Hidden TC volume: program to bruteforce wordlist for hidden volume password?

Discussion in 'privacy technology' started by Pritchard, Dec 10, 2010.

Thread Status:
Not open for further replies.
  1. Pritchard

    Pritchard Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    4
    I'm trying to recover a partially-remembered password for a hidden TrueCrypt volume. The password for the standard, non-hidden outer volume is remembered, but the password for the hidden volume was partially forgotten.

    I generated a .txt wordlist of about 150,000 possible passwords.

    Does anyone know of a program which can take this wordlist and run it against the TC container as a hidden volume password?

    The program tcbrute (http://securityvision.ch/) works well for standard volumes. However, it does not function for hidden volumes. [Even if a word in the wordlist is the correct password for a hidden volume, tcbrute does not recognize that it has succeeded and will continue checking for a password which opens the standard, non-hidden outer volume].

    I noticed 2 similar threads in recent months:
    https://www.wilderssecurity.com/showthread.php?t=282121
    https://www.wilderssecurity.com/showthread.php?t=283329

    However, in both these situations, it appears to be for standard, outer volumes, rather than for the hidden, inner volume. I have not found other programs which can test hidden volume passwords.

    Thank you.
     
  2. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    I'm in the middle of working on one. The command line version seems to be fully working, except for security tokens. The GUI version is only about 80% done.

    I'll try to put up a version for you to play with when I get home later (maybe 4-6 hours?).

    What kind of CPU do you have? Intel? MultiCore?

    Do you know which hash method you used? This can significantly speed up the process.


    Some speed results:

    1 Thread running on a Dual Quad Core Xeon X5550 @2.67GHz machine
    15 passwords per second - the hash method is unknown so it has to try RipeMD, SHA512 and Whirlpool
    24 passwords per second - just trying RipeMD
    101 passwords per second - just trying SHA512
    71 passwords per second - just trying Whirlpool

    16 Threads running on a Dual Quad Core Xeon X5550 @2.67GHz machine
    160 passwords per second - the hash method is unknown so it has to try RipeMD, SHA512 and Whirlpool
    270 passwords per second - just trying RipeMD
    810 passwords per second - just trying SHA512
    630 passwords per second - just trying Whirlpool


    It's not pretty, it runs from the command line:

    OTFBrutus.exe -i "C:\TrueCryptFile.tc" -d "C:\Wordlist.txt" -h "-4" -m "-4" -c "-4" -v 1 -b 0 -t 16 -s 0 -e 0

    -i = The input file/device
        a TrueCrypt file "C:\TrueCrypt.tc"
        a partition "\\?\GLOBALROOT\Device\Harddisk0\Partition1"
        a backup header "C:\TrueCrypt.header"
        a system rescue disc "C:\RescueDisc.iso"

    -d = Path to your word list
    -h = Hash method to use (RipeMD, etc.)
    -m = Encryption Mode (XTS, LRW, etc.)
    -c = Encryption Cipher (AES, Twofish, etc.)
    -v = Which volume: Standard = 0, Hidden = 1
    -b = Is this a system encryption volume
    -t = The number of threads to run simultaneously (This should be set to the number of cores in your system)
    -s = Where to start in the word list
    -e = Where to end in the word list (0 = end of file)

    If I can get it ready for you to test, I'll put up a few more specific details about its use.
     
  3. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Those who make sure that they use a password like: z"x?.PCK|%>q2:6$[c;*8%^}5>6?n,-(SUKl\H+Q7LN:&-au=5Yj9m`Yo-yjP/qfnClt!2oEBp,o)f%B6%j~@kxx.P_>I.>cP?;M5QrH:Fre$5CTtzbkMhQ7A_O-eR will make a tool like this useless. I mean, how long would it take to bruteforce that password?
     
  4. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    And cracking a password like that is not the point of a tool like this. The OP forgot part of his/her password and has narrowed it down to about 150,000 possibilities. A tool like this can help in that type of situation.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    tateu, welcome to the forum! Are you a coder?
     
  6. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    Cutting_Edgetech, thanks. And yes, I can do a little programming here and there. Nothing fantastic, usually just small utilities for my own personal use or in house at work. I release a few things occasionally: some plugins for AviSynth, the original commandline OTFExplorer for TrueCrypt v4.x volumes.

    And I should have a version of the commandline brute-forcer available sometime soonish. I'm just cleaning up a few last minute details with it.
     
  7. Pritchard

    Pritchard Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    4
    Hi tateu -

    Thanks, the application you're working on sounds good.

    You created it specifically to check for hidden volumes only, not standard volumes?

    In answer to your questions:
    - Intel
    - RipeMD

    The wordlist I generated is a standard .txt file. Each word is separated by a carriage return. It works fine for other programs I've found which batchfile words to truecrypt.

    The speed you mention (password attempts/second) is very fast compared to what I've seen. As an example, tcbrute checking for standard, non-hidden volume passwords runs at around 3-4 words/second for me.

    Please let me know when you have something we can test out, and I'll be happy to give you feedback on how it goes.

    Thanks.
     
  8. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    It can check standard, hidden or system volumes. You tell it which via a command line parameter.

    -v 0 Standard Volume
    -v 1 Hidden Volume
    -v 2 System Volume
    -v 3 Hidden Volume Legacy Format

    Here is the command line version. Unfortunately the GUI version isn't ready and I probably won't have time to finish it until after New Year's and the command line version is a little complex...Please see OTFBrutus.txt, OTFBrutus_Options.txt and OTFBrutus_Sample.bat for usage. They are included in the zip file.

    Binary
    http://www.tateu.net/software/dl.php?f=OTFBrutus_bin
    Source Code
    http://www.tateu.net/software/dl.php?f=OTFBrutus_src

    There are two things that make OTFBrutus faster than TCBrute. The first reason is that I use the open source Crypto++ library to run the hash algorithms through PKCS5_PBKDF2_HMAC. I found that the Crypto++ library is a little faster (especially with SHA512) than the TrueCrypt library (which is used by TCBrute). And second, with OTFBrutus, you can select which hash algorithms you want to try. TCBrute always tries them all. If you look at my speed tests a few posts above this one, you can see that trying just SHA512 (810 p/s) is significantly faster than trying RipeMD, SHA512 and Whirlpool (only 160 p/s). And again, those numbers are from a machine that can run 16 simultaneous threads.

    So, if you are 100% sure that you used RipeMD, your commandline might look like this:

    a Partition hosted volume
    OTFBrutus.exe -i "\\?\GLOBALROOT\Device\Harddisk1\Partition1" -d "C:\word_list.txt" -h 0 -m -2 -c -2 -v 1 -t 2

    -i is the input partition or file
    -d is the input word list. It also has a simple password generator, you can read about that in the supplied text files.
    -h 0 specifies to use only RipeMD
    -m -2 specifies to use only current Encryption Modes
    -c -2 specifies to use only current Encryption Algorithms
    -v 1 specifies to try the Hidden Volume
    -t 2 specifies to run 2 threads simultaneously (you should set this to however many CPU cores you have installed)

    and if you ran this on an old Single Core Pentium 4 machine you would see output like this:
    Code:
    OTFBrutus v0.1.0.0
    Attempting to read the Hidden Volume from a Device hosted Container:
            \\?\GLOBALROOT\Device\Harddisk1\Partition1
    Using a custom word list:
            C:\word_list.txt
    containing:
            600 passwords
    Cipher:
            AES
            Serpent
            Twofish
            AES-Twofish
            AES-Twofish-Serpent
            Serpent-AES
            Serpent-Twofish-AES
            Twofish-Serpent
    Hash:
            Ripemd160
    Mode:
            XTS
    
    Percent      Duration      TimeLeft       Speed      Count
         5%       0:00:01       0:00:36     15.56/s         31
    Good luck and feel free to ask any questions you need to for clarification on usage or whatever.
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I'm very excited to see your new program! It sounds amazing. I am so tired of poking along at 4pw/sec with my stupid batchfiles. Thanks so much for making this available. I'll try out your code as soon as I get the chance.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Most batchfile-based methods merely run an unmodified version of TC against a wordlist, so they check every combination of hashes, algorithms, etc., including both standard and hidden volumes, just as TC does when you attempt to mount a volume, which is part of the reason why that approach is so slow.
    It sounds like you've already tried that method without success. Did you test the procedure using a short word list and a test container with a known hidden volume password, just to ensure that it was working properly?
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Glad to see you joined the forum. It's always good to see new talent!
     
  12. Pritchard

    Pritchard Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    4
    Tateu -

    Thanks for the program and the explanations. I'll test it out now. If I have any questions, I'll post them in the next few days in this forum. Otherwise, I'll get back to you with feedback soon enough. Thanks again.

    Dantz -
    I have used other programs to recover standard, non-hidden volume TC passwords. Currently, the most effective I know of is tcbrute. As I wrote, unfortunately none of them are able to test hidden volume passwords. I tested the programs I have seen with a test volume and short word list, and they all fail to recognize the correct hidden volume password.

    They are also significantly slower than the speeds tateu's application apparently reaches, even when testing all hash algorithms.

    Thanks again. I will post back with questions or feedback.
     
  13. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    Well, I lied. I was supposed to just laze around the house today and catch up on some TV but I've been stuck (happily?) in front of the computer for 10 hours getting the GUI version ready. And I think it is...

    It still needs some polish but it appears to work. I'm sure it has some bugs here and there, I haven't played with it as much as the command line version.

    http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_bin
    http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_src

    And some screen shots:
    http://www.tateu.net/images/OTFBrutusGUI_v.0.1.0.0_bin01.jpg
    http://www.tateu.net/images/OTFBrutusGUI_v.0.1.0.0_bin02.jpg
     
    Last edited: Dec 12, 2010
  14. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I've finally had a chance to try out tateu's new program. The interface is surprisingly flexible, far more so than I would have expected, and the program itself runs very quickly for a TrueCrypt bruteforcer. You can select which hashes, algorithms, etc. you want to include in the test, so if you happen to know which ones were used to create the volume then you can significantly reduce the number of combinations that need to be tested. You can even choose how many separate threads you want to run, and I assume the optimal number would be whatever it takes to push the CPU utilization up to 100%. Two threads seemed to work best with my Core 2 Duo processor, as adding more threads caused no further speed improvement.

    After the operation has completed a summary screen displays the test parameters plus various final statistics such as the number of passwords tested, duration of the test, speed of operation, and of course the password itself (if found).

    During my first test I used the default hash and encryption algorithm settings for TC v7.0, along with a precomputed wordlist. According to the summary screen, the program processed 32 pw/sec until it found my password.

    I then selected only the hash and encryption algorithms that I knew were used to create my test file, which brought the search speed up to 52 pw/sec. Wow! This is far higher than anything I've been able to achieve using batchfiles and an unmodified copy of TC.

    A fairly flexible password generator is also included. I was able to set up a pattern based on the known characters and length of my 'lost' test password, after which the program was able to calculate all of the possible character combinations itself rather than using my precalculated wordlist. Another handy feature is the program's ability to successfully test each password against the first 512-bytes of the header rather than requiring the presence of the entire volume.

    As far as I am aware this new program blows all other publicly-available TrueCrypt brute forcers out of the water in terms of both speed and flexibility. Altogether it's a very impressive piece of work, and I'd like to send a big thank you to tateu for making this program available. I'm sure it will help many users recover their partially-forgotten TrueCrypt passwords.

    I'll be performing more comprehensive testing in the near future and will report back if I find any other noteworthy features/limitations/etc.

    Bugs and/or usability issues:
    I wish the tooltips would stay open a little longer, particularly the ones that describe how to set up the password patterns. Mine disappear after just a few seconds. Alternatively, it would be nice to see that information included in a separate help/documentation section.

    edit: I just noticed that the information I was seeking is included in the "OTFBrutusGUI.txt" file that's included in the zip archive.
     
    Last edited: Dec 13, 2010
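    The check tateu describes a few posts up (PBKDF2 over the header salt, then a trial decryption, with one derivation per candidate per hash algorithm tried) and the 512-byte-header property dantz notes above, as an added Go example that is not OTFBrutus code or anything from this thread. It builds a synthetic header in the TrueCrypt 6.x/7.x layout as I remember it (64-byte salt in the clear, "TRUE" magic, two CRC-32 fields, 256-byte master key area, AES-XTS with data unit 0, 1000-iteration PBKDF2-HMAC-SHA-512) and runs a constructed candidate list through the same per-password check a recovery tool performs. The offsets, iteration count and single-cipher setup are my assumptions, not values from the thread; the builder and the checker are consistent with each other, and compatibility with real volumes is not claimed.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"hash/crc32"
)

const sha512Iterations = 1000 // TrueCrypt's PBKDF2 count for SHA-512, non-system volumes (from memory, not the thread)
// pbkdf2HMACSHA512 is plain RFC 2898 PBKDF2 with HMAC-SHA-512 as the PRF; one call per candidate per hash tried.
func pbkdf2HMACSHA512(password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha512.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// xtsAES applies AES-XTS with data unit number 0 (as the header region uses) to whole 16-byte blocks.
func xtsAES(key1, key2, data []byte, decrypt bool) []byte {
	c1, _ := aes.NewCipher(key1) // block cipher for the data; keys are always 32 bytes here
	c2, _ := aes.NewCipher(key2) // block cipher for the tweak
	tweak := make([]byte, 16)    // data unit 0 as a little-endian block, encrypted under key2
	c2.Encrypt(tweak, tweak)
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += 16 {
		var blk [16]byte
		for j := range blk {
			blk[j] = data[off+j] ^ tweak[j]
		}
		if decrypt {
			c1.Decrypt(blk[:], blk[:])
		} else {
			c1.Encrypt(blk[:], blk[:])
		}
		carry := byte(0)
		for j := range blk { // unmask with the current tweak, then tweak *= alpha in GF(2^128)
			out[off+j] = blk[j] ^ tweak[j]
			next := tweak[j] >> 7
			tweak[j] = tweak[j]<<1 | carry
			carry = next
		}
		if carry != 0 {
			tweak[0] ^= 0x87
		}
	}
	return out
}

// buildHeader makes a 512-byte header in the TrueCrypt 6.x/7.x layout as I remember it:
// 64-byte salt in the clear, then 448 encrypted bytes holding "TRUE", two CRC-32s and the
// 256-byte master key area (the version fields are left zero in this fixture).
func buildHeader(password, salt, masterKeys []byte) []byte {
	plain := make([]byte, 448)
	copy(plain[0:4], "TRUE")
	copy(plain[192:], masterKeys) // 256-byte key area
	binary.BigEndian.PutUint32(plain[8:12], crc32.ChecksumIEEE(plain[192:]))    // CRC of key area
	binary.BigEndian.PutUint32(plain[188:192], crc32.ChecksumIEEE(plain[:188])) // CRC of header fields
	key := pbkdf2HMACSHA512(password, salt, sha512Iterations, 64)
	header := make([]byte, 512)
	copy(header, salt) // 64 bytes, stored in the clear
	copy(header[64:], xtsAES(key[:32], key[32:], plain, false))
	return header
}

// tryPassword is the per-candidate check: derive the key from the salt, decrypt the 448 bytes,
// accept only if magic and both CRCs agree. Only the first 512 bytes of the volume are read.
func tryPassword(header, password []byte) bool {
	key := pbkdf2HMACSHA512(password, header[:64], sha512Iterations, 64)
	p := xtsAES(key[:32], key[32:], header[64:512], true)
	return string(p[:4]) == "TRUE" && binary.BigEndian.Uint32(p[188:192]) == crc32.ChecksumIEEE(p[:188]) && binary.BigEndian.Uint32(p[8:12]) == crc32.ChecksumIEEE(p[192:])
}

// searchWordlist returns the first matching word and how many key derivations were spent.
func searchWordlist(header []byte, words []string) (string, int) {
	for i, w := range words {
		if tryPassword(header, []byte(w)) {
			return w, i + 1
		}
	}
	return "", len(words)
}
```

    To exercise it, build a header with buildHeader from a constructed salt and key area, then pass a candidate list to searchWordlist. The count it returns is the number of PBKDF2 derivations spent, which is the quantity the speed table in the earlier post measures per second; with the hash method unknown that count is multiplied by the number of hash algorithms tried, which is the whole reason narrowing the hash choice speeds the search up. A hidden volume's header would be read from byte offset 65536 of the container rather than offset 0, but the check on those 512 bytes is the same.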
  15. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    I'm glad to hear it works and thanks for the review.

    I wish the tooltips stayed open longer too. That is a function of the GUI library, wxWidgets, and the stable version I am compiling against doesn't have a setting for that. The development version does, so I need to look into how it's done. And it really needs a help file, but I am not the most organized person in the world and so not usually very good at putting those together.

    Eventually, I'd like to incorporate settings for FreeOTFE and DiskCryptor. I also need to add Security Token support, but I don't have one so I have no way to test it.

    Hopefully someone out there with a partially forgotten password finds it helpful.

    There is an updated version available at the same links. The main change is that I added a Select Devices Dialog.

    v0.1.0.3
    http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_bin
    http://www.tateu.net/software/dl.php?f=OTFBrutusGUI_src

    v0.1.0.3 - 2010-12-13
    Fix Select Devices Dialog to correctly read GPT formatted partition tables

    v0.1.0.2 - 2010-12-12
    Added Select Devices Button and Dialog
    Added days calculation to time left and elapsed
    Significantly sped up counting of dictionary words
    Fixed some bugs with start and end index
    Some bugs fixed with time elapsed/remaining calculation
    Added hidden (source code only) option to use Crypto++ or TrueCrypt PKCS methods

    v0.1.0.0 - 2010-12-11
    Initial Release
     
  16. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
  17. realoddie

    realoddie Registered Member

    Joined:
    Dec 15, 2010
    Posts:
    11
    Is this program any good if I use a key file?
     
  18. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Keyfiles are supported. If one or more keyfiles are required in order to decrypt a TrueCrypt volume then you should click on Add Keyfiles and list their pathnames before you begin your search.
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    For Truecrypt, is it possible to grab the Hash for offline cracking?
     
  20. realoddie

    realoddie Registered Member

    Joined:
    Dec 15, 2010
    Posts:
    11
    @ tateu , dantz

    You look like experts, so here is my question: what is the use of the header, especially the first 512 bytes?
     
  21. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    The only valuable information I could find on harvesting the password file (hash/key) was for an assessment on Truecrypt 6.0.

    Security Assessment of Truecrypt - 6.0-6.1 - Sogeti ESEC Lab

    If the hash or key can be harvested from memory then offline cracking would be much faster.

    Is a memory dump sufficient to harvest the hash/password of Truecrypt or would something like firewire DMA be necessary?
     
  22. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    In that case it is almost instant. The volume key can be read directly from memory while a volume is mounted or from a memory dump file created while a volume is mounted. There are already products out there that do this and they can start decrypting your data within a few minutes. If someone has physical access to your machine while it is running with a mounted Truecrypt (and for that matter, any other drive encryption program's) volume, all bets are off. Drive encryption programs such as TrueCrypt, BitLocker, PGP Desktop, etc. are really able to protect your data while a drive is mounted.

    You might want to read the TrueCrypt manual about that. Maybe it has some info that can help.
     
    Last edited: Dec 17, 2010
  23. realoddie

    realoddie Registered Member

    Joined:
    Dec 15, 2010
    Posts:
    11
    What I could get from the manual:
    a\ any change on the first 512 bytes will corrupt the header; no way to mount until repaired
    b\ any change on the bytes from 65536 will corrupt the hidden volume header

    My question again: if the header is corrupted and the algorithm cracked..., with no header and no plain text, how could anyone crack such a file? It could be random data; how does the cracker know the encryption without the header? I want the answer from anyone who has read or written algorithms before.

    Stupid question, but there is something behind that.
     
  24. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Along the same lines as what I think you're describing, I've read posts from several somewhat devious users who have deliberately replaced their volume headers with different ones in order to make their data impossible to decrypt, even when the correct password is used. This can easily be done using the TrueCrypt interface.

    If the header can't be used to decrypt the data then you would have to attack the cipher (such as AES256 or Serpent) head-on. I don't know of any person, group or government that can do that, although I suppose you never know.
     
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    In Truecrypt I click "mount".
    I am presented with a password verification screen.
    I assume the volume is not yet mounted until the password is verified.
    The hash of the password has to be loaded into memory for a comparison to take place, no?
    Memory dump the hash for offline cracking, easy as pi. :D
     