Truecrypt - hashcat Forum (https://hashcat.net/forum), General Talk
Truecrypt - 3di - 05-30-2020

Hi,

I created a hidden File in 2010. I always thought I would never forget my password, but I learned this could happen :-). Now I'm curious what's on this file, it appears like some kind of Time capsule from recent to my future me. It has always fascinated me how encryption and things like this worked, those things evolved from Caesar's time till now — but unfortunately my skills in using tools like hashcat are not so great, so I'm asking you if you know where to find a step-by-step tutorial how to proceed in brute forcing my vault.

So Guys, please excuse the question asked on such a low level, but thanks for any help!

Best Regards.
3di

RE: Truecrypt - pbies - 05-31-2020

There are two ways:

1. Dictionary - so you should have a text file with a list of passwords, one for each line, and use the command:

Code: hashcat64 -m CODE -a 0 -w 3 container_filename.tc password_dict.txt

Code depends on the encryption used to create the container.

2. Brute force:

Code: hashcat64 -m CODE -a 3 -w 3 --session myses --increment-min=1 -i container_filename.tc mask

?b?b?b?b... which is all ASCII characters and you choose how long could be the password by adding ?b
?d... digits
?s... symbols

RE: Truecrypt - philsmd - 05-31-2020

yeah, in the help output:

Code: hashcat --help

you will see all the TrueCrypt hash types (several variants depending on bit length and hash used + variants for boot volumes)

BTW: the 1536 bit can be used to crack 512 bit, 1024 bit and 1536 bit encryption... Therefore it's kind of a "catch-all" for a specific hashing variant, if you do not know the bit length (this reduces the possibilities to boot volumes, RIPEMD160 hashing, SHA512 hashing or to the WHIRLPOOL hashing algorithm (3 variants + boot volume, and it's easy to see if an encrypted disk is showing the TrueCrypt boot loader normally... so normally either 1 or 3 possibilities... if you know the hashing algo for sure, it's even easier to choose).
Instead of only dictionary attack (without rules) or mask attack ("brute-force") which (the latter) is very difficult to do with slow hash types like TrueCrypt, I would recommend rule based attacks: https://hashcat.net/wiki/doku.php?id=rule_based_attack

a medium set of good password candidates (just a few thousands or tens/hundreds of thousands) with some very well working (efficient in terms of cracking ratio) rules:

Code: hashcat -m 6213 -a 0 -w 3 -r my_custom.rules my_tc.dump my_custom.dict

BTW: if you are unsure how to extract my_tc.dump, just have a look here: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_extract_the_hashes_from_truecrypt_volumes

It will explain how to extract the bytes needed from the volume/container/file/disk (dd.exe also exists for Windows, on Linux/macOS dd is either already installed or can be installed via package managers apt/brew)

... and the best advice at the end: always try to make backups and save your data before messing around... but then also try to make a test disk similar to your other/old disk with a known password and try to test everything (including extraction of the needed bytes, the cracking with rules etc) with this new example TrueCrypt volume

RE: Truecrypt - 3di - 06-04-2020

Hi Guys,

thanks for your detailed explanations, I didn't expect so much information in the first run – so thanks again 😊.

I read and tried for several days, but now I'm not over getting some error messages. I learned (at least it's a little)
Code: dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
Code: hashcat64 -m CODE -a 3 -w 3 --session myses --increment-min=1 -i container_filename.tc mask ?b?b?b?b?b?b?b?b
Best Regards, and thanks for your help so far.
3di

RE: Truecrypt - 3di - 06-14-2020

Hi,

(05-31-2020, 08:46 AM)philsmd Wrote: you will see all the TrueCrypt hash types.........

(05-31-2020, 04:06 AM)pbies Wrote: There are two ways............

Could you please have a look? I'm dying from trying with no luck.

Thanks
Best Regards!
3di

RE: Truecrypt - philsmd - 06-15-2020

just one simple thing you could and should do. create a similar container with known password (it could be similar to the one you are trying to crack, just remember always that this is just a test and your target container and hash should be backed up and not confused with this example run) and try to crack it.

You will see exactly how the extraction and cracking works by following the steps in the FAQ and trying to crack it with the 1536 bit options. If you do not know the hashing algorithm, you would need to try cracking the extracted bytes with all the 1536 bits variations for TrueCrypt, one after the other.

The custom dict is just a list of passwords you come up with, one password per line. In the case of the example hash from https://hashcat.net/wiki/example_hashes it would need to contain (one of the many lines of the custom dictionary file) the password: hashcat

RE: Truecrypt - 3di - 06-18-2020

(06-15-2020, 08:52 AM)philsmd Wrote: just one ....

Thanks a lot, I'm now able to run the attack. First I tried to bruteforce crack a sample hash with a ?b?b... mask. Unfortunately it told me it'll take longer than 10 years. Same for my Truecrypt Archive. How could I optimize, the topic in the FAQ didn't help me?

Code: hashcat64 -m 6233 -a 3 -w 3 --session myses --increment-min=1 -i "D:\Meins\Hash\hashcat_whirlpool_twofish-serpent.tc" ?b?b?b?b?b?b?b

Code: The wordlist or mask that you are using is too small.

Code: Session..........: myses

Thanks again!
Regards
3di

RE: Truecrypt - philsmd - 06-18-2020

What do you mean by "I'm now able to run the attack" ?
Are you able to crack hashes that you have generated as a test ? Did you try to crack the example hash from https://hashcat.net/wiki/example_hashes ?

I don't think brute-force is a good strategy here. I would suggest to use dictionary-based or rule-based attacks with slow hashes like TrueCrypt. It's much more clever in most of the cases, except for some minor special cases e.g. if the password was generated randomly (for instance by a password manager) and is known to be random chars.

see https://hashcat.net/wiki/doku.php?id=rule_based_attack and the examples with -a 0 -r from above. You would need to come up with a good list of candidate passwords that you use as your dictionary and a couple of rules that mangle the passwords in the dictionary

RE: Truecrypt - 3di - 06-18-2020

Hi philsmd,

Thanks for your reply!

(06-18-2020, 12:50 PM)philsmd Wrote: What do you mean by "I'm now able to run the attack" ?

I tried to break the sample hash (TrueCrypt 5.0+ Whirlpool + Twofish-Serpent, PW: hashcat) via bruteforce but unfortunately it didn't solve it, hashcat told me "Time.Estimated...: Next Big Bang (> 10 years)" and I gave up waiting after 24h as the calculating time didn't drop below that. The password "hashcat" is 8 digits, mine was about 18 digits, so it might take 4-5 Next Big Bangs :-).

(06-18-2020, 12:50 PM)philsmd Wrote: I don't think brute-force is a good strategy here. I would suggest to use dictionary-based or rule-based attacks with slow hashes like TrueCrypt. It's much more clever in most of the cases, except for some minor special cases e.g. if the password was generated randomly (for instance by a password manager) and is known to be random chars.

Maybe I'll try this for the next run, unfortunately I already tried thousands of passwords and iterations of it via another tool (OTFBrutus). I wasn't expecting this long calculating times, is there something wrong, or do I have to deal with it as it's part of TrueCrypt's security?

Best Regards and Thanks!
3di

RE: Truecrypt - undeath - 06-18-2020

If your password is truly 18 chars and you don't remember anything useful about it, give up.
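
Why the ?b?b?b?b?b?b?b mask run reports an estimate beyond 10 years while a dictionary with rules stays tractable, as an added example that is not part of the thread: it counts the candidates a hashcat mask generates, using the sizes of hashcat's built-in charsets. The rate of 100,000 candidates per second, the dictionary size and the rule count are assumed figures, not measurements.

```python
# Added example, not from the thread: count the candidates a hashcat mask generates.
SECONDS_PER_YEAR = 365 * 24 * 3600

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}


def mask_position_sizes(mask):
    """Return how many characters each position of the mask can take."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)              # literal character
            i += 1
            continue
        key = mask[i + 1:i + 2]
        if key == "?":
            sizes.append(1)              # '??' is a literal question mark
        elif key in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[key])
        else:                            # custom charsets ?1-?4 are not modelled here
            raise ValueError(f"unsupported mask token at offset {i}: ?{key}")
        i += 2
    return sizes


def mask_keyspace(mask, increment_min=None):
    """Candidates for the mask; with increment_min, sum every length from
    increment_min up to the full mask, as -i / --increment-min does."""
    sizes = mask_position_sizes(mask)
    first = len(sizes) if increment_min is None else increment_min
    total = 0
    for length in range(first, len(sizes) + 1):
        count = 1
        for size in sizes[:length]:
            count *= size
        total += count
    return total


def years_to_exhaust(candidates, candidates_per_second):
    return candidates / candidates_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 100_000                       # assumed speed, not a benchmark
    brute = mask_keyspace("?b" * 7, increment_min=1)    # mask from the thread
    wordlist = 100_000 * 500             # assumed: 100k words x 500 rules
    print(f"mask: {brute:,} candidates, {years_to_exhaust(brute, RATE):,.0f} years")
    print(f"dict+rules: {wordlist:,} candidates, {wordlist / RATE / 60:.1f} minutes")
```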