hashcat Forum
Crack old TrueCrypt backup without knowing encryption - Printable Version




Crack old TrueCrypt backup without knowing encryption - ApoY2k - 04-24-2022

I found an old backup recently, which is comprised of a TrueCrypt Archive, split in 7 parts of 600MB each.

I don't know which encryption was used and no clue about the password. However, I'd like to at least try to crack it.

I read through the wiki a bit but it appears the assumption is always present that one has to know what encryption was used before attempting to use hashcat.

However, what should I do if that is not known?


RE: Crack old TrueCrypt backup without knowing encryption - slyexe - 04-25-2022

Not knowing the type of encryption could pose a problem. I would suggest extracting the hash and seeing if hashcat can autodetect which mode it is. If it cannot safely match the type of TrueCrypt volume, you may need to do a little more digging into the hash to see whether it will supply any more details/hints about which type it may be.

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_truecrypt_volumes


RE: Crack old TrueCrypt backup without knowing encryption - b8vr - 04-25-2022

(04-24-2022, 09:17 PM)ApoY2k Wrote: I found an old backup recently, which is comprised of a TrueCrypt Archive, split in 7 parts of 600MB each.

I don't know which encryption was used and no clue about the password. However, I'd like to at least try to crack it.

I read through the wiki a bit but it appears the assumption is always present that one has to know what encryption was used before attempting to use hashcat.

However, what should I do if that is not known?

When cracking TrueCrypt containers like that, which are not bootable, you have several modes available in hashcat. But you can actually focus on just three. If you run hashcat in mode 6213, it will also cover 6211 and 6212. This is true for all the TrueCrypt (and VeraCrypt) modes. So you can focus on 6213, 6223 and 6233.

I can't remember which is the default mode, but I think it's 6211 or 6221, so you could also just focus on those.


RE: Crack old TrueCrypt backup without knowing encryption - ApoY2k - 04-25-2022

(04-25-2022, 12:37 PM)b8vr Wrote: When cracking TrueCrypt containers like that, which are not bootable, you have several modes available in hashcat. But you can actually focus on just three. If you run hashcat in mode 6213, it will also cover 6211 and 6212. This is true for all the TrueCrypt (and VeraCrypt) modes. So you can focus on 6213, 6223 and 6233.

I can't remember which is the default mode, but I think it's 6211 or 6221, so you could also just focus on those.

So I would just run hashcat three times, once with each of the modes, and hope for the best basically? (after extracting the hashes for each mode)


RE: Crack old TrueCrypt backup without knowing encryption - Snoopy - 04-25-2022

First of all, split archive? Are we talking about zip or something similar?

You will need to extract this archive beforehand and then extract the very first 512 bytes of the TrueCrypt volume/container. It doesn't matter; you can also extract the first megabyte, hashcat will read in just the first 512 bytes.

More or less yes, but start with the 621* modes, as ripemd160 was the VeraCrypt default back then.

As already stated, mode 6213 will cover all possible combinations for ripemd160, but at the cost of speed.
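
Added example, not part of the thread or of hashcat: a Python pre-check for the extraction step discussed above. It answers the "zip or something similar?" question from the first bytes of part 1 and writes the 512-byte header only when those bytes look like encrypted data. The function names, the archive signature list and the 7.0 bits/byte entropy cut-off are assumptions of this example, as is the premise that a raw byte split leaves the volume header at the start of the first part.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

HEADER_LEN = 512  # per the thread, hashcat reads only the first 512 bytes
ARCHIVE_MAGICS = {b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar"}

def classify(head: bytes) -> str:
    """Return an archive type, 'too-short', 'structured' or 'random-looking'."""
    for magic, name in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            return name
    if len(head) < HEADER_LEN:
        return "too-short"
    counts = Counter(head[:HEADER_LEN])
    entropy = -sum(c / HEADER_LEN * math.log2(c / HEADER_LEN) for c in counts.values())
    # 512 random bytes measure about 7.5 bits/byte; 7.0 is this example's assumed cut-off.
    return "random-looking" if entropy > 7.0 else "structured"

def extract_header(first_part: str, out_path: str) -> str:
    """Write the first 512 bytes of first_part to out_path if they look encrypted."""
    with open(first_part, "rb") as f:
        head = f.read(HEADER_LEN)
    kind = classify(head)
    if kind != "random-looking":
        raise ValueError(f"{first_part}: looks like {kind} data; unpack or rejoin the parts first")
    with open(out_path, "wb") as f:
        f.write(head)
    return kind

def constructed_random(n: int) -> bytes:
    """Deterministic stand-in for encrypted data (constructed sample, not a real volume)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        part = os.path.join(d, "backup.001")  # constructed file name
        with open(part, "wb") as f:
            f.write(constructed_random(4096))
        print(extract_header(part, os.path.join(d, "header.bin")))
```

A "random-looking" result only means the bytes are consistent with an encrypted header; it does not identify TrueCrypt or the hash mode, which still has to be tried as described in the replies.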