Veracrypt Non-System Drive
#1
Hey guys,

I have a work computer that I took out of storage needing access to some old work files that are pretty important. The problem is I encrypted the drive i used to store files and can't remember the password I used.  I have a rough idea of what it would be, and have compiled a password list of about 6k entries. 

I am armed with the pw list, hashcat and DD for windows.  

I have successfully encrypted a USB with veracrypt and cracked it with hashcat.

I have been unsuccessful in cracking a veracrypt whole disk encryption for a non system drive.

My problem is trying to figure out which location to use when extracting the hash, because i don't think I am using the right command/location.  My options seem to be:

dd if=\\.\Volume{cbdc7c52-bba5-11e7-814f-806e6f6e6963} of=c:\users\anthony\desktop\hash1.tc bs=512 count=1

dd if=\\?\Device\Harddisk1\DR1 of=c:\windows\system32\hashcat\hdhash2.tc bs=512 count=1 
dd if=\\?\Device\Harddiskvolume3 of=c:\users\anthony\desktop\hdhash3.tc bs=512  count=1  
dd if=\\?\Device\Harddisk1\Partition1 of=c:\users\anthony\desktop\hdhash4.tc bs=512  count=1 


Any help on this would be greatly appreciated.  Here is the ouput for dd --list and the drive im trying to crack is drive D:/

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All

C:\Windows\system32>dd2 --list
rawwrite dd for windows version 1.0beta1 WIN64.
Written by John Newbigin <jnewbigin@chrysocome.
This program is covered by terms of the GPL Ver

Win32 Available Volume Information
\\.\Volume{cbdc7c51-bba5-11e7-814f-806e6f6e6963
link to \\?\Device\HarddiskVolume1
fixed media
Mounted on \\.\c:

\\.\Volume{cbdc7c52-bba5-11e7-814f-806e6f6e6963
link to \\?\Device\HarddiskVolume3
fixed media
Mounted on \\.\d:

\\.\Volume{0b33d1aa-bba6-11e7-9a32-8de8b5e049e3
link to \\?\Device\HarddiskVolume5
fixed media
Mounted on \\.\g:

\\.\Volume{cbdc7c55-bba5-11e7-814f-806e6f6e6963
link to \\?\Device\CdRom0
CD-ROM
Mounted on \\.\e:


NT Block Device Objects
\\?\Device\CdRom0
size is 2147483647 bytes
\\?\Device\Harddisk0\Partition0
link to \\?\Device\Harddisk0\DR0
Fixed hard disk media. Block size = 512
size is 250059350016 bytes
\\?\Device\Harddisk0\Partition1
link to \\?\Device\HarddiskVolume1
\\?\Device\Harddisk0\Partition2
link to \\?\Device\HarddiskVolume2
Fixed hard disk media. Block size = 512
size is 11103371264 bytes
\\?\Device\Harddisk1\Partition0
link to \\?\Device\Harddisk1\DR1
Fixed hard disk media. Block size = 512
size is 1000204886016 bytes
\\?\Device\Harddisk1\Partition1
link to \\?\Device\HarddiskVolume3
Fixed hard disk media. Block size = 512
size is 1000201740288 bytes
\\?\Device\Harddisk2\Partition0
link to \\?\Device\Harddisk2\DR3
Fixed hard disk media. Block size = 512
size is 500074283008 bytes
\\?\Device\Harddisk2\Partition1
link to \\?\Device\HarddiskVolume5
Fixed hard disk media. Block size = 512
size is 500072353280 bytes

Virtual input devices
/dev/zero (null data)
/dev/random (pseudo-random data)
- (standard input)

Virtual output devices
- (standard output)
/dev/null (discard the data)

C:\Windows\system32>

What do you guys think?
Reply
#2
Here are a couple things you can try:

1. Put the SATA hard drive in a USB enclosure and then connect it via USB cable and run DD to see what path name you get.

2. If you have a The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux VM, try getting the binary data out of the path that it sees the external USB drive on and save it to a file.


https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
Reply
#3
(11-16-2017, 08:23 PM)logistix111 Wrote: Here are a couple things you can try:

1. Put the SATA hard drive in a USB enclosure and then connect it via USB cable and run DD to see what path name you get.

2. If you have a The-Distribution-Which-Does-Not-Handle-OpenCL-Well (The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)) Linux VM, try getting the binary data out of the path that it sees the external USB drive on and save it to a file.


https://hashcat.net/wiki/doku.php?id=fre...pt_volumes

So far I've ran almost all the paths, having about 5 different hashes and brute forcing each hash.  I'm wondering if I am taking the right chunk of data for the hash.

I will have to look into a USB enclosure, I like the idea.  Thank you

I can spin up a The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) vm, although I'm somewhat of a noob when it comes to linux commands and couldn't find much documentation on the matter.
Reply