hashcat Forum

Full Version: TrueCrypt system drive and non-system partition
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I was experimenting with TrueCrypt on a computer and during my weeks away from that computer I ending up forgetting the TrueCrypt password.

In Win7 64 I created two different TrueCrypt 7.1 standard (not hidden) volumes(?) using the default AES encryption algorithm. I believe I used either RIPEMD-160 or SHA-512 as the hash algorithm, I'm leaning towards SHA-512.

On SDA, I encrypted the entire system drive. On SDB, I encrypted a single non-system partition.

I believe my password was 10 characters and I remember some characters that will let me make a mask to significantly narrow down the possibilities.

Using 'dd', I pulled the first 512 bytes from every partition (for example, dd if=/dev/sdb3 of=/hashSDB3 bs=512 count=1), I also did dd on the straight device name (i.e. if=/dev/sdb).

To be comprehensive, I've been running 6211, 6221, 6231, and 6241 against my hash copies with a mask. I use at least one custom charset, referencing a .hcchr file containing the characters (UTF-8 file format). My charset(s) are just a small number of latin upper and lower letters, along with digits 0 to 9, and the special characters associated with digits 0 to 9.

As a test, in Linux, I used TrueCrypt to encrypt a different non-system partition on SDB and pulled the hash using the above dd command. I ran hashcat (in Linux, too) with 6211 and the password was found.

I've been trying to have the same luck with my Windows created volumes over the last few days and have had no success.


Could I be copying the hash wrong for my Windows created volumes? Not enough bytes? Do I need to use dd or can I just run hashcat directly against /dev/SDA, etc.?

Could I be having a character encoding issue do to creation in Win7 and working in Linux with UTF-8 charsets? In Linux, I ran my Linux-created non-system partition (mentioned above) against charset .hcchrs that were saved with 1252 encoding and another time with 8859-1 encoding and was still successful in recovering the password.

Booting SDA (the encrypted system drive) does show me the TrueCrypt prompt, but I still wonder if I might have damaged my disk during recent travel.

I have my TrueCrypt Rescue Disk, too. Not sure if there is some way to recover a hash from the disk. I've tried what I believe to be my password and a few variations after doing a boot to the rescue disk. I've had no luck.

I have a Nvidia 600 series. I'm using cudaHashcat-1.30 in Linux.

Any suggestions would be very appreciated. Thank you.
"Latin letters" is somewhat ambiguous and since you mention codepages I take it you did use characters outside the 7-bit ASCII space?

If so, I'd recommend creating a test TC volume using Windows, with just a single non-ASCII character and see what codepage you need in Linux to open (or crack) it. Using just one character you should be able to crack it regardless of codepage using an 8-bit BF of 1-4 bytes. After that you'll be a tad wiser.