Posts: 5
Threads: 1
Joined: Aug 2025
08-07-2025, 02:59 PM
Hello,
I am currently attempting to try out the new LUKS v2 support with Hashcat 7.0.0. However, I'm facing some issues.
I have used DD to capture the LUKS header and supplied that to the luks2hashcat.py script. The script produces a file with an expected hash that matches the example format. But when attempting to use it with Hashcat 7.0.0 I get the following error:
"* Token length exception: 1/1 hashes"
The command I used for testing (to see if it works) is as follows:
hashcat -m 34100 LUKS2Hash
Any help would be appreciated,
Thanks.
Posts: 5,200
Threads: 231
Joined: Apr 2010
If it's argon2i, that support was added in recent beta, use hashcat.net/beta
Posts: 5
Threads: 1
Joined: Aug 2025
(08-07-2025, 03:09 PM)atom Wrote: If it's argon2i, that support was added in recent beta, use hashcat.net/beta
Hello, thanks for your reply. I have just used the beta and received the same error.
Capture.PNG (Size: 9.23 KB / Downloads: 4)
Below is the first bit from the hash produced by the luks2hashcat.py script.
$luks$2$argon2i$sha256$aes$xts-plain64$512$m=984615,t=4,p=4$2...
Posts: 5,200
Threads: 231
Joined: Apr 2010
08-07-2025, 03:31 PM
(This post was last modified: 08-07-2025, 03:35 PM by atom.)
How you did run you the extraction script exactly? Looks like the data portion has been truncated
Posts: 5
Threads: 1
Joined: Aug 2025
(08-07-2025, 03:31 PM)atom Wrote: How you did you the extraction script exactly? Looks like the data portion has been truncated
I have purposely only included the first bit as the full hash is 512127 characters long.
In terms of the script usage I used the command below:
python3 luks2hashcat.py <File that contains the first 4096 Bytes of the LUKS v2 Container>
The file containing the first 4096 Bytes of the LUKS v2 Container was created using DD.
Posts: 5,200
Threads: 231
Joined: Apr 2010
Ah ok that is probably the problem, why 4096?
Posts: 5
Threads: 1
Joined: Aug 2025
(08-07-2025, 03:40 PM)atom Wrote: Ah ok that is probably the problem, why 4096?
I'm working off a E01 and not a physical drive, I did mount it in Linux but the script wouldn't except the container. I then did a bit of research on this forum where someone stated only the first 4096 bytes is required for the script/hashcat (Although the thread was talking about LUKS v1). I'm not 100% on the format hashcat accepts and the format of the example LUKS v2 hash provided on GitHub.
Posts: 5,200
Threads: 231
Joined: Apr 2010
08-07-2025, 03:51 PM
(This post was last modified: 08-07-2025, 03:55 PM by atom.)
It's usually 4096 anti-forensics blocks, people often confused that with bytes. So basically what you need is a size that allows reading the first encrypted sector, so that hashcat can do the decryption on that sector. Try 128mb instead of 4096, that should be large enough, but on the encrypted partition, not the virtual block device which ewfmount/xmount creates.
Posts: 5
Threads: 1
Joined: Aug 2025
(08-07-2025, 03:51 PM)atom Wrote: It's usually 4096 anti-forensics blocks, people often confused that with bytes. So basically what you need is a size that allows reading the first encrypted sector, so that hashcat can do the decryption on that sector. Try 128mb instead of 4096, that should be large enough, but on the encrypted partition, not the virtual block device which ewfmount/xmount creates.
That has worked. Something so simple haha.
Thanks for the help.
