(11-24-2020, 10:41 PM)undeath Wrote: Using the entire volume is entirely unsupported. You should extract the required header as described here: https://hashcat.net/wiki/doku.php?id=fre...pt_volumes
I had read this page already but thanks for re-affirming!
I was bogged down because of
Quote:if TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.
[...]
[*]in all other cases (files, non-booting partitions) you need the first 512 Bytes of the file or partition.
That's also why I emphasized container in the title of the thread.
Indeed, what's written there seems to be true not just for partitions but also containers!
I did the following:
Code:
dd if=2012-test4.tc of=2012-text4-hash-hidden bs=1 skip=65536 count=512and indeed it finds the correct password. I cannot update the Wiki unfortunately but I think that would be good to update since it's confusing.
What's left is my bonus question (which now becomes even more interesting when you say "Using the entire volume is entirely unsupported"): How come that hashcat finds the right password for the wrong hash mode? Can this be coincidence?
EDIT: Ok, I understand. 6213 can also be used for 6211 (https://hashcat.net/forum/thread-8596.html)