I want to try and compare the performance to my commercial apps, but I've got a problem extracting the correct input hash for hashcat's TrueCrypt boot mode. What exactly is necessary? I read "first 512 bytes of HD" or "several MB of the HD" ... In the first sector I see nothing else than the (plain text) bootloader. Do you mean the first 512 bytes of the encrypted system partition? I can't imagine, because as far as I know only the TrueCrypt header is encrypted with the user's passwords; the partition is encrypted with the master key, which resides in the encrypted header, which does not reside within the partition ... d'oh.
So... I would much appreciate it if you could explain where to extract the hash.
09-19-2013, 03:56 PM (This post was last modified: 09-19-2013, 04:27 PM by Rolf.)
Howdy.
You need to feed the last 512 bytes (sector) of the first logical drive track to oclhc.
You can use any hex editor you want for this purpose.
I've used WinHEX and WinXP under a VM to verify everything works.
WinHEX is good because it can provide you with additional information, which eases the dumping process.
The virtual disk had 63 sectors per track, so I dumped the last one and fed it to oclhc, password was found.
I've provided the dumps; everything should be obvious once you load 'em into a hex editor.
The password is 'biscotte'
Last thing: I am not a storage media expert, so I might have made a mistake somewhere.
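The dump step described in the reply above, as an added example that is not part of the original posts: it reads the last sector of the first track from a raw disk image and sanity-checks it before it is saved. The function names, the constructed test image and the entropy threshold of 7.0 are assumptions made for illustration; the geometry default of 63 sectors per track is the value from the post.

```python
import hashlib, math, os, tempfile
from collections import Counter

SECTOR_SIZE = 512

def last_sector_of_first_track(image_path, sectors_per_track=63):
    """Return the last 512-byte sector of the first track of a raw disk image."""
    with open(image_path, "rb") as f:
        mbr = f.read(SECTOR_SIZE)
        if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
            raise ValueError("sector 0 lacks the 0x55AA boot signature")
        f.seek((sectors_per_track - 1) * SECTOR_SIZE)  # 63 s/t -> byte offset 31744
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("image is shorter than one full track")
    return sector

def shannon_entropy(data):
    """Bits per byte; 512 random bytes score about 7.5, all zeros score 0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_encrypted_header(sector, threshold=7.0):
    """Heuristic (assumption): an encrypted header looks like random data."""
    return shannon_entropy(sector) >= threshold

def build_constructed_image(path, sectors_per_track=63):
    """Constructed sample: boot signature, zero padding, pseudo-random last sector."""
    header = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    mbr = bytes(510) + b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(mbr + bytes(SECTOR_SIZE * (sectors_per_track - 2)) + header)
    return header

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "constructed.img")
        build_constructed_image(img)
        sector = last_sector_of_first_track(img)
        print("offset:", 62 * SECTOR_SIZE, "entropy: %.2f" % shannon_entropy(sector))
        if looks_like_encrypted_header(sector):
            with open(os.path.join(d, "header.bin"), "wb") as out:
                out.write(sector)  # raw 512 bytes, not a hex text dump
```

A low entropy score on the extracted sector usually means the wrong geometry or the wrong sector was read, for example the plain-text bootloader in sector 0.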
Hi, I have a similar problem and some more questions.
The first problem I come across is how to get the hash from the TrueCrypt device. I tried WinHex but I don't know which part exactly I need to use; also I am unsure of which method I used for creating (Ripe or sha). Even with your iso example (neither the iso nor a txt file with text from iso) I don't get a proper input for hashcat, so what did you do?