Hi,
How to handle Truecrypt hidden containers (not hidden partitions/OS)?
I created a test file (TC 7.1a) with RIPEMD-AES as outer container and RIPEMD-Serpent-Twofish-AES as hidden container.
I can successfully get the outer container:
However, the inner container fails:
If course, in the first case, the password list contains the password of the outer container but not the hidden and in the second case, it contains the password of he hidden container only.
Is anything special required to handle hidden TrueCrypt containers?
Bonus: The careful reader should have found something seemingly impossible to happen: is the hash mode for XTS 1536 bit (i.e. Triple Encryption such as Serpent-AES-Twofish). However, the outer container is only AES, so the hash mode is wrong! How come that hashcat still finds the correct password for the outer container although the hash mode is wrong?
Thanks!
How to handle Truecrypt hidden containers (not hidden partitions/OS)?
I created a test file (TC 7.1a) with RIPEMD-AES as outer container and RIPEMD-Serpent-Twofish-AES as hidden container.
I can successfully get the outer container:
Code:
hashcat --status -m 6213 -a 0 -w 3 2012/2012-test4.tc 2012/dict.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, skipped
* Device #2: Intel(R) HD Graphics 4000, 1336/1400 MB (350 MB allocatable), 16MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 64
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 99 MB
Dictionary cache built:
* Filename..: 2012/dict.txt
* Passwords.: 11
* Bytes.....: 200
* Keyspace..: 11
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
2012/2012-test4.tc:KYTaNF5aXnrKakHQaTJL
Session..........: hashcat
Status...........: Cracked
Hash.Name........: TrueCrypt RIPEMD160 + XTS 1536 bit
Hash.Target......: 2012/2012-test4.tc
Time.Started.....: Tue Nov 24 04:32:40 2020 (1 sec)
Time.Estimated...: Tue Nov 24 04:32:41 2020 (0 secs)
Guess.Base.......: File (2012/dict.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 18 H/s (4.33ms) @ Accel:64 Loops:16 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11/11 (100.00%)
Rejected.........: 0/11 (0.00%)
Restore.Point....: 0/11 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:1984-1999
Candidates.#2....: 02938483 -> KYTaNF5aXnrKakHQaTJL
Started: Tue Nov 24 04:32:38 2020
Stopped: Tue Nov 24 04:32:42 2020
However, the inner container fails:
Code:
hashcat --status -m 6213 -a 0 -w 3 2012/2012-test4.tc 2012/dict.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #1: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, skipped
* Device #2: Intel(R) HD Graphics 4000, 1336/1400 MB (350 MB allocatable), 16MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 64
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 99 MB
Dictionary cache built:
* Filename..: 2012/dict.txt
* Passwords.: 11
* Bytes.....: 140
* Keyspace..: 11
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: TrueCrypt RIPEMD160 + XTS 1536 bit
Hash.Target......: 2012/2012-test4.tc
Time.Started.....: Tue Nov 24 04:33:07 2020 (1 sec)
Time.Estimated...: Tue Nov 24 04:33:08 2020 (0 secs)
Guess.Base.......: File (2012/dict.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 18 H/s (4.33ms) @ Accel:64 Loops:16 Thr:8 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 11/11 (100.00%)
Rejected.........: 0/11 (0.00%)
Restore.Point....: 11/11 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:1984-1999
Candidates.#2....: 02938483 ->
Started: Tue Nov 24 04:33:05 2020
Stopped: Tue Nov 24 04:33:09 2020
If course, in the first case, the password list contains the password of the outer container but not the hidden and in the second case, it contains the password of he hidden container only.
Is anything special required to handle hidden TrueCrypt containers?
Bonus: The careful reader should have found something seemingly impossible to happen:
Code:
-m 6213
Thanks!