Truecrypt hash (volume not boot)
#1
Hi,

I've a quick question I'm hoping somebody can help me with. I've a number of truecrypt containers I'd like to run some wordlist attacks against.

The first one I chose I ran a test using oclhashcat, the file, and the wordlist on the cli and it recovered the password after a few minutes. Result!!

However, I've been experimenting with Hashtopus (which really is good) and would like to be able to use it to crack these files. The problem with hashtopus (as I see it) is that you have to feed it hashes (or a file full of hashes) rather than actual files.

I played around with JohnTheRipper and used its truecrypt_volume2john function to extract the hash from the truecrypt file I already cracked. It was extracted in the format:

FILENAME:truecrypt_RIPEMD_160$VOLUME_HASH:normal::::/PATH/FILENAME

I selected the VOLUME_HASH; i.e. all data between the dollar sign and the colon and placed it into a new text file. I then passed this to oclHashcat and it fired up and went about trying to crack it.

However, this time it exhausted all the possibilities in the dictionary and didn't find the password.

Does anybody have any ideas on what may be going on here please?
#2
hashcat does not support the truecrypt_volume2john format, so if you check your logs (if hashtopus even logs this information), you'll likely see that hashcat errored out with "no hashes loaded".

It sounds like hashtopus does not have a way to handle non-hash formats. However, this is not a hashtopus support forum, so you'll need to contact the developer directly about this issue.
#3
It's impossible to extract the hashing & encryption algorithm from a TC container, so you'll have to try combinations of all.
#4
Thanks for the replies. The reason that I thought the truecrypt_volume2john format would work is because the pdf2john format is used to extract the hashes for PDF files. I actually passed the result from truecrypt_volume2john to oclhashcat directly on the cli and it did not error out with a "no hashes loaded". In fact it did load a single hash (no idea what it was though) and went through my dictionary and returned an "exhausted" result. This is why I found it puzzling.

While I know that this isn't a hashtopus support forum, if it's OK, I'll post my workaround here for those who do want to use it for truecrypt files. I haven't managed to get it to do a list of "hashes" yet, but it can process single files at a time. With your TC container, simply use a hex editor or dd to copy out the first 512 bytes of info from the file into a separate .bin file and then upload that to hashtopus as a binary file type in the hashlists option. And that's it!

Thanks for the help though.
#5
There may not be any validation on TC formats then since it is just 512 arbitrary bytes. In which case Hashcat was working against the ASCII text you provided. Either way that's not how it's done.
#6
(04-07-2015, 04:21 PM)epixoip Wrote: There may not be any validation on TC formats then since it is just 512 arbitrary bytes. In which case Hashcat was working against the ASCII text you provided. Either way that's not how it's done.

Just to clarify this issue - hashtopus can import binary files. Just create a new hashlist and as a format select "Binary file (single hash)"
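
An added example, not part of any post in this thread: a small Python check that tells the 512-byte binary header from post #4 apart from the ASCII text file described in post #1, and turns the latter back into the former. The function names are hypothetical, the sample data is constructed, and it assumes the field between `$` and `:` in the truecrypt_volume2john line is the hex encoding of that 512-byte header.

```python
import binascii

HEADER_LEN = 512  # bytes copied out of the container in the workaround above
HEX_DIGITS = b"0123456789abcdefABCDEF"


def header_from_container(path):
    """Return the first 512 bytes of a container file (the dd / hex-editor step)."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    if len(header) != HEADER_LEN:
        raise ValueError(f"{path}: got {len(header)} bytes, need {HEADER_LEN}")
    return header


def header_from_john_line(line):
    """Decode the field between '$' and the next ':' back into raw bytes.

    Assumption: that field is the hex encoding of the 512-byte header.
    """
    try:
        field = line.split("$", 1)[1].split(":", 1)[0].strip()
        header = binascii.unhexlify(field)
    except (IndexError, binascii.Error) as exc:
        raise ValueError("no decodable hex field after '$'") from exc
    if len(header) != HEADER_LEN:
        raise ValueError(f"decoded {len(header)} bytes, need {HEADER_LEN}")
    return header


def classify(data):
    """Describe what a candidate input file holds before it is uploaded."""
    if len(data) == HEADER_LEN:
        return "binary-header"
    text = data.strip()
    if len(text) == 2 * HEADER_LEN and all(c in HEX_DIGITS for c in text):
        return "ascii-hex"  # the text file from post #1; decode it first
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: patterned bytes standing in for a real container.
    container = bytes(range(256)) * 16
    hex_field = container[:HEADER_LEN].hex()
    john_line = f"FILENAME:truecrypt_RIPEMD_160${hex_field}:normal::::/PATH/FILENAME"
    print(classify(hex_field.encode()))                 # the pasted text file
    print(classify(header_from_john_line(john_line)))   # after decoding
```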