truecrypt identify type of crypt
#1
https://hashcat.net/wiki/doku.php?id=example_hashes
I need to brute a .tc file; how do I know which ID I need?
#2
Since TrueCrypt/VeraCrypt volumes have no header information, determining what kind of encryption was used is probably not possible. I *think* that you have to already know what kind of encryption it was. If you don't know, you'd have to carry out the attack using each type?
#3
(03-23-2019, 12:11 AM)royce Wrote: Since TrueCrypt/VeraCrypt volumes have no header information, determining what kind of encryption was used is probably not possible. I *think* that you have to already know what kind of encryption it was. If you don't know, you'd have to carry out the attack using each type?
Okay, thank you for the response.
#4
You can have a try with https://www.passware.com/encryption-analyzer/
#5
This can not work simply because encrypted data = random data
#6
Yeah, I think that Passware's Encryption Analyzer can make a good guess that headerless files with high randomness are probably "an encrypted container of some kind", but won't be able to say whether a specific TrueCrypt encryption algorithm was used.
#7
(03-23-2019, 11:59 AM)Mem5 Wrote: You can have a try with https://www.passware.com/encryption-analyzer/

Thanks, but it did not help.
#8
That's a feature of truecrypt, not a bug.

The idea of not telling the world that "this disk is encrypted with truecrypt KDF x and encryption y" is a feature of so-called Plausible Deniability that you could in theory say this disk only contains random data etc. It's of course not a perfect mechanism, because there are still some bytes (header/footer) that might look less random (but they shouldn't).
It's also not really a perfect protection (like when using a better/different encryption scheme or more iterations in the key derivation function etc) and more an obfuscation thing.... but you, and even truecrypt and veracrypt themselves do not know what encryption was used.

They just try ALL possibilities until one matches.

Hashcat can do the same with the 1536 bit (ALL) hash types for truecrypt (see -m 6213, -m 6223 and -m 6233).
Of course you need to test these 3 because hashcat doesn't test RIPEMD160, SHA512 and Whirlpool at the same time.

... but already 3 is much less than trying all hash types.

btw. there is a further hash type -m 6243 which is only used for boot disks and they are easily detectable (because if you boot from that disk, you would see the boot loader). That means that if you do not see the boot loader, it won't be an encrypted disk with truecrypt boot-mode.

BTW: normally users remember the settings they use or just try the default one (that was used at the time of the encryption/setup)... because users rarely change the default settings (but it could of course happen IF the user thinks it's important to set a stronger encryption and KDF function).

Trying all three hash types one after the other (or with a shell/bat script) should be quite easy and if the password is within your dict file, one of the 3 commands should show you the cracked password.

I also always recommend doing some tests with a (or more) new volumes that you create yourself with known password with e.g. one of the 3 KDFs (RIPEMD160, SHA512 or Whirlpool) and see if either -m 6213, -m 6223 or -m 6233 cracks the hash.
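The "encrypted data = random data" point made in posts #5, #6 and #8, as an added example that is not part of the thread: a small Python triage that checks a blob for a plaintext signature and for byte statistics, which is all a header-based analyzer has to work with. The samples are constructed stand-ins (SHA-256 counter-mode output, not real TrueCrypt volumes), and the function names and thresholds are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter

# Plaintext signatures of formats that DO announce themselves.
MAGICS = {
    b"LUKS\xba\xbe": "LUKS header",
    b"PK\x03\x04": "ZIP archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
}

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution (8.0 = perfectly uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Chi-square statistic against uniform bytes (mean ~255 for random data)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def triage(data: bytes) -> str:
    """Best verdict available from signatures and statistics alone."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    # Assumed thresholds: near-8.0 entropy and an unremarkable chi-square.
    if entropy_bits_per_byte(data) > 7.9 and chi_square(data) < 350:
        return "high-entropy, no signature: encrypted container or random data"
    return "unknown, structured data"

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples (not real volumes or disks).
SAMPLE_CONTAINER = pseudo_random(65536, b"stand-in for a .tc file")
SAMPLE_RANDOM = pseudo_random(65536, b"stand-in for a wiped disk")
SAMPLE_LUKS = b"LUKS\xba\xbe" + pseudo_random(65530, b"payload")
SAMPLE_TEXT = b"user=alice action=login result=ok\n" * 1900

if __name__ == "__main__":
    for name in ("SAMPLE_CONTAINER", "SAMPLE_RANDOM", "SAMPLE_LUKS", "SAMPLE_TEXT"):
        blob = globals()[name]
        print(f"{name}: H={entropy_bits_per_byte(blob):.4f} "
              f"chi2={chi_square(blob):.1f} -> {triage(blob)}")
```

The headerless container stand-in and the random-data stand-in receive the same verdict, while the blob with a plaintext signature is named immediately; nothing in the statistics points to a KDF or cipher.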