Crack old TrueCrypt backup without knowing encryption
#1
I found an old backup recently, which is comprised of a TrueCrypt Archive, split in 7 parts of 600MB each.

I don't know which encryption was used and no clue about the password. However, I'd like to at least try to crack it.

I read through the wiki a bit but it appears the assumption is always present that one has to know what encryption was used before attempting to use hashcat.

However, what should I do if that is not known?
Reply
#2
Not knowing the type of encryption could pose a problem, I would suggest extracting the hash and seeing if hashcat can autodetect which mode it is. If it cannot safely match the type of truecrypt volume, you may need to do a little more digging into the hash whether it will supply any more details/hints about which type it may be.

https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
Reply
#3
(04-24-2022, 09:17 PM)ApoY2k Wrote: I found an old backup recently, which is comprised of a TrueCrypt Archive, split in 7 parts of 600MB each.

I don't know which encryption was used and no clue about the password. However, I'd like to at least try to crack it.

I read through the wiki a bit but it appears the assumption is always present that one has to know what encryption was used before attempting to use hashcat.

However, what should I do if that is not known?

When cracking TrueCrypt containers like that, which are not bootable, you have several modes available in hashcat. But you can actually focus on just three. If you run hashcat in mode 6213, it will also cover 6211 and 6212. This is true for all the TrueCrypt (and VeraCrypt) modes. So you can focus on 6213, 6223 and 6233.

I can't remember which is default mode, but I think it's 6211 or 6221, so you could also just focus on those.
Reply
#4
(04-25-2022, 12:37 PM)b8vr Wrote: When cracking TrueCrypt containers like that, which are not bootable, you have several modes available in hashcat. But you can actually focus on just three. If you run hashcat in mode 6213, it will also cover 6211 and 6212. This is true for all the TrueCrypt (and VeraCrypt) modes. So you can focus on 6213, 6223 and 6233.

I can't remember which is default mode, but I think it's 6211 or 6221, so you could also just focus on those.

So I would just run hashcat three times with either modes and hope for the best basically? (after extracting the hashes for each mode)
Reply
#5
first of all, splitted archive? are we talking about zip or somehing similar?

you will need to extract this archive beforehand and then extract the very first 512 bytes of the truecrypt volume/container, it doesnt matter, you can also extract the first megabyte hashcat will readin just the first 512 bytes

more or less yes, but start with 621* modes as ripemd160 was the veracrypt default back then

as already stated, mode 6213 will cover all possible combinations for ripemd160 but for the cost of speed
Reply