01-27-2017, 10:23 AM
(This post was last modified: 01-27-2017, 10:29 AM by ButterToast1134.)
Code:
In order to crack TrueCrypt volumes, you will need to feed hashcat with the correct binary data file. Where this data lives depends on the type of volume you are dealing with.
The rules are as follows:
for a TrueCrypt boot volume (i.e. the computer starts with the TrueCrypt Boot Loader) you need to extract 512 bytes starting with offset 31744 (62 * 512 bytes). This is true for TrueCrypt 7.0 or later. For TrueCrypt versions before 7.0 there might be different offsets.
Explanation for this is that the volume header (which stores the hash info) is located at the last sector of the first track of the system drive. Since a track is usually 63 sectors long (1 sector is 512 bytes), the volume header is at sector 63 - 1 (62).
if TrueCrypt uses a hidden partition, you need to skip the first 64K bytes (65536) and extract the next 512 bytes.
dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
else:
if you are cracking a single TrueCrypt file instead of a physical disk, you need the first 512 Bytes of the file.
in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
You can extract the binary data from the raw disk, for example, with the Unix utility dd (e.g. use a block size of 512 and a count of 1).
You need to save this hash data into a file and simply use it as your hashlist with hashcat.
The hashcat wiki lists some TrueCrypt example hashes (e.g. -m 6211, -m 6221, -m 6231 or -m 6241 depending on the exact TrueCrypt settings that were used when setting up the TrueCrypt volume). If you want to test/crack those example “hashes”, as always, use the password “hashcat” (without quotes).This is what I was going by from the Hashcat FAQ.
Mine isn't hidden. So I was going by the first step.
EDIT: Here is the Hex of the file i created.
Also comparing my file to the example hash for truecrpyt it looks like it should be the right thing.