hashcat Forum
Questions -> FAQ -> extract the hashes from TrueCrypt volumes



Questions -> FAQ -> extract the hashes from TrueCrypt volumes - Magier - 09-03-2016

Hello

I want to extract the hashes from TrueCrypt USB volumes, and in the FAQ it is written:

Quote: 3.2. in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
FAQ

And I found:

Quote: ....or, and this is what you actually want to do, just dd the first 512 bytes of the encrypted partition to a separate file.....

TrueCrypted non-system drives

Which is correct now? The first or the last 512 bytes?

The USB stick has no hidden partition. TrueCrypt 7.0a.

Thank you
Magier


RE: Questions -> FAQ -> extract the hashes from TrueCrypt volumes - atom - 09-05-2016

The use of the last 512 bytes goes back to the MBR placement on the first in case of a booting partition. Not sure how it is with a non-booting partition. It could be the first 512 bytes because there's no MBR. You should simply try it out. Create such a disk and crack your own disk. It will be either the first or the last 512 bytes.


RE: Questions -> FAQ -> extract the hashes from TrueCrypt volumes - kiara - 09-05-2016

(09-03-2016, 11:40 PM)Magier Wrote: Hello

I want to extract the hashes from TrueCrypt USB volumes, and in the FAQ it is written:

Quote: 3.2. in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
FAQ

And I found:

Quote: ....or, and this is what you actually want to do, just dd the first 512 bytes of the encrypted partition to a separate file.....

TrueCrypted non-system drives

Which is correct now? The first or the last 512 bytes?

The USB stick has no hidden partition. TrueCrypt 7.0a.

Thank you
Magier


Look for one of my posts; I attached a link that perhaps will guide you on how to do so.


RE: Questions -> FAQ -> extract the hashes from TrueCrypt volumes - Magier - 09-05-2016

(09-05-2016, 09:32 AM)atom Wrote: The use of the last 512 bytes goes back to the MBR placement on the first in case of a booting partition. Not sure how it is with a non-booting partition. It could be the first 512 bytes because there's no MBR. You should simply try it out. Create such a disk and crack your own disk. It will be either the first or the last 512 bytes.

Thanks. That is what I have tried out.

Code:
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_First.dd bs=512 count=1       conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_Last.dd  bs=512 skip=124999   conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_All.dd   bs=512               conv=noerror,sync status=progress

Only in HashcatTest_sdb1_All.dd did I find the password.
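
The first-or-last-sector test discussed above, as an added example that is not part of the original thread: it computes the last-sector offset from the image size instead of hardcoding `skip=124999`, and flags an all-zero sector, which cannot be an encrypted header. It uses plain `dd` on an image file rather than `dcfldd` on `/dev/sdb1`; the function names and the sample image are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): carve the first and last 512-byte
# sectors of an image, deriving the last-sector offset from the size.
SECTOR=512

# sector_count IMAGE -> prints the number of whole sectors.
# Fails when the size is not a positive multiple of 512.
# Assumption: IMAGE is a regular file; for a block device take the size
# from `blockdev --getsize64` instead of wc.
sector_count() {
    size=$(wc -c < "$1") || return 1
    size=$((size + 0))                      # strip padding some wc builds add
    [ "$size" -ge "$SECTOR" ] && [ $((size % SECTOR)) -eq 0 ] || return 1
    echo $((size / SECTOR))
}

# carve IMAGE PREFIX -> writes PREFIX_first.bin and PREFIX_last.bin
carve() {
    n=$(sector_count "$1") || { echo "size is not a multiple of $SECTOR" >&2; return 1; }
    dd if="$1" of="$2_first.bin" bs="$SECTOR" count=1 2>/dev/null || return 1
    dd if="$1" of="$2_last.bin" bs="$SECTOR" skip=$((n - 1)) count=1 2>/dev/null || return 1
}

# is_blank FILE -> true when FILE holds only zero bytes. An encrypted
# volume header looks like random data, so a blank sector is the wrong one.
is_blank() {
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Constructed sample: one random sector followed by two zeroed sectors.
demo() {
    dir=$(mktemp -d) || return 1
    { dd if=/dev/urandom bs="$SECTOR" count=1
      dd if=/dev/zero bs="$SECTOR" count=2; } 2>/dev/null > "$dir/img"
    carve "$dir/img" "$dir/out" || return 1
    for part in first last; do
        if is_blank "$dir/out_$part.bin"; then
            echo "$part: blank, not a header"
        else
            echo "$part: non-zero data, candidate header"
        fi
    done
    rm -rf "$dir"
}
demo
```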


RE: Questions -> FAQ -> extract the hashes from TrueCrypt volumes - kiara - 09-06-2016

(09-05-2016, 09:09 PM)Magier Wrote:
(09-05-2016, 09:32 AM)atom Wrote: The use of the last 512 bytes goes back to the MBR placement on the first in case of a booting partition. Not sure how it is with a non-booting partition. It could be the first 512 bytes because there's no MBR. You should simply try it out. Create such a disk and crack your own disk. It will be either the first or the last 512 bytes.

Thanks. That is what I have tried out.

Code:
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_First.dd bs=512 count=1       conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_Last.dd  bs=512 skip=124999   conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_All.dd   bs=512               conv=noerror,sync status=progress

Only in HashcatTest_sdb1_All.dd did I find the password.

Congrats!