This tool extracts password hashes from TrueCrypt volumes for secure recovery and analysis.
Supported Tools:
Extract a John the Ripper hash from a TrueCrypt (or VeraCrypt-compatible) encrypted volume with truecrypt2john. For authorized recovery only.
truecrypt2john reads the header of a TrueCrypt-encrypted container or volume and produces a hash for recovering its password offline. TrueCrypt stores no plaintext signature; the first 512 bytes are the encrypted header, and the password plus key derivation must decrypt it to a recognizable structure. The tool packages those header bytes and the assumed cipher/PRF so a cracker can test passwords. It does not mount or decrypt the volume.
Input:
volume.tc / first 512 bytes of a TrueCrypt container
Output:
volume.tc:$truecrypt$<512-byte header in hex>
Does this also handle VeraCrypt?
The TrueCrypt header format is the basis for VeraCrypt, but VeraCrypt uses higher iteration counts and its own modes; use the VeraCrypt-specific handling/modes for those volumes.
Why does TrueCrypt cracking try multiple PRFs?
A TrueCrypt header gives no hint of which hash (RIPEMD-160/SHA-512/Whirlpool) and cipher were used, so the cracker must try each combination.
Which hashcat modes apply?
TrueCrypt volumes use hashcat modes 6211-6243 depending on cipher and PRF.