Questions -> FAQ -> extract the hashes from TrueCrypt volumes
#1
Hello

i want to extract the hashes from TrueCrypt USB-volumes and in the FAQ is written:

Quote:3.2. in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
FAQ

And i found:

Quote:....or, and this is what you acctually want to do, just dd the first 512 bytes of the encrypted partition to a seperate file.....

TrueCrypted non-system drives

What is now correct? The first or the last 512 bytes?

The USB-Stick has no hidden partition. True Crypt 7.0a.

Thank you
Magier
#2
The use of the last 512 byte goes back to the mbr placement on the first in case of a booting partition. Not sure how it is with a non booting partition. It could be the first 512 byte because there's no mbr. You should simply try out. Create such a disk and crack your own disc. It will be either the first or the last 512 byte.
#3
(09-03-2016, 11:40 PM)Magier Wrote: Hello

i want to extract the hashes from TrueCrypt USB-volumes and in the FAQ is written:

Quote:3.2. in case of a physical disk you need to copy the last 512 bytes of the *first logical volume*.
FAQ

And i found:

Quote:....or, and this is what you acctually want to do, just dd the first 512 bytes of the encrypted partition to a seperate file.....

TrueCrypted non-system drives

What is now correct? The first or the last 512 bytes?

The USB-Stick has no hidden partition. True Crypt 7.0a.

Thank you
Magier


look for one of my post i joined a link that perhaps will guide u on how to do so
#4
(09-05-2016, 09:32 AM)atom Wrote: The use of the last 512 byte goes back to the mbr placement on the first in case of a booting partition. Not sure how it is with a non booting partition. It could be the first 512 byte because there's no mbr. You should simply try out. Create such a disk and crack your own disc. It will be either the first or the last 512 byte.

Thanks. That is what i have tried out.

Code:
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_First.dd bs=512 count=1       conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_Last.dd  bs=512 skip=124999   conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_All.dd   bs=512               conv=noerror,sync status=progress

Only in HashcatTest_sdb1_All.dd i found the Passwort.
#5
(09-05-2016, 09:09 PM)Magier Wrote:
(09-05-2016, 09:32 AM)atom Wrote: The use of the last 512 byte goes back to the mbr placement on the first in case of a booting partition. Not sure how it is with a non booting partition. It could be the first 512 byte because there's no mbr. You should simply try out. Create such a disk and crack your own disc. It will be either the first or the last 512 byte.

Thanks. That is what i have tried out.

Code:
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_First.dd bs=512 count=1       conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_Last.dd  bs=512 skip=124999   conv=noerror,sync status=progress
dcfldd if=/dev/sdb1 of=HashcatTest_sdb1_All.dd   bs=512               conv=noerror,sync status=progress

Only in HashcatTest_sdb1_All.dd i found the Passwort.

congratz!