Extracting binary data from TrueCrypt Boot Volume and Cracking - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old oclHashcat Support (https://hashcat.net/forum/forum-38.html)
+--- Thread: Extracting binary data from TrueCrypt Boot Volume and Cracking (/thread-4586.html)

Extracting binary data from TrueCrypt Boot Volume and Cracking - Shady_Wushu - 08-04-2015

I've recently been asked to give a shot at cracking a TrueCrypt boot volume. Having never done so before, I just wanted to sanity check what I've done. To extract the binary data needed for the crack, I ran the following:

    dd if=/dev/sdc of=/path/to/file.tc bs=1 skip=31744 count=512

Since this is a boot volume, the data should be at offset 31744 - according to the Wiki, the last sector of the first track. We're extracting 512 bytes to give to cudaHashcat. To crack it, we would then run:

    ./cudaHashcat64.bin -a 0 -m 6241 /path/to/file.tc /path/to/wordlists/

Assuming I was given the correct information and that the volume uses RIPEMD-160 and AES. Like I said, since this is the first TrueCrypt volume I've run, I just want to make sure I did this right. Thanks all.

RE: Extracting binary data from TrueCrypt Boot Volume and Cracking - Shady_Wushu - 08-04-2015

I already realized the error I made. dd should be:

    dd if=/dev/sdc of=/path/to/file.tc bs=512 skip=62 count=1

I reversed count and bs, and skip should be number of sectors rather than bytes.

RE: Extracting binary data from TrueCrypt Boot Volume and Cracking - atom - 08-05-2015

The resulting data should be the same, or not?

RE: Extracting binary data from TrueCrypt Boot Volume and Cracking - Shady_Wushu - 08-05-2015

I thought skip uses the ibs rather than the bs, and ibs defaults to 512. I could be wrong though.

RE: Extracting binary data from TrueCrypt Boot Volume and Cracking - Shady_Wushu - 08-05-2015

So I'm sure I have the right dd command for a boot volume now. However, it turns out this is simply an encrypted physical drive, not a system drive - why you'd do that to a 2 TB external USB is beyond me, but that's the situation I'm in. According to the wiki, I need to grab the last sector of the first logical volume. However, there is no partition table in a TrueCrypt encrypted disk, at least not in front of the encryption.

How do I go about finding a logical volume if fdisk simply tells me there is no partition table?

RE: Extracting binary data from TrueCrypt Boot Volume and Cracking - Shady_Wushu - 08-05-2015

Figured it out, just pulled the first 512 on the disk.
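
Added example, not part of any post in the thread: a check of the `dd` question raised above, run against a constructed 64-sector image instead of a real disk. `dd` counts `skip` and `count` in input blocks, and `bs` sets the input block size, so the script compares both commands from the thread plus a variant with no `bs` (512-byte default); the function names and the image layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compares the dd invocations from the thread on a
# constructed 64-sector image (no real disk or TrueCrypt data involved).
LC_ALL=C; export LC_ALL

# Build the image: sector N (0-based) is 512 copies of byte value N+1,
# so the sector an extraction returns is identifiable by its first byte.
make_image() {
    : > "$1"
    n=0
    while [ "$n" -lt 64 ]; do
        dd if=/dev/zero bs=512 count=1 2>/dev/null |
            tr '\000' "\\$(printf '%03o' $((n + 1)))" >> "$1"
        n=$((n + 1))
    done
}

# First command from the thread: 1-byte blocks, so skip and count are bytes.
extract_bytewise() { dd if="$1" of="$2" bs=1 skip=31744 count=512 2>/dev/null; }
# Second command: 512-byte blocks, so skip and count are sectors.
extract_sectorwise() { dd if="$1" of="$2" bs=512 skip=62 count=1 2>/dev/null; }
# No bs given: the input block size falls back to its 512-byte default.
extract_default() { dd if="$1" of="$2" skip=62 count=1 2>/dev/null; }

# Print "<first byte value> <size in bytes> <crc>" for an extracted file.
describe() {
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    sum=$(cksum < "$1")                      # "<crc> <size>"
    echo "$first ${sum#* } ${sum%% *}"
}

# Run all three extractions and report whether the outputs match.
compare_extractions() {
    dir=$(mktemp -d) || return 1
    make_image "$dir/disk.img"
    extract_bytewise   "$dir/disk.img" "$dir/a.tc"
    extract_sectorwise "$dir/disk.img" "$dir/b.tc"
    extract_default    "$dir/disk.img" "$dir/c.tc"
    a=$(describe "$dir/a.tc"); b=$(describe "$dir/b.tc"); c=$(describe "$dir/c.tc")
    rm -rf "$dir"
    if [ "$a" = "$b" ] && [ "$b" = "$c" ]; then
        set -- $a
        echo "identical first_byte=$1 size=$2"
    else
        echo "different"
    fi
}

compare_extractions
```

All three extractions return the same 512 bytes, the sector at byte offset 31744 (sector 62); the one-byte block size only makes the copy slower on a real device.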