Cracking encrypted veracrypt partition from windows laptop
I know there have been similar questions here, but unfortunately that doesn't help. I'm really starting to despair I have certainly spent more than 12 hours with it, but I can't get any further.
Here is my problem:
I encrypted my laptop's hard drive using Veracrypt's default settings. Now I want to find out the password with Hashcat. I followed these steps:
1. Encrypt the Windows system hard drive with the standard Veracrypt settings and an 6-digit password.
2. Start the laptop with a USB stick with K-a-l-i Linux Live
3. Open terminal in k-a-l-i an type "lsblk" to see all the partitions of my laptop. In my case "sda" is the harddisk with windows and "sda3" is about 237,8 GB, so this is the partition where windows is installed and the veracrypt encryption.
4. Open terminal in k-a-l-i and type the command "sudo dd if=/dev/sda3 of=veracrypthash skip=31744 bs=512 count=1 conv=noerror,sync status=progress" (I also did it just with "sda" but then hashcat says "no hashes loaded"....
5. The password hash was extracted then in the file "veracrypthash"
6. Create a wordlist using "crunch" including the password of my veracrypt encrypted drive and name it "veracrypt-wordlist.txt"
7. Run hashcat with "hashcat -a 0 -w 4 -m 13761 veracrypthash veracrypt-wordlist.txt
Hashcat starts and tries all passwords. Even though the correct password is in the dictionary, Hashcat cannot find the password. What am I doing wrong?!
Here is what I did so far:
1. Experiment with different hashmodes using -m
2. Create an image of the harddisk using an forensic duplicator and then get the password hash (maybe something went wrong in the dd step, so thats my fear)
3. Yeah I know this is a hashcat forum, but it's also not working with truecrack.
The password in the wordlist is 100% correct, it's "301290" and working fine when I'm starting my laptop. I'm using hashcat v6.2.5. I have a similar case at work where I have a PC whose hard drive was also encrypted with Veracrypt. My motivation is therefore very high to get the data.
It's a minor thing for sure, but I just have no explanation. It's also weird that the password hash looks Cyrptic in the text file. When I open the textfile in windows it says "$bitlocker...." at the beginnung. I also followed the instructions here but I was not successful --> https://linuxhint.com/get_data_encrypted_drive/
I really hope to find help here. If not here I really don't know what to do next.
I look forward to your tips.