Posts: 3
Threads: 1
Joined: Jul 2019
07-16-2019, 08:04 PM
Hi!
I really need help, already triple checked
How do I extract the hashes from TrueCrypt volumes? but can't find anywhere which 512 bytes do I need to find the password for a
hidden partition of a
single TrueCrypt file.
I am quite friendly with hashcat but stuck even with the first step.
Please, I lost access to the family archive backup!
Posts: 2,267
Threads: 16
Joined: Feb 2013
best recommendation in such cases is always to try to generate a new very similar file/partition with TrueCrypt with known password (maybe even similar password compared to what expect) and try to crack this.
If you are able to crack your sample, the target hash should work exactly the same way (ideally just the password changes)
Posts: 3
Threads: 1
Joined: Jul 2019
Thanks, it will save a lot of time!
But my tc file is 3 TBs... the problem which 512 bytes to take and tbh how...
Posts: 18
Threads: 1
Joined: Jul 2014
Hi Costas,
as mentioned in your quoted URL you need the sector following the first 65536 bytes of the file, i.e. you need the 128th sector. Thus skip sector 0 to 127 and use the 128th.
Using a hex editor you need the 512 bytes starting with byte 65537 up to byte 66048 of the file.
Posts: 2,267
Threads: 16
Joined: Feb 2013
07-17-2019, 01:10 PM
(This post was last modified: 07-17-2019, 01:11 PM by philsmd.)
yeah and I also do not agree that testing is a waste of time or you can save time by just asking and take everything for granted. Verify it ! check if the claim about this sector is correct by generating a fresh sample hash.
The more confident you (yourself) are about the right 512 bytes and the correct way to crack a sample, the better it is.
It's always worse to spend several dozens/hundreds of hours on an uncrackable hash than just try to create a sample within a few minutes and know exactly what is going on and how a correct cracking process would look like. It's not a waste and you shouldn't be too lazy when it comes to getting confident with the right input and output and cracking steps.
Posts: 164
Threads: 5
Joined: Mar 2018
(07-17-2019, 12:39 PM)mkcon Wrote: as mentioned in your quoted URL you need the sector following the first 65536 bytes of the file, i.e. you need the 128th sector. Thus skip sector 0 to 127 and use the 128th.
Using a hex editor you need the 512 bytes starting with byte 65537 up to byte 66048 of the file.
Keep in mind that there is "offset 0"; starting byte will be at offset 65536 (0x10000) up to 66047 (0x101FF)
Posts: 3
Threads: 1
Joined: Jul 2019
07-22-2019, 11:59 AM
Thanks a lot for a help, it was easy as abc:
1. I downloaded dd for windows from
http://www.chrysocome.net//dd
2. My file backup.tc was on drive f so I run:
dd if=f:\backup.tc of=f:\backup bs=1 skip=65536 count=512
3. And finally since I remember that my password was simple 8 digits:
hashcat64.exe -m 6211 -a 3 backup ?d?d?d?d?d?d?d?d
Voila, I got the password in just 2 seconds