TCBrute icon indicating copy to clipboard operation
TCBrute copied to clipboard

Published 20 hours ago verified publisher icon IsNull

Reading full encrypted disk volumes

Open coconutingreece opened this issue 10 years ago • 5 comments

Hi,

first of all: Great work! I am so glad that there seems to be a possibility to recover my password for my TrueCrypt-Disk!

Unfortunately I have an issue about selecting the target volume: I do not have a .tc-file container but a completely encrypted hard disk. As windows does not mount such a disk it does not have a drive letter assigned. So, I tried to specify the target volume like " ?\Volume{8e251433-6fe9-155a-b719-ec6e7a6e6f889}" as this is what "mountvol" tells about the disk. This throws the following error: "ERROR: Can't find Target Volume @ "?\Volume{...}""

Maybe I just do not enter the volume id the right way. But if TCBrute misses the feature of recovering passwords for completely encrypted disks I would be very glad to propose this for a future version.

Thank you very much!

coconutingreece avatar Jul 21 '14 15:07 coconutingreece

Hi there,

Fully encrypted disks are not yet supported.

I do not have a .tc-file container but a completely encrypted hard disk.

For this case the [Select Partition] button exisits in the Target-Volume section, which allows you to select your entire encrypted drive. (But this button is greyed out for now since extraction of the Volume-Header was not working properly.)

IsNull avatar Jul 22 '14 18:07 IsNull

A workaround could be to extract the first 512 Bytes from your partition manually and dump/save it in a file. Then u can use this file with TCBrute.

TCBrute does only read the first 512 Bytes (which is the size of the true-crypt volume header) from a container and then tries to decrypt it. The actual data is not required to crack the password.

IsNull avatar Jul 22 '14 18:07 IsNull

Hi IsNull,

thank you very much for your help! Too bad that this case is not supported, yet.

I will try to extract the first bytes from the hard disk's partition manually (no clue about that by now) and report what worked out. So others may benefit from my problem.

Thank you again!

coconutingreece avatar Jul 22 '14 19:07 coconutingreece

Hi again, I am not sure if copying the first bytes and bruteforcing them works out.

To test this, I copied the first bytes of a TC container file using dd. I am able to mount this incomplete copy in TC (gladly, I still know the password for this container file). But when I use TCBrute with the copied file and the correct password in a .txt-file it says "Password not found withhin this wordlist."

First I thought, dd might not be the appropriate way to copy the container's header but as TC is able to mount this copied file, I am not sure what went wrong here. Maybe the header differs in any way.

By now I recovered the password by thinking. The brain is a powerful tool :-D

coconutingreece avatar Jul 24 '14 09:07 coconutingreece

Hm strange. You probably would have to include few more bytes (+1 Byte or twice the header size) and try again...

By now I recovered the password by thinking. The brain is a powerful tool :-D

Nice :-)

IsNull avatar Jul 31 '14 09:07 IsNull