Brute force PIM of a VeraCrypt file container, known key file and algorithm
#1
Hello, community.

I was trying to crack a VeraCrypt file container encrypted with PBKDF2+SHA512, AES-TWOFISH-SERPENT, PIM set to 2, with no password but a key file. When I tried to iterate through the PIM value from 1 to 2 (brute-force the PIM value with the same key file), there were always some undesired behaviors/messages. After a lot of unsuccessful tries and many searches on the internet, I found it almost impossible to figure this out by myself. Please lend your wisdom and guide me to the correct way to solve this problem.

I have tried a lot of different combinations; the following parameters are the most common:


./hashcat.bin -d 1 -D 1 -w 2 -m 13723 -a 0 --veracrypt-pim-start=1 --veracrypt-pim-stop=2 --session=512session --restore-file-path=512session-rec.txt --status ats-sha512kf blank --veracrypt-keyfiles=key2.txt -o PBKDF2-HMAC-SHA512-15xxbits-recHash.txt --outfile-format=1,2,3,4
hashcat (v6.0.0) starting...

OpenCL API (OpenCL 2.1 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD Ryzen 3xxx x-Core Processor, 32055/32119 MB (8029 MB allocatable), xMCU

OpenCL API (OpenCL 2.0 AMD-APP (3137.0)) - Platform #2 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #2: gfx803, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 64

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 65 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: 512session                 
Status...........: Exhausted
Hash.Name........: VeraCrypt SHA512 + XTS 1536 bit
Hash.Target......: ats-sha512kf
Time.Started.....: Sun Jul 26 17:40:23 2020 (0 secs)
Time.Estimated...: Sun Jul 26 17:40:23 2020 (0 secs)
Guess.Base.......: File (blank)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:64 Loops:250 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-250
Candidates.#1....: [Copying]
Hardware.Mon.#1..: N/A
Started: Sun Jul 26 17:40:18 2020
Stopped: Sun Jul 26 17:40:25 2020




hashcat -d 1 -D 2 -w 2 -a 3 -m 13723 --veracrypt-pim-start=1 --veracrypt-pim-stop=2 --veracrypt-keyfiles key2.txt --status ats-sha512kf -o output.txt --outfile-format 1,2,3,4

The outputs are almost the same:

Hashcat (v6.0.0) starting...

OpenCL API (OpenCL 2.1 AMD-APP (3075.12)) - Platform #1 [Advanced Micro Devices, Inc.]
======================================================================================
* Device #1: Ellesmere, 4032/4096 MB (3264 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 64

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 626 MB

Starting attack in stdin mode...

Session..........: Hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA512 + XTS 1536 bit
Hash.Target......: ats-sha512kf
Time.Started.....: Fri Jul 24 16:56:19 2020 (10 secs)
Time.Estimated...: Fri Jul 24 16:56:29 2020 (0 secs)
Guess.Base.......: Pipe
Speed.#1.........:        0 H/s (0.00ms) @ Accel:4 Loops:31 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-31
Candidates.#1....: [Copying]
Hardware.Mon.#1..: Util:  0% Core: 330MHz Mem:1750MHz Bus:16

Session..........: Hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA512 + XTS 1536 bit
Hash.Target......: ats-sha512kf
Time.Started.....: Fri Jul 24 16:56:19 2020 (20 secs)
Time.Estimated...: Fri Jul 24 16:56:39 2020 (0 secs)
Guess.Base.......: Pipe
Speed.#1.........:        0 H/s (0.00ms) @ Accel:4 Loops:31 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-31
Candidates.#1....: [Copying]
Hardware.Mon.#1..: Util:  0% Core: 301MHz Mem:1750MHz Bus:16

ATTENTION! Read timeout in stdin mode. The password candidates input is too slow:
* Are you sure that you are using the correct attack mode (--attack-mode or -a)?
* Are you sure that you want to use input from standard input (stdin)?
* If so, are you sure that the input from stdin (the pipe) is working correctly and is fast enough?


The questions are:
1. Why does it ignore the key file? Is there something wrong with my arguments?

2. I have read the VeraCrypt documentation, which indicates VeraCrypt can read up to 1K bytes from the beginning of a key file, but there is the message "Maximum password length supported by kernel: 64". Does this mean that if the key file is bigger than 64 bytes, Hashcat will not work?

3. I have cracked some short VeraCrypt passwords with my current hardware (on either CPU or GPU). If I would like to crack some VeraCrypt passwords longer than 64 characters, are there any hardware and/or software or methods that can overcome this limitation? (hash mode 13723 / 13733 "Maximum password length supported by kernel: 64")

4. According to my tests, Hashcat supports brute-forcing a VeraCrypt file container without the need to extract the hashes/header first. Will this cause some negative effects, like a slowdown in speed?



PS:
Testing bench 1: AMD Ryzen 3xxx with an AMD RX470 graphics card and Windows 10 x64 plus the newest graphics drivers.
Testing bench 2: AMD Ryzen 3xxx with an AMD RX470 graphics card and Linux x64 fully updated plus ROCm 3.5.1 and the Intel OpenCL CPU driver.

Congratulations on the new 6.1.0 release!
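Background for question 2 above, as an added example that is not part of the original post and is neither hashcat's nor VeraCrypt's code: a sketch of VeraCrypt's documented keyfile processing, in which a running CRC-32 over the keyfile is folded into a fixed 64-byte pool that is then added to the zero-padded password. It assumes a password of at most 64 bytes; the function names and the `max_read` parameter are illustrative, and the 1 MiB read limit is the figure given in VeraCrypt's documentation.

```python
import zlib

POOL_SIZE = 64           # keyfile pool size for passwords of at most 64 bytes
MAX_READ = 1024 * 1024   # documented limit: only the first 1 MiB is processed


def keyfile_pool(keyfile_bytes, max_read=MAX_READ):
    """Fold one keyfile into a 64-byte pool via a running CRC-32 state."""
    pool = bytearray(POOL_SIZE)
    crc = 0   # zlib's finalized form of the initial CRC state 0xFFFFFFFF
    pos = 0
    for b in keyfile_bytes[:max_read]:
        crc = zlib.crc32(bytes([b]), crc)
        state = crc ^ 0xFFFFFFFF          # raw (non-finalized) CRC state
        for out in state.to_bytes(4, "big"):
            pool[pos] = (pool[pos] + out) & 0xFF   # addition modulo 2^8
            pos = (pos + 1) % POOL_SIZE            # wrap around the pool
    return bytes(pool)


def apply_keyfiles(password, keyfiles):
    """Return the 64-byte value fed to the KDF: padded password + pools."""
    if len(password) > POOL_SIZE:
        raise ValueError("sketch covers passwords of at most 64 bytes")
    mixed = bytearray(password.ljust(POOL_SIZE, b"\x00"))
    for kf in keyfiles:
        # Pools of several keyfiles simply add up, byte by byte.
        for i, v in enumerate(keyfile_pool(kf)):
            mixed[i] = (mixed[i] + v) & 0xFF
    return bytes(mixed)


if __name__ == "__main__":
    # Constructed sample keyfiles of very different sizes, empty password.
    small = b"a"
    large = bytes(range(256)) * 8         # 2048 bytes
    for name, kf in (("small", small), ("large", large)):
        result = apply_keyfiles(b"", [kf])
        print(name, len(kf), "bytes ->", len(result), "bytes:", result[:8].hex())
```

Whatever the keyfile's size, the value this sketch hands on to the key derivation is 64 bytes long.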
#2
Can't answer all your questions but here are some comments:
Command line one and two are equivalent and will produce the output you posted. Command line three will definitely produce a different output. For all hashcat attacks you should specify a wordlist/mask. For -a3 hashcat will use a default mask, wordlist attacks will simply hang (because they expect input on stdin) like in the output you posted.

Since your command lines are broken I'm not sure if question #1 still applies. Though I don't know if hashcat will test for empty passwords at all, even with a wordlist attack.

4. I didn't know veracrypt itself ships a veracrypt cracker but it is very likely much slower than hashcat.
#3
(07-28-2020, 02:46 PM)undeath Wrote: Can't answer all your questions but here are some comments:
Command line one and two are equivalent and will produce the output you posted. Command line three will definitely produce a different output. For all hashcat attacks you should specify a wordlist/mask. For -a3 hashcat will use a default mask, wordlist attacks will simply hang (because they expect input on stdin) like in the output you posted.

Since your command lines are broken I'm not sure if question #1 still applies. Though I don't know if hashcat will test for empty passwords at all, even with a wordlist attack.

4. I didn't know veracrypt itself ships a veracrypt cracker but it is very likely much slower than hashcat.


It's my honour to have a reply from such an experienced forum member. Thank you! According to your words, "For all hashcat attacks you should specify a wordlist/mask." Does this mean that if I would like to brute-force the PIM along with a key file, I should also provide a blank wordlist? I have found some console logs from my previous tries, one trying to use a blank word list with -a 0 mode and trying to iterate through the PIM value, but from the output, there seems to be no luck:


./hashcat.bin -d 1 -D 1 -w 2 -m 13723 -a 0 --veracrypt-pim-start=1 --veracrypt-pim-stop=2 --session=512session --restore-file-path=512session-rec.txt --status ats-sha512kf blank --veracrypt-keyfiles=key2.txt -o PBKDF2-HMAC-SHA512-15xxbits-recHash.txt --outfile-format=1,2,3,4
hashcat (v6.0.0) starting...

OpenCL API (OpenCL 2.1 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD Ryzen 3xxx x-Core Processor, 32055/32119 MB (8029 MB allocatable), xMCU

OpenCL API (OpenCL 2.0 AMD-APP (3137.0)) - Platform #2 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #2: gfx803, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 64

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 65 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: 512session                 
Status...........: Exhausted
Hash.Name........: VeraCrypt SHA512 + XTS 1536 bit
Hash.Target......: ats-sha512kf
Time.Started.....: Sun Jul 26 17:40:23 2020 (0 secs)
Time.Estimated...: Sun Jul 26 17:40:23 2020 (0 secs)
Guess.Base.......: File (blank)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:64 Loops:250 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-250
Candidates.#1....: [Copying]
Hardware.Mon.#1..: N/A
Started: Sun Jul 26 17:40:18 2020
Stopped: Sun Jul 26 17:40:25 2020


It seems Hashcat did treat the blank as a password, but has not tried the key file and the PIM options. Does this mean it is impossible to use Hashcat in this scenario? This may be an issue, and an issue should be filed with the developers, but I think that should only be done after I am more familiar with this software.


"4. I didn't know veracrypt itself ships a veracrypt cracker but it is very likely much slower than hashcat."

I was saying that Hashcat could break a VeraCrypt file container without the need to extract the hash. You could give Hashcat an encrypted file container with a size of 100MB or 1024MB, and it could do the job.

Have a nice day!