How to find the password for a hidden partition of a single TrueCrypt file?
#1
Hi!

I really need help. I already triple-checked "How do I extract the hashes from TrueCrypt volumes?" but can't find anywhere which 512 bytes I need to find the password for a hidden partition of a single TrueCrypt file.

I am quite friendly with hashcat but stuck even with the first step.

Please, I lost access to the family archive backup! :(
#2
The best recommendation in such cases is always to try to generate a new, very similar file/partition with TrueCrypt with a known password (maybe even a password similar to what you expect) and try to crack this.

If you are able to crack your sample, the target hash should work exactly the same way (ideally just the password changes).
#3
Thanks, it will save a lot of time!

But my tc file is 3 TB... the problem is which 512 bytes to take and, tbh, how...
#4
Hi Costas,

As mentioned in your quoted URL, you need the sector following the first 65536 bytes of the file, i.e. you need the 128th sector. Thus skip sectors 0 to 127 and use the 128th.

Using a hex editor you need the 512 bytes starting with byte 65537 up to byte 66048 of the file.
#5
Yeah, and I also do not agree that testing is a waste of time or that you can save time by just asking and taking everything for granted. Verify it! Check whether the claim about this sector is correct by generating a fresh sample hash.

The more confident you (yourself) are about the right 512 bytes and the correct way to crack a sample, the better it is.

It's always worse to spend several dozens/hundreds of hours on an uncrackable hash than to just try to create a sample within a few minutes and know exactly what is going on and what a correct cracking process would look like. It's not a waste and you shouldn't be too lazy when it comes to getting confident with the right input and output and cracking steps.
#6
(07-17-2019, 12:39 PM)mkcon Wrote: As mentioned in your quoted URL, you need the sector following the first 65536 bytes of the file, i.e. you need the 128th sector. Thus skip sectors 0 to 127 and use the 128th.

Using a hex editor you need the 512 bytes starting with byte 65537 up to byte 66048 of the file.

Keep in mind that there is an "offset 0"; the starting byte will be at offset 65536 (0x10000), up to 66047 (0x101FF).
#7
Thanks a lot for the help, it was as easy as ABC:

1. I downloaded dd for windows from http://www.chrysocome.net//dd

2. My file backup.tc was on drive f, so I ran:
    dd if=f:\backup.tc of=f:\backup  bs=1 skip=65536 count=512

3. And finally, since I remembered that my password was a simple 8 digits:
    hashcat64.exe -m 6211 -a 3 backup ?d?d?d?d?d?d?d?d

Voila, I got the password in just 2 seconds :)
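The offset arithmetic from posts #4 and #6 and the extraction step from post #7, as an added Python example (not code from the thread or from hashcat). The helper names, the file name sample.tc and the 7.0 entropy threshold are assumptions, and the sample file is constructed and only stands in for a container.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

SECTOR = 512
HIDDEN_HEADER_OFFSET = 128 * SECTOR  # 65536 (0x10000), zero-based, per the thread

def from_one_based(first_byte, last_byte):
    """Convert a hex editor's 1-based inclusive byte range to (offset, length)."""
    return first_byte - 1, last_byte - first_byte + 1

def extract_header(path, offset=HIDDEN_HEADER_OFFSET):
    """Return the 512 bytes at a zero-based offset (same as dd bs=1 skip=offset)."""
    if os.path.getsize(path) < offset + SECTOR:
        raise ValueError("file too small for a header at offset %d" % offset)
    with open(path, "rb") as fh:
        fh.seek(offset)
        return fh.read(SECTOR)

def entropy_bits(data):
    """Shannon entropy in bits per byte (maximum 8.0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_random(data, threshold=7.0):
    """Reject zeroed or plaintext input. It cannot confirm the offset itself:
    every sector of a real container looks random. Threshold is an assumption."""
    return entropy_bits(data) >= threshold

def build_sample(path):
    """Constructed stand-in file: 64 KiB of zeros, 512 pseudo-random bytes at
    the hidden-header position, then zero padding. Not a real container."""
    header = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    with open(path, "wb") as fh:
        fh.write(b"\x00" * HIDDEN_HEADER_OFFSET + header + b"\x00" * 4096)
    return header

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.tc")  # hypothetical file name
        expected = build_sample(sample)
        print("bytes 65537..66048 ->", from_one_based(65537, 66048))
        good = extract_header(sample)
        print("offset 65536 correct:", good == expected, looks_random(good))
        slipped = extract_header(sample, 65537)  # 1-based number used as offset
        print("offset 65537 correct:", slipped == expected)
        print("offset 0 looks random:", looks_random(extract_header(sample, 0)))
```

Using the hex editor's 1-based byte number 65537 directly as a seek or `skip=` value shifts the window by one byte, and the resulting 512 bytes will never crack.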