Why doesn't the Example Hashes Match With the Hashes That I Extracted?
#1
Hi,

I am extracting the first 512 bytes of a VeraCrypt Volume using SHA512 + AES encryption (hash-mode=13721) locked with the password 'hashcat'; but when I compare the hash file that I extracted to the example hash-file on the Wiki page, I can see that they are different. According to the instructions, they should not be different.

The code I am executing to extract the hashes is as follows;
Code:
dd if=C:\Users\Hyper\Desktop\add of=C:\Users\Hyper\Desktop\hash.vc bs=512 count=1

I could not understand why the hashes differ.

Thank you
#2
what do you mean?

Did you create a new veracrypt file with random data ? of course they differ, because the data is different (and the "salt"/entropy/randomness used by the algorithm is different for each new encrypted file, explained below)

As long as it cracks correctly, there is no problem.

Hashcat uses (and needs!) the data to verify the decryption. The data is always different, because the algorithm involves some random inputs too (very simplied, this can be seen as some kind of salt to avoid known-ciphertext attacks).

It's just important that you do not confuse "hash" files with "raw" files. the hash files already have the extracted data, while the raw files are the original veracrypt files.

The instructions do NOT say that different veracrypt files (even ones with the same plain text data!) are always identical if the same password was used. This is your misunderstanding and it's not written like that in the hashcat wiki/faq, because it's wrong (all new encrypted files should be different, even if they use the same password and even if the underlying data is the same).

remember that if you create some new truecrypt or veracrypt files, you should always initialize them by writting some known data to the opened/decrypted file (otherwise the verification with data might fail because hashcat can't find any matching known string of the decrypted data if it wasn't formatted and there is some data written to the raw/plain file).
#3
I see. I misunderstood the instructions as two different VeraCrypt containers encrypted with the same password would have the same first 512 bytes and the example hashes were published in order to check if the extraction was correct.


In fact, the example hashes were given in order to test if the user-created command was serving the needs of the user.
Thank you for correcting me.