Sorry but: TrueCrypt USB-Drive
#1
I know. I'm sorry. Here I go:

What I've done:
  1. Created an encrypted USB-Drive (2GB) with TrueCrypt 7.1a. Password is 123456789. No options changed.
  2. Created a dd dump of the USB-Drive
Then I used John the Ripper first:
  1. Used truecrypt2john.py to get the hashes: got 6 hashes, 3 normal, 3 hidden (why?)
  2. Used John with -mask=12345678?d to crack the password.
  3. Got password 123456789 for the first hidden hash (why?). Nonetheless everything fine so far.
Now the hashcat part:
  1. fdisk -l /dev/sdc1 to get the size of my USB-Drive in bytes
  2. sudo dd if=/dev/sdc1 of=./banana/512.dd bs=1 skip=1993276928 count=512 to get the last 512 bytes according to https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
  3. hashcat -m 6211 ./banana/512.dd -a 3 12345678?d to crack the password. But nothing is found. Hashcat even tries 123456789 but doesn't recognize it as password.
  4. Tried to run hashcat with hashes produced by truecrypt2john.py. Same result.
What am I doing wrong?

I even tried to crack the examples from https://hashcat.net/wiki/doku.php?id=example_hashes, but they work flawlessly. Password is hashcat. Got that.

So I think something's wrong with my attempt to get the password hashes.
I've also tried:
  • First 512 bytes of USB-Drive
  • First and last 512 bytes of /dev/sdc instead of /dev/sdc1
  • complete dd image of USB-Drive


Any hints on what I'm doing wrong?

Using hashcat 4.1.0 on Ubuntu 16.4.
#2
Not sure why you tried skip=1993276928. According to the FAQ you need the first 512 bytes of /dev/sdc1.

Is your password 0123456789 or 123456789? Are you using a hidden volume?
#3
(02-27-2018, 03:39 PM)undeath Wrote: Not sure why you tried skip=1993276928. According to the FAQ you need the first 512 bytes of /dev/sdc1.

Is your password 0123456789 or 123456789? Are you using a hidden volume?
According to https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
Rule 3.II:
Quote: in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.

First 512 bytes would be Rule 3.I for a single TC file. Which is not what I have or am I wrong?
Also tried both without any success.

password is 123456789 no leading 0

I used "Standard TrueCrypt volume", although the truecrypt2john.py script somehow got a hash for a hidden volume, which is also the hash that resulted in the right password with John the Ripper.
#4
Oh, I think I misread that for "first". Are you sure you are using the correct hash mode? I don't know what TrueCrypt's default settings are.
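
An added example, not part of any post in this thread: a Python helper that carves the 512-byte header candidates discussed above from a dd image and checks whether each block can plausibly be ciphertext before it is handed to a cracker. The offsets (0 for a standard header, 65536 for a hidden-volume header) are assumptions taken from the TrueCrypt volume format, not from the thread; the function names and the sample image are constructed.

```python
import math
import os
import tempfile
from collections import Counter

HEADER_LEN = 512
# Assumption (TrueCrypt volume format, not stated in the thread):
# standard header at byte 0, hidden-volume header at byte 65536.
CANDIDATES = {"standard": 0, "hidden": 65536}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(block: bytes) -> str:
    """Say whether a block can plausibly be an encrypted volume header."""
    if len(block) < HEADER_LEN:
        return "short read"
    if block.count(0) == HEADER_LEN:
        return "all zeros"
    if entropy(block) >= 7.0:
        return "plausible header"
    if block[510:512] == b"\x55\xaa":
        return "boot sector (image of the whole disk, not the partition?)"
    return "low entropy"

def carve(image_path: str, out_dir: str) -> dict:
    """Write each plausible candidate to out_dir; return {name: verdict}."""
    verdicts = {}
    with open(image_path, "rb") as img:
        for name, offset in CANDIDATES.items():
            img.seek(offset)
            block = img.read(HEADER_LEN)
            verdicts[name] = classify(block)
            if verdicts[name] == "plausible header":
                with open(os.path.join(out_dir, name + ".tc"), "wb") as out:
                    out.write(block)
    return verdicts

def demo() -> dict:
    """Constructed image: MBR-like sector at 0, high-entropy block at 65536."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.dd")
        mbr = bytes(510) + b"\x55\xaa"
        with open(path, "wb") as f:
            f.write(mbr + bytes(65536 - 512) + bytes(range(256)) * 2)
        return carve(path, tmp)
```

A "plausible header" verdict only means the block looks like ciphertext; it does not prove that a header exists at that offset.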