Step by step guide for a noob?
#1
Hi guy's 
I'm wondering is there a step by step guide anywhere for a complete noob to hashcat? 
I'm running Windows 10 and trying to open an encrypted USB that was encrypted with Veracrypt.
I've just downloaded hashcat and can't figure it out at all

Thanks in advance
Conor

Edit: I've got it running in cmd and trying to figure out the correct command I've tried "hashcat.exe -a 3 -m 13751 hashlist.txt" 
for -a 3 (bruit force attack) -m 13751 (for veracrypt SHA256) [not sure if 512bit or other] and hashlist.txt is my list of hashes that I don't fully understand I just created it with 10 versions of a 3 letter word that I think is in the password.
I'm not sure how/if I need to designate a location as it's a USB I'm trying to open how do I tell it to look in a specific drive letter?
Reply
#2
What command do I use to generate my hash list using dd when my disk is a USB in drive G:?
Reply
#3
Try to follow this explanation: https://hashcat.net/wiki/doku.php?id=fre...pt_volumes

Below that section it says:
"The procedure to extract the important information from data encrypted with VeraCrypt follows the same steps/rules as for TrueCrypt"
Reply
#4
I've been looking at that page and I understand that I need the first 512 Bytes from my encrypted USB but I can't seem to get dd to work any tutorials on it all start off with C: --list to find the location but that does nothing on mine for some reason. I'm not sure if I have the correct dd downloaded or what, also in the tutorials everyone seems to run it from cmd and I can't get it to run from there but opening it directly opens a cmd like window.
I think I've a newer version of it and it opens it own cmd I just can't figure out the commands or get any useful lost of them 🤦
Reply
#5
Okay, then i think it will look something like this:

Code:
dd if=a.raw of=b.vc bs=1 count=512

where, a.raw is the veracrypt volume and b.vc is the file that you will be using with hashcat

edit:
i belive that this will dump those first 512 bytes to b.vc that is located in the same folder as dd
Reply
#6
well I finally got my hash list sorted by doing the following and since i haven't been able to find a step by step guide i thought I'll make this into one

Step One
Downloaded dd from http://www.chrysocome.net/downloads/dd-0.5.zip and extracted it to my desktop

Step Two
Aquired my volume ID by using Command prompt and doing the following
C:\users\user> cd desktop {hit enter} to change to the desktop
C:\users\user\Desktop>dd --list {hit enter} to bring up my list of volumes
copied the volume id for G: which was "\\.\Volume{9a610e62-8820-11eb-9e67-34e6d76acc4f}\" (NOTE: LAST "\" HAS BEEN REMOVED IN FOLLOWING SCRIPT)

Step Three
entered the following code to create the hash file named hash.txt on my desktop
C:\Users\user\Desktop>dd if=\\.\Volume{9a610e62-8820-11eb-9e67-34e6d76acc4f} of=C:\Users\user\desktop\hash.txt bs=512 count=1

Step Four
Downloaded Hashcat here https://hashcat.net/hashcat/
and extracted it directly to C: using 7Zip (win RaR or others wont work)

Step Five
Opened Hashcat in command prompt by doing the following
C:\Users\user>cd c:\ {to navigate back to C:}
C:\>cd hashcat-6.1.1 {to open Hashcat folder}
C:\hashcat-6.1.1>dir {to display Hashcat Directory}

Step Six
Run the following to do a {-a 3 (bruit force attack) -m 13751 (for veracrypt SHA256) location of hash C:\Users\user\desktop\hash.txt}
c:\hashcat-6.1.1>hashcat.exe -a 3 -m 13751 C:\Users\user\desktop\hash.txt


Currently running in the background so hopefully it'll succeed and I'll get the password for this test drive before I try my real drive

Edit this is what's displayed does it look correct to those in the know? or is something wrong?

c:\hashcat-6.1.1>hashcat.exe -a 3 -m 13751 C:\Users\user\desktop\hash.txt
hashcat (v6.1.1) starting...

* Device #1: CUDA SDK Toolkit installation NOT detected.
            CUDA SDK Toolkit installation required for proper device support and utilization
            Falling back to OpenCL Runtime

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL API (OpenCL 1.2 CUDA 9.1.201) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: GeForce GTX 980M, 3392/4096 MB (1024 MB allocatable), 12MCU

OpenCL API (OpenCL 1.2 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) Iris(TM) Pro Graphics 5200, 1565/1629 MB (407 MB allocatable), 40MCU
* Device #3: Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 64

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Initializing backend runtime for device #2...
Reply
#7
Ok that failed but im getting somewhere this is what came up when i run Hashcat can anyone help with the error messages?
Also the hash.txt file that has been created is showing as chinese characters (I've noticed it mentioned before) is it supposed to be like that or do i need to use something else to convert it to binary?


[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Cracking performance lower than expected?

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:15:43 2021 (2 mins, 58 secs)
Time.Estimated...: Sat Mar 20 20:39:40 2021 (20 mins, 59 secs)
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........:        0 H/s (0.18ms) @ Accel:8 Loops:15 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:16 Loops:15 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 7/62 (11.29%)
Rejected.........: 0/7 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:7-8 Iteration:423195-423210
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidates.#1....: p -> p
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 60c Util: 37% Core:1126MHz Mem:1598MHz Bus:8
Hardware.Mon.#2..: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:15:43 2021 (4 mins, 54 secs)
Time.Estimated...: Sat Mar 20 20:39:06 2021 (18 mins, 29 secs)
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........:        0 H/s (0.18ms) @ Accel:8 Loops:15 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:16 Loops:15 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 13/62 (20.97%)
Rejected.........: 0/13 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:13-14 Iteration:2130-2145
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidates.#1....: k -> k
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 59c Util: 56% Core:1126MHz Mem:1598MHz Bus:8
Hardware.Mon.#2..: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:15:43 2021 (6 mins, 16 secs)
Time.Estimated...: Sat Mar 20 20:39:16 2021 (17 mins, 17 secs)
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........:        0 H/s (0.18ms) @ Accel:8 Loops:15 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:16 Loops:15 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 16/62 (25.81%)
Rejected.........: 0/16 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:16-17 Iteration:353025-353040
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidates.#1....: g -> g
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 57c Util: 65% Core:1126MHz Mem:1598MHz Bus:8
Hardware.Mon.#2..: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:15:43 2021 (7 mins, 20 secs)
Time.Estimated...: Sat Mar 20 20:39:28 2021 (16 mins, 25 secs)
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........:        0 H/s (0.19ms) @ Accel:8 Loops:15 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:16 Loops:15 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 18/62 (29.03%)
Rejected.........: 0/18 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:18-19 Iteration:452070-452085
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidates.#1....: n -> n
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 57c Util: 33% Core:1037MHz Mem:2505MHz Bus:8
Hardware.Mon.#2..: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:15:43 2021 (9 mins, 11 secs)
Time.Estimated...: Sat Mar 20 20:42:02 2021 (17 mins, 8 secs)
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........:        0 H/s (0.19ms) @ Accel:8 Loops:15 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:16 Loops:15 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 21/62 (33.87%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:21-22 Iteration:298980-298995
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidates.#1....: w -> w
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 58c Util: 32% Core:1037MHz Mem:2505MHz Bus:8
Hardware.Mon.#2..: N/A

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:15:43 2021 (36 mins, 43 secs)
Time.Estimated...: Sat Mar 20 20:52:26 2021 (0 secs)
Guess.Mask.......: ?1 [1]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 1/15 (6.67%)
Speed.#1.........:        0 H/s (0.19ms) @ Accel:8 Loops:15 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:16 Loops:15 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 62/62 (100.00%)
Rejected.........: 0/62 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:61-62 Iteration:499995-499999
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-15
Candidates.#1....: X -> X
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 59c Util: 34% Core:1037MHz Mem:2505MHz Bus:8
Hardware.Mon.#2..: N/A

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: VeraCrypt SHA256 + XTS 512 bit
Hash.Target......: C:\Users\user\desktop\hash.txt
Time.Started.....: Sat Mar 20 20:52:27 2021 (25 mins, 10 secs)
Time.Estimated...: Sat Mar 20 21:17:37 2021 (0 secs)
Guess.Mask.......: ?1?2 [2]
Guess.Charset....: -1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_, -4 Undefined
Guess.Queue......: 2/15 (13.33%)
Speed.#1.........:        1 H/s (0.31ms) @ Accel:4 Loops:31 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:8 Loops:7 Thr:8 Vec:1
Speed.#*.........:        1 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 2232/2232 (100.00%)
Rejected.........: 0/2232 (0.00%)
Restore.Point....: 0/36 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:61-62 Iteration:499968-499999
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-7
Candidates.#1....: Xa -> Xq
Candidates.#2....: [Generating]
Hardware.Mon.#1..: Temp: 61c Util: 43% Core:1126MHz Mem:2505MHz Bus:8
Hardware.Mon.#2..: N/A

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Reply
#8
(03-20-2021, 11:52 PM)Conir Wrote: Also the hash.txt file that has been created is showing as chinese characters (I've noticed it mentioned before) is it supposed to be like that or do i need to use something else to convert it to binary?

Yes, that is normal. It is just that the notepad (or any text editor of your choise) reads the file containing ones and zeroes and it converts it into plain text thinking that it is the correct way of displaying that file. The same would happen if you import that binary into a audio editor like Audacity, but then if you play it you will hear noise.


Quote:The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Cracking performance lower than expected?

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Those warnings are mostly realted to your hashrate this means that the cracking is being performed at lower hashrates than expected (caused by your hardware configuration or drivers), in other words, it will take some time to hashcat to hash a password and try it againist the veracrypt hash.



Finally, I suppose you have told hashcat to try to crack the hash using three custom charsets:
-1 ?l?d?u, -2 ?l?d, -3 ?l?d*!$@_,
 
And every time you see this message:
Quote:Approaching final keyspace - workload adjusted.

It means that hashcat has exhausted (or it is getting close to the last combinations it will try) all the possible combinations of that charset you have specified.
Reply
#9
Thanks hblender that's put my mind at ease about the chinese characters anyway 😌

I had run that with the code for 216 instead of 512 so run it again over night and it still came back exhausted 🤷🏻‍♂️

I'm just running c:\hashcat-6.1.1>hashcat.exe -a 3 -m 13751 C:\Users\user\desktop\hash.txt

To try bruit force it but I haven't added any charsets (thought it done the standard)
Would I be better to add a word list or do a combination attack? And how do I set what size the password is? (Think it's between 12-20 characters)
I think I remember the first 10 of the password is 4 words and then either 2 or 4 numbers but I may have changed e's to 3's in it or added an extra word on the end or after the first 4 words any ideas what kind of attack I could do to get the best results?
Reply
#10
ok I'm running this on my test drive that I know the password too and added the charset on the end to coincide with what I know about the password
c:\hashcat-6.1.1>hashcat.exe -a 3 -m 13721 C:\Users\user\desktop\hash.txt ?u?a?a?u?a?u?a?u?a?a?d?d

12 characters where (?u) are uppercase (?a) are lowercase and (?d) are numbers does that seem right or do i need anything extra?
Reply