Posts: 2
Threads: 1
Joined: Apr 2022
I found an old backup recently, which is comprised of a TrueCrypt Archive, split in 7 parts of 600MB each.
I don't know which encryption was used and no clue about the password. However, I'd like to at least try to crack it.
I read through the wiki a bit but it appears the assumption is always present that one has to know what encryption was used before attempting to use hashcat.
However, what should I do if that is not known?
Posts: 374
Threads: 0
Joined: Nov 2017
Not knowing the type of encryption could pose a problem, I would suggest extracting the hash and seeing if hashcat can autodetect which mode it is. If it cannot safely match the type of truecrypt volume, you may need to do a little more digging into the hash whether it will supply any more details/hints about which type it may be.
https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
Posts: 119
Threads: 1
Joined: Apr 2022
(04-24-2022, 09:17 PM)ApoY2k Wrote: I found an old backup recently, which is comprised of a TrueCrypt Archive, split in 7 parts of 600MB each.
I don't know which encryption was used and no clue about the password. However, I'd like to at least try to crack it.
I read through the wiki a bit but it appears the assumption is always present that one has to know what encryption was used before attempting to use hashcat.
However, what should I do if that is not known?
When cracking TrueCrypt containers like that, which are not bootable, you have several modes available in hashcat. But you can actually focus on just three. If you run hashcat in mode 6213, it will also cover 6211 and 6212. This is true for all the TrueCrypt (and VeraCrypt) modes. So you can focus on 6213, 6223 and 6233.
I can't remember which is default mode, but I think it's 6211 or 6221, so you could also just focus on those.
Posts: 2
Threads: 1
Joined: Apr 2022
(04-25-2022, 12:37 PM)b8vr Wrote: When cracking TrueCrypt containers like that, which are not bootable, you have several modes available in hashcat. But you can actually focus on just three. If you run hashcat in mode 6213, it will also cover 6211 and 6212. This is true for all the TrueCrypt (and VeraCrypt) modes. So you can focus on 6213, 6223 and 6233.
I can't remember which is default mode, but I think it's 6211 or 6221, so you could also just focus on those.
So I would just run hashcat three times with either modes and hope for the best basically? (after extracting the hashes for each mode)
Posts: 890
Threads: 15
Joined: Sep 2017
first of all, splitted archive? are we talking about zip or somehing similar?
you will need to extract this archive beforehand and then extract the very first 512 bytes of the truecrypt volume/container, it doesnt matter, you can also extract the first megabyte hashcat will readin just the first 512 bytes
more or less yes, but start with 621* modes as ripemd160 was the veracrypt default back then
as already stated, mode 6213 will cover all possible combinations for ripemd160 but for the cost of speed