Get hash algorithm ...
 
Notifications
Clear all

Get hash algorithm and PIM from veracrypt encrypted device

11 Posts
4 Users
0 Likes
1,389 Views
(@matt777)
Posts: 9
Active Member
Topic starter
 

The last time I cracked a veracrypt encrypted disk was about 2 years ago. I know that it was possible to read the hash algorithm from an encrypted disk. That means: make a backup of this disk and there is a number next to the actual hash which reflects the used hash algorithm (e.g. 1 = Blowfish, etc.). But I can't find any documentation on the internet. can someone tell me where this "number" is exactly and how the assignment to the hash algorithm was? Also the PIM I mean you could somehow read outtor (free version)

 
Posted : 14/07/2022 2:51 pm
(@mykulh)
Posts: 11
Active Member
 

Matt, 

it sounds like you are talking about the EFI/Full Disk bootable version of VeraCrypt you should have an EFI folder with the boot loaders, there will be a config file called "DcsProp", it is XML based and has all the information you need, as long as the information has been saved. 

The file is nicely explained on their GitHub page:

https://github.com/veracrypt/VeraCrypt-DCS/blob/master/Library/VeraCryptLib/DcsProp

Hope this helps.

M.

 

 
Posted : 15/07/2022 8:16 am
(@matt777)
Posts: 9
Active Member
Topic starter
 
Posted by: @mykulh

Matt, 

it sounds like you are talking about the EFI/Full Disk bootable version of VeraCrypt you should have an EFI folder with the boot loaders, there will be a config file called "DcsProp", it is XML based and has all the information you need, as long as the information has been saved. 

The file is nicely explained on their GitHub page:

https://github.com/veracrypt/VeraCrypt-DCS/blob/master/Library/VeraCryptLib/DcsProp

Hope this helps.

M.

 

Lovely, thanks. This is exactly what i was looking for. I guess, there is co chance to get informations about the encryption algorithm (i.e. AES, Twofish, etc)?

 

Edit: oh btw, line 51 is the actual used PIM?

This post was modified 7 months ago by Matt777
 
Posted : 15/07/2022 11:39 am
(@user-crypt)
Posts: 3
New Member
 

Hello, , if you managed to dump the ram while veracrypt was mounted active, you have a small chance of cracking it. Otherwise it is very difficult to crack the password on windows boot loader or linux veracrypt, there is
password
pim
key file

There is a function to activate the key file in the boot loader
Veracrypt also resists the most powerful quantum attacks
you can look on this forum there are interesting discussions on this subject:

https://sourceforge.net/p/veracrypt/discussion/general/

 
Posted : 16/07/2022 2:53 am
(@matt777)
Posts: 9
Active Member
Topic starter
 

@user-crypt I've got a list of already used passwords and some sort of pattern is clearly visible. Like adding one of four possible appends everytime at the end (birthdate and other specific strings). So i build a wordlist with this stuff on my own and try some rules. L61 has the integer '1', so it's AES - he's not a it guy so i'm guessing he is using veracrypt in default mode which is SHA512 + XTS 512 bit and matches with the integer '1' (AES). There is no ram file or even a live system anymore, so that's all i've got. But yeah, hash rate is very low with thos veracrypt algorithms.

This post was modified 7 months ago by Matt777
 
Posted : 18/07/2022 6:33 am
(@matt777)
Posts: 9
Active Member
Topic starter
 

Fun Fact: According to this thread, there is some hashcat magic possible while only knowing the hash algorithm. In my case, the full disk encryption is using SHA512 while the encryption algorithm is unknown. XTS 1536 is "always" the option (but at the cost of 1/3 speed) in case the encryption algorithm unidentified. In this specific example, one solution could be SHA512 + XTS 1536, which means hashcat hash mode 13723.

 
Posted : 19/07/2022 3:49 pm
(@user-crypt)
Posts: 3
New Member
 

@matt777 Yes, have you considered using a key file to open the veracrypt operating system? if the system is encrypted then maybe a memory card, usb or other encrypted file. there is a method for that

 
Posted : 19/07/2022 4:07 pm
(@chris8)
Posts: 2
New Member
 

Do you have a big enough password list? I suggest that you use a large list of 1000 billion passwords and you will arrive at brute force, it is important to choose the user's language carefully. What language password list are you looking for? I have large password list databases.

 
Posted : 19/07/2022 4:35 pm
(@matt777)
Posts: 9
Active Member
Topic starter
 

@user-crypt What do you mean with keyfile? Sure thing you can encrypt a device with veracrypt with a password AND a keyfile - i know. But i don't think this is the case here. It should be a "simple" password with default PIM. I dont think there is such a thing like a keyfile/usb stick for decrypting the device.

 

@chris8 I don't brute force the system, i'm not that desperate. I got something like 15 already used plain password and i try those with different rules like OneRuleToRuleThemAll, best64 or pentagrule. Only small patterns are clearly visible which are used in some passwords like adding the same two or four numbers at the end of the password (but not everytime!). The password could be german or english. I appreciate any help!

 

Btw, i just tested the "SHA512 + XTS 1536 should work"-theory with a test volume container (AES + SHA 512 = default veracrypt encryption settings). I can confirm this, hash mode 13723 did it in hashcat.

This post was modified 7 months ago by Matt777
 
Posted : 20/07/2022 5:44 am
(@chris8)
Posts: 2
New Member
 

@matt777 I have several lists of passwords to test, here is a small list of 10 millions. I have others let me know

https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt

 
Posted : 21/07/2022 11:57 pm
Page 1 / 2
Share:
Share to...