Veracrypt system disk encryption
#1
I have a disk containing two encrypted partitions and a Veracrypt bootloader.

I have looked at https://hashcat.net/wiki/frequently_aske...pt_volumes

However I am not sure if

Code:
for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets.

or

Code:
in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.

is the correct option in my case? 

Is there any way to figure out which hash format I have on my hands, or do I just have to guess?

The default settings for system encryption in Veracrypt are:
[Image: 68kgcnq.png]

Not sure which hash format this translates to in Hashcat?
Reply
#2
(04-21-2017, 01:04 PM)jallis Wrote: The default settings for system encryption in Veracrypt are:
[Image: 68kgcnq.png]

Does hashcat actually support this default hash format for volumes in Veracrypt? I notice it says SHA-256 in the image above, but all Hashcat hashes seem to be SHA-512? (https://hashcat.net/wiki/doku.php?id=example_hashes)

EDIT/UPDATE:
I successfully cracked my FDE, with default Veracrypt settings.

The hash is located at offset 31744 from the start of the *disk* (The Veracrypt bootloader is at offset 0), and is 512 bytes long.
The hashmode for hashcat was 13761.
Reply
#3
Great!
What was the exact command that you were using to extract the raw data?
Reply
#4
(05-04-2017, 03:09 PM)kiara Wrote: Great!
What was the exact command that you were using to extract the raw data?

I did it in a hex editor, but it can easily be done using dd in Linux:

dd if=/dev/sdb of=Veracrypt.hash bs=512 skip=62 count=1

(replace /dev/sdb with your disk (image))
Reply
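An added example, not written by any poster in this thread: the dd extraction from post #4 wrapped with two checks, one that a full 512-byte sector was actually read at offset 31744 and one that the result is not blank or padding, since a VeraCrypt header (salt plus encrypted data) should look random. The function names and the 150-value threshold are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the
# 150-value threshold are assumptions made for this illustration.

SECTOR_SIZE=512
HEADER_SECTOR=62    # 62 * 512 = 31744, the offset reported in post #2

# extract_header SRC DST
# Copy the 512-byte sector at offset 31744 of SRC (disk or image) to DST.
# Fails if SRC is unreadable or ends before that sector is complete.
extract_header() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    dd if="$src" of="$dst" bs="$SECTOR_SIZE" skip="$HEADER_SECTOR" \
        count=1 2>/dev/null || return 1
    size=$(wc -c < "$dst" | tr -d ' ')
    [ "$size" -eq "$SECTOR_SIZE" ] || {
        echo "short read: got $size bytes, expected $SECTOR_SIZE" >&2
        return 1
    }
}

# distinct_bytes FILE
# Print how many different byte values (at most 256) occur in FILE.
distinct_bytes() {
    od -An -v -tu1 "$1" | tr -s ' ' '\n' | grep -v '^$' | sort -u |
        wc -l | tr -d ' '
}

# looks_random FILE
# Crude plausibility check: 512 random bytes contain about 220 distinct
# values, while a zeroed or padded sector contains only a handful.
# It can rule out an obviously wrong sector; it cannot confirm a header.
looks_random() {
    [ "$(distinct_bytes "$1")" -ge 150 ]
}

# Usage: sh extract_header.sh /dev/sdX Veracrypt.hash
if [ "$#" -eq 2 ]; then
    extract_header "$1" "$2" || exit 1
    looks_random "$2" ||
        echo "warning: $2 does not look like an encrypted header" >&2
fi
```

Run it against a disk image rather than the live device where possible, so the source is only ever read.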