Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 May 2015 22:23:45 +0100
From: Demian Smith <>
Subject: Re: Advise on best approach (truecrypt pw based on pdf

Not all hope is lost, so?

So, what I did was:

attach the external device to usb and verify it's "path" via lsblk
and/or truecryp. This led to
sdb                    8:16   0 465.7G  0 disk
└─sdb1             8:17   0 465.7G  0 part

I than do:
[demian@...nymous:~/.bin/JtR/run]$ ./truecrypt_volume2john /dev/sdb1 >

which results in the attached hash file.

I had tried the same on a usb key, as well running truecrypt2john versus
the partition on sdb1, which then had been "cracked"...

If I create a hashfile on /dev/sdb instead, I get

john --session=wl --wordlist=/home/wpd_for_mark_second.txt ~/no_partition
Warning: detected hash type "tc_aes_xts", but the string is also
recognized as "tc_ripemd160"
Use the "--format=tc_ripemd160" option to force loading these as that
type instead
Loaded 6 password hashes with 6 different salts (tc_aes_xts, TrueCrypt
AES256_XTS [SHA512 128/128 SSE4.1 2x /RIPEMD160/WHIRLPOOL])
Loaded hashes with cost 1 (hash algorithm [1:SHA512 2:RIPEMD160
3:Whirlpool]) varying from 1 to 3
Will run 4 OpenMP threads

If I force ripemd w/ --format=tc_ripemd160:


Loaded 2 password hashes with 2 different salts (tc_ripemd160, TrueCrypt
AES256_XTS [RIPEMD160 32/64])

Will run 4 OpenMP threads

while the hashfile itself looks different ...

i did look into the doc folder but could not spot anything related to
truecrypt, I hope I did not just miss it...

Also, I hope I just made a mistake somewhere on the lines of generating
the hashes, maybe ...

Thanks for keeping my hopes up,
'It's no measure of mental health to be well adjusted
to a profoundly sick society.'

Sinéad O'Connor

 ★ On 15/05/19 09:00 p.m. Magnum wrote ★
> On 2015-05-19 20:35, Demian Smith wrote:
>> I right now run the two filters on the first txt file I create from the
>> suspect pdf and will then go back to incremental, as the Markov mode -
>> in my case - does not appear to be producing useful candidates.
>> Thanks again for all the effort, I'm pretty sure this is a layer 8 issue
>> right now :s
> Maybe we should revert to verifying your truerypt_volume2john
> invocation/results.
> Please recap what you had, what you did and what you got. Were you
> feeding truecrypt_volume2john a file or a device special node? Was there
> any output on stderr? How does your "hash" file look? I still wonder why
> you got two "hashes".
> magnum

View attachment "hash" of type "text/plain" (6418 bytes)

View attachment "hash_nopart" of type "text/plain" (6406 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.