How to get the hash code for simple Veracrypt folder
#1
Hi everyone,

I am completely new at this so please forgive me if what I ask seems trivial.

I have been trying to use hashcat to retrieve the password of a simple veracrypt folder I created and forgot.

I have an idea of the phrase and numbers I used and there is a finite number of permutations to it so I think it will be a fairly simple task to get it once I manage to figure out how to use hashcat.

I have two questions really:

First question:

How can I get the first 512 bytes of the hash [b]of the file in question in binary form?[/b]

My main problem at the moment is that I can't figure out how to get the hash of the folder/file. I have read everything I could find but still can't figure this out and I have no programming experience.

I understand that the correct way to do this is to get the first 512 bytes of the file. If I understand correctly, veracrypt hashes should be quoted in binary form instead of hex. The quote from the FAQ if Hashcat says "In all other cases (files, non-booting partitions) you need the first 512 Bytes of the file or partition."

From there on, I have no idea how to begin. I am trying to do this from a machine running Windows 10. I have tried to use powershell to get the hash but can't figure out how to get the first 512 bytes of the file or how to get or to return the hash in binary form.

All explanations of how to extract this refer to DD. I downloaded DD for windows to try and do that (http://www.chrysocome.net/dd). But I have no idea what the syntax of the command to get the correct hash should be. I am not even sure if the DD I downloaded is the correct one.

Second question:

Are my thinking and syntax (for hashcat) correct for getting back my password once I have figured out the correct hash?

I created the veracrypt folder so I know its encryption is "13721 | VeraCrypt SHA512 + XTS 512 bit".

My plan once I figure out how to extract the correct hash code is to use the following command in hashcat:

(I will be doing this through command prompt in Windows 10)

hashcat.exe -m 13721 -a 1 C:\Hash1.txt C:\Wordlist1.txt C:\Wordlist2.txt

C:\Hash1.txt - This is the text file where I will paste the hashcode of the veracrypt folder (once I figure out how to extract it).
C:\Wordlist1.txt - This is the text file where I will place the list of words, numbers, and characters I know I used in the password
C:\Wordlist2.txt – This is just another copy of the same word list, as above, as I do not remember the order in which I combined the words.

If I got this right, the -a 1 command is for a combinator attack which will try different combination of all the words, numbers, characters etc. from the two lists.

Please forgive my ignorance.

Any help and guidance would be GREATLY appreciated.

Thanks for your help!
Reply
#2
1. yeah, you can use that dd windows port. You can see how other users used it:
- https://hashcat.net/forum/thread-8493-po...l#pid45361
- https://hashcat.net/forum/thread-8098-po...l#pid43441

but you also need to use the correct parameters as mentione in the FAQ: https://hashcat.net/wiki/doku.php?id=fre...pt_volumes (therefore it depends on what type of volume/partition/container/disk/file it is)

2. -a 1 combines one word from the first dict with another one of the second dict. only 2 words combined, each and every word from the first dict combined with each and every word from the second dictionary file
Reply
#3
Hi Phil,

That was very helpful, thanks a lot!

I got the hash now and attempted to use hashcat on it but I keep getting a "No hashes loaded" error.

The hash I got is in Chinese characters it seems. Not sure if that is normal or if I am missing something. Others that have extracted veracrypt hashes mentioned mentioned they get "weird special characters" (that's from the forum post you recommended - https://hashcat.net/forum/thread-8098-po...l#pid43441).

I use the following command on hashcat:

hashcat.exe -m 13721 -a 1 C:\Hash1.txt C:\Wordlist1.txt C:\Wordlist2.txt

The paths for the files are definitely correct, my windows 10 machine is set up to include the file extention *.txt, so thats not the problem. The only thing I can think of that might be causing it is the hascode itself...

Could the output from DD have been in an incompatible format somehow?

Thanks again for the help!
Reply
#4
you could just simple open the file manager ("explorer.exe") and go to that folder to see if it has the correct file size (and double check the file name + extension).

Normally there also comes some error message before the "No hashes loaded" message, if there is some problem with the file... so it would make sense that you post the whole output of hashcat.

You could also try to run the example hash from https://hashcat.net/wiki/example_hashes just to make sure that the example/test works.


In general I would highly recommend that you also try to create your own example/test VeraCrypt volume/container/file/disk that you generate similar to your target VeraCrypt volume and maybe even with a similar password ... and you try to crack this test "hash" with hashcat afterwards (this way you can make sure that you are doing everything correctly from the extraction to the successful cracking of the "hash").
It's always recommended to spend this little time (just a few minutes maybe) to create a similar example/test and try to see if everything is working with that one.... without risking to waste very, very much time and other resources on the target itself, and maybe you did something slightly wrong which could make the "hash" uncrackable.

Of course, if you do this... you must be very careful to not confuse the target hash with the test hash and of course make backups beforehand of all the other files/volumes etc... do not risk to lose any important data while doing so... always keep backups and carefully distinguish tests from the original "hashes" and volumes/partitions/disks.

Good luck cracking
Reply