Hidden TC volume: program to bruteforce wordlist for hidden volume password?

I'm trying to recover a partially-remembered password for a hidden TrueCrypt volume. The password for the standard, non-hidden outer volume is remembered, but the password for the hidden volume was partially forgotten.

I generated a .txt wordlist of about 150,000 possible passwords.

Does anyone know of a program which can take this wordlist and run it against the TC container as a hidden volume password?

The program tcbrute (http://securityvision.ch/) works well for standard volumes. However, it does not function for hidden volumes. [Even if a word in the wordlist is the correct password for a hidden volume, tcbrute does not recognize that it has succeeded and will continue checking for a password which opens the standard, non-hidden outer volume].

I noticed 2 similar threads in recent months:
https://www.wilderssecurity.com/showthread.php?t=282121
https://www.wilderssecurity.com/showthread.php?t=283329

However, in both these situations, it appears to be for standard, outer volumes, rather than for the hidden, inner volume. I have not found other programs which can test hidden volume passwords.

Thank you.

 

I'm in the middle of working on one. The command line version seems to be fully working, except for security tokens. The GUI version is only about 80% done.

I'll try to put up a version for you to play with when I get home later (maybe 4-6 hours?).

What kind of CPU do you have? Intel? MultiCore?

Do you know which hash method you used? This can significantly speed up the process.


Some speed results:

1 Thread running on a Dual Quad Core Xeon X5550 @2.67GHz machine
15 passwords per second - the hash method is unknown so it has to try RipedMD, SHA512 and Whirlpool
24 passwords per second - just trying RipeMD
101 passwords per second - just trying SHA512
71 passwords per second - just trying Whirlpool

16 Threads running on a Dual Quad Core Xeon X5550 @2.67GHz machine
160 passwords per second - the hash method is unknown so it has to try RipedMD, SHA512 and Whirlpool
270 passwords per second - just trying RipeMD
810 passwords per second - just trying SHA512
630 passwords per second - just trying Whirlpool


It's not pretty, it runs from the command line:

OTFBrutus.exe -i "C:\TrueCryptFile.tc" -d "C:\Wordlist.txt" -h "-4" -m "-4" -c "-4" -v 1 -b 0 -t 16 -s 0 -e 0

-i = The input file/device
__a TrueCrypt file "C:\TrueCrypt.tc"
__a partition "\\?\GLOBALROOT\Device\Harddisk0\Partition1"
__a backup header "C:\TrueCrypt.header"
__a system rescue disc "C:\RescueDisc.iso"

-d = Path to your word list
-h = Hash method to use (RipdeMD, etc.)
-m = Encryption Mode (XTS, LRW, etc.)
-c = Encryption Cipher (AES, Twofish, etc.)
-v = Which volume: Standard = 0, Hidden = 1
-b = Is this a system encryption volume
-t = The number of threads to run simultaneously (This should be set to the number of cores in your system)
-s = Where to start in the word list
-e = Where to end in the word list (0 = end of file)

If I can get it ready for you test, I'll put up a few more specific details about it's use.

 

those that make sure that they use a password like: z"x?.PCK|%>q2:6$[c;*8%^}5>6?n,-(SUKl\H+Q7LN:&-au=5Yj9m`Yo-yjP/qfnClt!2oEBp,o)f%B6%j~@kxx.P_>I.>cP?;M5QrH:Fre$5CTtzbkMhQ7A_O-eR will make a tool like this useless. I mean how long would it take to bruteforce that password?

 

And cracking a password like that is not the point of a tool like this. The OP forgot part of his/her password and has narrowed it down to about 150,000 possibilities. A tool like this can help in that type of situation.

 

tateu, welcome to the forum! Are you a coder?

 

Cutting_Edgetech, thanks. And yes, I can do a little programming here and there. Nothing fantastic, usually just small utilities for my own personal use or in house at work. I release a few things occasionally: some plugins for AviSynth, the original commandline OTFExplorer for TrueCrypt v4.x volumes.

And I should have a version of the commandline brute-forcer available sometime soonish. I'm just cleaning up a few last minute details with it.

 

Hi tateu -

Thanks, the application you're working on sounds good.

You created it specifically to check for hidden volumes only, not standard volumes?

In answer to your questions:
- Intel
- RipeMD

The wordlist I generated is a standard .txt file. Each word is separated by a carriage return. It works fine for other programs I've found which batchfile words to truecrypt.

The speed you mention (password attempts/second) is very fast compared to what I've seen. As an example, tcbrute checking for standard, non-hidden volume passwords runs at around 3-4 words/second for me.

Please let me know when you have something we can test out, and I'll be happy to give you feedback on how it goes.

Thanks.

 

It can check standard, hidden or system volumes. You tell it which via a command line parameter.

-v 0 Standard Volume
-v 1 Hidden Volume
-v 2 System Volume
-v 3 Hidden Volume Legacy Format

Here is the command line version. Unfortunately the GUI version isn't ready and I probably won't have time to finish it until after New Year's and the command line version is a little complex...Please see OTFBrutus.txt, OTFBrutus_Options.txt and OTFBrutus_Sample.bat for usage. They are included in the zip file.

Binary
http://www.tateu.net/software/dl.php?f=OTFBrutus_bin
Source Code
http://www.tateu.net/software/dl.php?f=OTFBrutus_src

There are two things that make OTFBrutus faster than TCBrute. The first reason is that I use the open source Crypto++ library to run the hash algorithms through PKCS5_PBKDF2_HMAC. I found that the Crypto++ library is a little faster (especially with SHA512) than the TrueCrypt library (which is used by TCBrute). And second, with OTFBrutus, you can select which hash algorithms that you want to try. TCBrute always tries them all. If you look at my speed tests a few posts above this one, you can see that trying just SHA512 (810 p/s) is significantly faster than trying RipedMD, SHA512 and Whirlpool (only 160 p/s). And again, those numbers are from a machine that can run 16 simultaneous threads.

So, if you are 100% sure that you used RipeMD, your commandline might look like this:

a Partition hosted volume
OTFBrutus.exe -i "\\?\GLOBALROOT\Device\Harddisk1\Partition1" -d "C:\word_list.txt" -h 0 -m -2 -c -2 -v 1 -t 2

-i is the input partition or file
-d is the input word list. It also has a simple password generator, you can read about that in the supplied text files.
-h 0 specifies to use only RipeMD
-m -2 specifies to use only current Encryption Modes
-c -2 specifies to use only current Encryption Algorithms
-v 1 specifies to try the Hidden Volume
-t 2 specifies to run 2 threads simultaneously (you should set this to however many CPU cores you have installed)

and if you ran this on an old Single Core Pentium 4 machine you would see output like this:

Code:

OTFBrutus v0.1.0.0
Attempting to read the Hidden Volume from a Device hosted Container:
        \\?\GLOBALROOT\Device\Harddisk1\Partition1
Using a custom word list:
        C:\word_list.txt
containing:
        600 passwords
Cipher:
        AES
        Serpent
        Twofish
        AES-Twofish
        AES-Twofish-Serpent
        Serpent-AES
        Serpent-Twofish-AES
        Twofish-Serpent
Hash:
        Ripemd160
Mode:
        XTS

Percent      Duration      TimeLeft       Speed      Count
     5%       0:00:01       0:00:36     15.56/s         31

Good luck and feel free to ask any questions you need to for clarification on useage or whatever.

 

I'm very excited to see your new program! It sounds amazing. I am so tired of poking along at 4pw/sec with my stupid batchfiles. Thanks so much for making this available. I'll try out your code as soon as I get the chance.

 

Most batchfile-based methods merely run an unmodified version of TC against a wordlist, so they check every combination of hashes, algorithms, etc., including both standard and hidden volumes, just as TC does when you attempt to mount a volume, which is part of the reason why that approach is so slow.

It sounds like you've already tried that method without success. Did you test the procedure using a short word list and a test container with a known hidden volume password, just to ensure that it was working properly?

 

Glad to see you joined the forum. Its always good to see new talent!

 

Tateu -

Thanks for the program and the explanations. I'll test it out now. If I have any questions, I'll post them in the next few days in this forum. Otherwise, I'll get back to you with feedback soon enough. Thanks again.

Dantz -

I have used other programs to recover standard, non-hidden volume TC passwords. Currently, the most effective I know of is tcbrute. As I wrote, unfortunately none of them are able to test hidden volume passwords. I tested the programs I have seen with a test volume and short word list, and they all fail to recognize the correct hidden volume password.

They are also significantly slower than the speeds tateu's application apparently reaches, even when testing all hash algorithms.

Thanks again. I will post back with questions or feedback.

 

Well, I lied. I was supposed to just laze around the house today and catch up on some TV but I've been stuck (happily?) in front of the computer for 10 hours getting the GUI version ready. And I think it is...

It still needs some polish but it appears to work. I'm sure it has some bugs here and there, I haven't played with it as much as the command line version.

http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_bin
http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_src

And some screen shots:
http://www.tateu.net/images/OTFBrutusGUI_v.0.1.0.0_bin01.jpg
http://www.tateu.net/images/OTFBrutusGUI_v.0.1.0.0_bin02.jpg

 

I've finally had a chance to try out tateu's new program. The interface is surprisingly flexible, far more so than I would have expected, and the program itself runs very quickly for a TrueCrypt bruteforcer. You can select which hashes, algorithms, etc. you want to include in the test, so if you happen to know which ones were used to create the volume then you can significantly reduces the number of combinations that need to be tested. You can even choose how many separate threads you want to run, and I assume the optimal number would be whatever it takes to push the CPU utilization up to 100%. Two threads seemed to work best with my Core 2 Duo processor, as adding more threads caused no further speed improvement.

After the operation has completed a summary screen displays the test parameters plus various final statistics such as the number of passwords tested, duration of the test, speed of operation, and of course the password itself (if found).

During my first test I used the default hash and encryption algorithm settings for TC v7.0, along with a precomputed wordlist. According to the summary screen, the program processed 32 pw/sec until it found my password.

I then selected only the hash and encryption algorithms that I knew were used to create my test file, which brought the search speed up to 52 pw/sec. Wow! This is far higher than anything I've been able to achieve using batchfiles and an unmodified copy of TC.

A fairly flexible password generator is also included. I was able to set up a pattern based on the known characters and length of my 'lost' test password, after which the program was able to calculate all of the possible character combinations itself rather than using my precalculated wordlist. Another handy feature is the program's ability to successfully test each password against the first 512-bytes of the header rather than requiring the presence of the entire volume.

As far as I am aware this new program blows all other publicly-available TrueCrypt brute forcers out of the water in terms of both speed and flexibility. Altogether it's a very impressive piece of work, and I'd like to send a big thank you to tateu for making this program available. I'm sure it will help many users recover their partially-forgotten TrueCrypt passwords.

I'll be performing more comprehensive testing in the near future and will report back if I find any other noteworthy features/limitations/etc.

Bugs and/or usability issues:
I wish the tooltips would stay open a little longer, particularly the ones that describe how to set up the password patterns. Mine disappear after just a few seconds. Alternatively, it would be nice to see that information included in a separate help/documentation section.

edit: I just noticed that the information I was seeking is included in the "OTFBrutusGUI.txt" file that's included in the zip archive.

 

I'm glad to hear it works and thanks for the review.

I wish the tooltips stayed open longer too. That is a function of the GUI library, wxWidgets, and the stable version I am compiling against doesn't have a setting for that. The development version does, so I need look into how it's done. And it really needs a help file but I am not the most organized person in the world and so not usually very good at putting those together.

Eventually, I'd like to incorporate settings for FreeOTFE and DiskCryptor. I also need to add Security Token support, but I don't have one so I have to no way to test it.

Hopefully someone out there with a partially forgotten password finds it helpful.

There is an updated version available at the same links. The main change is that I added a Select Devices Dialog.

v0.1.0.3
http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_bin
http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_src

v0.1.0.3 - 2010-12-13
Fix Select Devices Dialog to correctly read GPT formatted parition tables

v0.1.0.2 - 2010-12-12
Added Select Devices Button and Dialog
Added days calculation to time left and elapsed
Significantly sped up counting of dictionary words
Fixed some bugs with start and end index
Some bugs fixed with time elapsed/remaing calculation
Added hidden (source code only) option to use Crypto++ or TrueCrypt PKCS methods

v0.1.0.0 - 2010-12-11
Initial Release

 

Small update:

http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_bin
http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_src

0.1.0.4 - 2010-12-14
Added the ability to save the custom password pattern to a word list file

 

Is this program any good if use a key file

 

Keyfiles are supported. If one or more keyfiles are required in order to decrypt a TrueCrypt volume then you should click on Add Keyfiles and list their pathnames before you begin your search.

 

For Truecrypt, is it possible to grab the Hash for offline cracking?

 

@ tateu , dantz

you look like an expert so here my question " what the use of the header specially the first 512 bytes

 

The only value information I could find on harvesting the password file (hash/key) was for an assessment on Truecrypt 6.0.

Security Assesment of Truecrypt - 6.0-6.1 - Sogeti ESEC Lab

If the hash or key can be harvested from memory then offline cracking would be much faster.

Is a memory dump sufficient to harvest the hash/password of Truecrypt or would something like firewire DMA be necessary?

 

In that case it is almost instant. The volume key can be read directly from memory while a volume is mounted or from a memory dump file created while a volume is mounted. There are already products out there that do this and they can start decrypting your data within a few minutes. If someone has physical access to your machine while it is running with a mounted Truecrypt (and for that matter, any other drive drive encryption program's) volume, all bets are off. Drive encryption programs such as TrueCrypt, BitLocker, PGP Desktop, etc. are really able to protect your data while a drive is mounted.

you might want to read the TrueCrypt manual about that. Maybe it has some info that can help.

 

what could get from the manual
a\ any change on the first 512 byte will corrput the header no way to mount until repair
b\ any change on the bytes from 65536 will corrumpt the hidden vlume header

my question again if the header courrpted and the algorithme cracked ..., no header and plain text how any one could crack such a file it could be random data how the cracker know the encryption with out the header want the answer from any one read write algorithme before

stupid question but there something behind that

 

Along the same lines as what I think you're describing, I've read posts from several somewhat devious users who have deliberately replaced their volume headers with different ones in order to make their data impossible to decrypt, even when the correct password is used. This can easily be done using the TrueCrypt interface.

If the header can't be used to decrypt the data then you would have to attack the cipher (such as AES256 or Serpent) head-on. I don't know of any person, group or government that can do that, although I suppose you never know.

 

In Truecrypt I click "mount".
I am presented with a password verification screen.
I assume the volume is not yet mounted until the password is verified.
The hash of the password has to be loaded into memory for a comparison to take place, no?
Memory dump the hash for offline cracking, easy as pi.