Posts: 2
Threads: 1
Joined: Sep 2016
Hello
i want to extract the hashes from TrueCrypt USB-volumes and in the FAQ is written:
Quote:3.2. in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
FAQ
And i found:
Quote:....or, and this is what you acctually want to do, just dd the first 512 bytes of the encrypted partition to a seperate file.....
TrueCrypted non-system drives
What is now correct? The first or the last 512 bytes?
The USB-Stick has no hidden partition. True Crypt 7.0a.
Thank you
Magier
Posts: 5,185
Threads: 230
Joined: Apr 2010
The use of the last 512 byte goes back to the mbr placement on the first in case of a booting partition. Not sure how it is with a non booting partition. It could be the first 512 byte because there's no mbr. You should simply try out. Create such a disk and crack your own disc. It will be either the first or the last 512 byte.
Posts: 259
Threads: 13
Joined: Jun 2016
(09-03-2016, 11:40 PM)Magier Wrote: Hello
i want to extract the hashes from TrueCrypt USB-volumes and in the FAQ is written:
Quote:3.2. in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
FAQ
And i found:
Quote:....or, and this is what you acctually want to do, just dd the first 512 bytes of the encrypted partition to a seperate file.....
TrueCrypted non-system drives
What is now correct? The first or the last 512 bytes?
The USB-Stick has no hidden partition. True Crypt 7.0a.
Thank you
Magier
look for one of my post i joined a link that perhaps will guide u on how to do so
Posts: 2
Threads: 1
Joined: Sep 2016
(09-05-2016, 09:32 AM)atom Wrote: The use of the last 512 byte goes back to the mbr placement on the first in case of a booting partition. Not sure how it is with a non booting partition. It could be the first 512 byte because there's no mbr. You should simply try out. Create such a disk and crack your own disc. It will be either the first or the last 512 byte.
Thanks. That is what i have tried out.
Code:
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_First.dd bs=512 count=1 conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_Last.dd bs=512 skip=124999 conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_All.dd bs=512 conv=noerror,sync status=progress
Only in HashcatTest_sdb1_All.dd i found the Passwort.
Posts: 259
Threads: 13
Joined: Jun 2016
(09-05-2016, 09:09 PM)Magier Wrote: (09-05-2016, 09:32 AM)atom Wrote: The use of the last 512 byte goes back to the mbr placement on the first in case of a booting partition. Not sure how it is with a non booting partition. It could be the first 512 byte because there's no mbr. You should simply try out. Create such a disk and crack your own disc. It will be either the first or the last 512 byte.
Thanks. That is what i have tried out.
Code:
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_First.dd bs=512 count=1 conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_Last.dd bs=512 skip=124999 conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_All.dd bs=512 conv=noerror,sync status=progress
Only in HashcatTest_sdb1_All.dd i found the Passwort.
congratz!