (im not sure which hash algo he used, i believe its the default one)
I tried this
dd if=\\?\Device\Harddisk1\Partition0 of=hash.tc bs=1 skip=65536 count=512

and it said "Error reading file: 87 The parameter is incorrect"

So my question is where am i failing at? 

I tried following this, but im not sure if im approaching this correctly
https://hashcat.net/wiki/doku.php?id=fre...pt_volumes

So just to be clear, it's a system drive? It's bootable? In that case use veracrypt2hashcat.py
It's located in the tools folder of hashcat 6.2.6
It can be run like:
veracrypt2hashcat.py --offset=bootable path-to-drive
The algo is found in a file called dcsprop located in the EFI folder of the boot partition.
Then use mode 294xx to attack with.
If you want to stick with dd, I think your path is incorrect. Is it on windows? Then it's \\.\physicaldriveX
Find
Reply
zerozero Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Apr 2024
#3
04-06-2024, 01:19 PM (This post was last modified: 04-06-2024, 01:23 PM by zerozero.)
Yes, it's system drive + bootable

So im guessing i have to use this offset - bootable
So the command looks like this now "veracrypt2hashcat.py --offset=bootable \\.\physicaldrive1"

It returned a hash.

However the algo, im not sure how to access the dcsprop, because i can't open EFI folder. Do i have to mount it ?
Find
Reply
b8vr Offline
Member
***
Posts: 119
Threads: 1
Joined: Apr 2022
#4
04-06-2024, 03:45 PM
You can open it in a forensic tool, like FTK or similar.
Find
Reply