Do I use the proper extracted data from my encrypted TrueCrypt HDD for hashcat?
#1
Hi @all,

First of all, English is not my mother tongue.

In September 2019 I had a motorcycle accident with traumatic brain injury (TBI), a broken upper leg and an impression fracture of lumbar vertebra no. 4 (? I don't know if it's the proper translation, but something in my lower spine was injured) and ~1 and 1/2 months of coma.

Due to the TBI I have no memories of the accident.
I lost the passwords to my encrypted external hard drive created with TrueCrypt, and I do not know which version I had when encrypting the external HDD, but I know I could decrypt it with TrueCrypt 7.1a. I believe I created it with TrueCrypt 7.x in 2014-2016. I did not write the password down or save it anywhere.
I just plugged in the external HDD, opened TrueCrypt and entered my password.
I believe I know parts of it because it used several other passwords combined into one long string. This string is at least 30 or 45 characters long.

After I was able to leave hospital and rehab, I tried to use the TrueCrypt that was installed on my PC with the passwords I believed to be right, but no luck. Then I created a Java program that would do the entering and checking for success automatically with a list of strings (I'm a developer myself), no luck. Then I heard about hashcat and read a bit on the internet, then I tried my luck with hashcat, but so far I have had no luck, obviously.


Encrypted external HDD info
  • probably encrypted with TrueCrypt 7.x in 2014 - 2016
  • Encryption algorithm AES-TWOFISH-SERPENT or SERPENT-TWOFISH-AES
  • Hash Algorithm SHA-512 or RIPEMD-160

Hashcat
  • used modes in the beginning: RIPEMD-160 XTS 6211, 6212, 6213 and SHA-512 XTS 6221, 6222, 6223
  • later only RIPEMD-160 XTS 6213 and SHA-512 XTS 6223
  • e.g. hashcat.exe -a 3 -w 3 -m 6213 data_to_hack masks.file -o outputfile

Extracted data_to_hack(DATA)
  • I extracted those DATA from my external HDD by using "rawwrite dd for windows version 0.5.".
  • dd if=\\?\Device\HarddiskVolume10 of=blackToshiba.txt count=200


Tests

I do not have another HDD, so I was using a 32GB USB stick, encrypted it with TrueCrypt 7.1a with both algorithms mentioned above, extracted the DATA in the same way as written above, and it worked.
But it is not an HDD, and I do not exactly know if I used TrueCrypt 7.1a for encrypting, so it is not exactly the same.

Questions

Just to be on the safe side, I need confirmation that I used the correct data for hashcat even if I do not know if the encryption was done with TrueCrypt 7.1a or 7.x or even 6.x, which I doubt but am not sure.
Am I using the proper DATA?
Is the count=200 enough or do I need more?
Did I extract the correct data that is needed for my external HDD?

If I do not, can you point me to the correct way, please?


Yours
Anthony
#2
Maybe it got lost during Christmas time.

"If I do not, can you point me to the correct way, please?"

Yours
Anthony
#3
As explained here https://hashcat.net/wiki/doku.php?id=fre...pt_volumes, you need the first 512 bytes of the encrypted partition.

Code:
dd if=[FILE] of=[OUTPUT] bs=512 count=1

The following tip is pure gold: make a test case. Simply install TrueCrypt on your working machine/virtual machine, plug in a small USB, encrypt it with an easy-to-remember pwd, extract the first 512 bytes and try to crack it.
Take note of what algo/hashing you selected in order to select the correct mode afterwards.

Try it multiple times, play around. Once you successfully completed all the steps, you get confident, and you can begin cracking the real case.
#4
(01-11-2022, 10:53 AM)Banaanhangwagen Wrote: As explained here https://hashcat.net/wiki/doku.php?id=fre...pt_volumes, you need the first 512 bytes of the encrypted partition.

Code:
dd if=[FILE] of=[OUTPUT] bs=512 count=1

The following tip is pure gold: make a test case. Simply install TrueCrypt on your working machine/virtual machine, plug in a small USB, encrypt it with an easy-to-remember pwd, extract the first 512 bytes and try to crack it.
Take note of what algo/hashing you selected in order to select the correct mode afterwards.

Try it multiple times, play around. Once you successfully completed all the steps, you get confident, and you can begin cracking the real case.

I think this is the best approach. Install the old TrueCrypt version you used back then and just encrypt a small USB stick, and write down which settings are used by default. I think back then they used RIPEMD-160 before switching to SHA.

For a normal / wizard-driven encrypted partition, hc needs the first sector of that partition, NOT the DISK. I use a hex editor like HxD to extract these under Windows, or dd on Linux.

As I see, dd for Windows uses the same options, so
bs=512 count=1
should do the trick.

For the rest, I think building up a dictionary with your used passes or phrases (or parts of them) and using some of the external hashcat tools like combinator or combipow to generate combinations of your passes will help. After generating, you could combine them even further with rules, but first of all I would start with building a personalized dict.
#5
Until now I was using

Code:
dd if=[FILE] of=[OUTPUT] count=200

That gives me 200kb of extracted data (A).

Using

Code:
dd if=[FILE] of=[OUTPUT] bs=512 count=1

gives me a 1kb file (B).

Comparing those two files, file A contains the data from file B.
Testing with the USB stick using the A and B data files resulted in a successful match using HC, thus delivering the test password.

So, the data I was using until now seems to be correct, just more data than needed.
Thus, I just have to adapt the password masks further, right?
Reply
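A sanity check for the extraction step discussed in this thread (first sector of the partition rather than the disk, and the comparison of the 200-sector dump with the 512-byte one), as an added example that is not part of any post. The function names, the 7.0 bits/byte entropy threshold and the sample data are assumptions constructed for illustration.

```python
import math
import sys
from collections import Counter
from hashlib import sha512

SECTOR = 512  # size of the header extracted with bs=512 count=1

def first_sector(path):
    """Read the first 512 bytes of a dump, whatever its total size."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def entropy(data):
    """Shannon entropy in bits per byte (about 7.6 for 512 random bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def header_problems(sector):
    """Reasons this sector is unlikely to be an encrypted volume header."""
    if len(sector) != SECTOR:
        return [f"short read: {len(sector)} bytes instead of {SECTOR}"]
    problems = []
    if sector[510:512] == b"\x55\xaa":
        problems.append("0x55AA boot signature: an MBR or filesystem boot "
                        "sector, not an encrypted header")
    if entropy(sector) < 7.0:  # assumed threshold, well below random data
        problems.append(f"low entropy ({entropy(sector):.2f} bits/byte): "
                        "not encrypted data")
    return problems

def same_header(dump_a, dump_b):
    """True when two dumps start with the same complete first sector."""
    a, b = first_sector(dump_a), first_sector(dump_b)
    return len(a) == SECTOR and a == b

# Constructed samples: pseudo-random bytes standing in for a real header,
# and a mostly empty MBR such as the first sector of a whole disk.
SAMPLE_HEADER = b"".join(sha512(bytes([i])).digest() for i in range(8))
SAMPLE_MBR = (bytes(446) + b"\x00\x00\x02\x00\x0c\xfe\xff\xff"
              + bytes(56) + b"\x55\xaa")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        issues = header_problems(first_sector(path))
        print(path, "OK" if not issues else "; ".join(issues))
```

An empty result only means the sector looks like encrypted data; it does not prove the bytes are a TrueCrypt header, so the test-volume approach from the replies above remains the real confirmation.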