Trying to brute force TrueCrypt

I'm at wits end! I've been using several methods to try to brute force open a truecrypt container and none of them have worked.

I know 3 parts of the password that are correct, that's 18 characters out of 21 characters that are correct.

I've tried using Passware Password Recovery Kit and no luck at all. It's pretty crappy software actually, it's not going to crack open a container unless someone used a really weak password to begin with.

I've created a dictionary file of possible word combinations that I would like to try in various orders but i'm not finding any software that will allow me to do this.

For example: My password is 21 characters in length, broken up by 5 whole word/number character sets (02392398~ameret%berws).

02392398 the part of the password I remember correctly, all other characters I'm not sure of but I know they can be various words I've included in the custom dictionary file.

I've found scripts online but they've been buggy and have not worked at all.

If anyone can refer me to a brute force program or provide a working script that can be customized to load various words/sets together that would be great.

EX:

02392398+terema(word included in dictionary)-berws
02392398+terema(word included in dictionary)-flasui
02392398+ratates(word included in dictionary)-flasui

Any help I could get is greatly appreciated. Thanks.

 

If you're only missing the dictionary word and know the rest, your best bet will probably be Cain and Abel as I believe its latest incarnation will allow you to input your known parameters. If it's not Cain, maybe....no, I'm pretty sure.

 

I'm finding your explanation unclear. Please provide a maximally-specific template that explains how your password would be assembled. For example:

Example #1:
02392398 {Word} {Word} {Word} {Word} {Word}

"02392398" is hardcoded, and the words are from your custom dictionary. All combinations would be generated and added to the password list and then run through the bruteforcer. If example #1 is all you need then it would be quite simple to assemble the list of all possible combinations, either including or excluding duplicates, assuming that your wordlist isn't too massive. How many words are in your custom dictionary?

Also, I noticed you used ~ % + - in your examples. Are these symbols being used to separate the words? If so, give details. Perhaps you should add them to a separate dictionary. Or perhaps I misunderstand. Are they not used at all?

Example #2:
02392398 {Word} {Symbol} {Word} {Symbol} {Word} {Symbol} {Word} {Symbol} {Word}

You can specify more than one dictionary (and make each existing dictionary smaller) if you know that certain words or symbols should only go in certain slots:

Example #3:
02392398 {WordFromList1} {SymbolfromList1} {WordfromList1} {SymbolFromList1} {WordFromList2} {SymbolFromList2} {WordFromList2} {SymbolFromList2} {WordFromList2}

I have some scripts that might be useful, but I would prefer to tailor them to the circumstances before I post them.

 

There you go Ezio....Dantz is willing to help (as always).
We're lucky to have good people here.

 

Re-evaluating how you memorize things like passwords so you don't "forget" them could help preventing this.

For instance, if I use groups of 4 {abcd} {efgh} {ijkl} {mnop} {qrst} I will remember it for about 10 minutes, but tomorrow good luck.
It may have to do with short term memory versus Long term memory.

For me, to get the passwords into long term storage, I found grouping them in 5's forces the LTS mode.

In this way I haven't had to glance at the paper I have them written on once.

 

And yet again the OP gets useful answers but just disappears into a void, with no further comment or thanks.
Some people are just so rude.
Sigh

 

Hello, I have the same / similar problem, if you guys (especially dantz) are still following this up, maybe you could help me. I have not used the container for several months and I have had little knowledge of TC. My file has no extention, does it matter? Should I add .TC?

My TrueCrypt password consist of combination:

two strings out of the list below:
[string1], [string2], [string3], [string4], [string5], [string6], [string7]

and additionally none or any of characters below:
^ and @ and [space]

Examples:
^[string1]@[string2] or [string2] [string3]^ or [string3]@[string7] or [string3][string7]

Is there anything you could do to help me? I would be very grateful. I promise not to disappear martinrabson, I have subscribed to the thread.

 

It doesn't sound too difficult to build a wordlist that would cover most or all of the possibilities. However, what I don't understand is how you can be so sure of the password's layout while failing to offer any hints as to which strings or symbols you think you used in the password. I find myself wondering if this is just an exercise of some sort. Or are we going to crack somebody else's password?

Anyway, one question: Does the password use any strings or symbols more than once? Or should we exclude all duplicates?

 

Thanks for a quick reply. The way I compose my passwords is to have several random strings memorized and use them in combinations. For example:

pol098A@VUY9898
^VUY9898
anaTY pol098A etc.

Usually I use them daily so they stay in my memory. In this case I have not used the file for several months. I have tried many combinations I considered valid but none of them worked. And trying all combinations would take great amount of time.

To clarify, I know what characters are in all these strings, I just do not want to post it here, because each string is used by me all over the web as password for different services. If they are needed, I would have to first change my passwords everywhere.

Each string and character is used either once or not at all. I am quite sure (80%) one string / part of the password is the word "rascal" - not sure about the case of letters.

In theory it seems to me it could be relatively easy to break that password with a good script, however, I have no know-how whatsoever to create anything like this.

Two more things, it does not matter which Drive I select to mount the volume? The file had not extension. Does it matter? Should I add .TS in the end? Thanks!

 

Have you seen this thread? https://www.wilderssecurity.com/showthread.php?t=288616

In Post #16 tateu includes links to the latest version of his OTFBrutus TrueCrypt brute-forcing tool. If you already have a wordlist then you can just plug it in. I could probably build the wordlist for you, but it will be a little tricky due to the way your password is constructed.

Alternatively, tateu's program can generate and use an internal wordlist (password pattern) based on criteria that you provide. The feature isn't quite flexible enough to generate all of your potential passwords (as you describe them) in a single pass, but it's close. I think you could get it to work by doing multiple runs, with each one set up a little differently.

Based on what I know of your password construction, these are the runs I would expect you to use:
(# = symbol, S = string)

(For single-string passwords):
S
#S
S#
#S#

(For double-string passwords):
SS
#SS
S#S
SS#
#S#S
S#S#
#SS#
#S#S#

I think those combinations will cover everything, so that's just 12 separate runs. You might want to edit the list to exclude combinations like S, SS# and #SS if you don't ever use those patterns to assemble your passwords.

To set each one of these up, run tateu's OTFBrutus, select your TrueCrypt file, select "Password Pattern", then see Tateu's instructions (located in the accompanying text file). For example, to set up the run for "#S#S", your password pattern would look something like this (it's all on one line, so ignore the wordwrap):

[^@ ]{1}(string1|string2|string3|string4|string5|string6|string7){1}[^@ ]{1}(string1|string2|string3|string4|string5|string6|string7){1}

The output (word list) will look something like this:
^string1^string1
^string1^string2
^string1^string3
^string1^string4
^string1^string5
^string1^string6
^string1^string7
^string1@string1
^string1@string2
^string1@string3
^string1@string4
^string1@string5
^string1@string6
^string1@string7
^string1 string1
^string1 string2
^string1 string3
^string1 string4
^string1 string5
^string1 string6
^string1 string7
...etc. There are 441 entries in all.

Note that since we did not try to exclude duplicates, the wordlist ended up being much longer than it needed to be. You could reduce or eliminate the dupes by further customizing the individual password patterns and conducting more runs, but since the overall number of passwords that needs to be tested is going to be quite small (even including the dupes), it probably wouldn't be worth the extra effort. I would just let them run, dupes and all, and see how it goes.

Also note that you can generate and save your wordlist right after you set up the password pattern, without even running it against the TrueCrypt volume. This lets you test your password pattern and make any needed adjustments. I have to say, I'm very impressed with tateu's new program!

To speed up the brute-forcing operation you can uncheck any encryption algorithms that you didn't use when you created the TrueCrypt volume. For example, if you only used AES then uncheck all of the others. If you don't remember which algorithm you used but you know for sure that you didn't use cascades then un-check all of the combos such as AES-Twofish, AES-Twofish-Serpent, etc.

You can choose any free drive letter, and you don't have to stick with that letter. The next time you mount the volume you can choose a different letter if you so desire.

You meant ".tc", I assume. No, it's not necessary, but it can be handy if you want to be able to double-click on the file to open the volume. I put .tc extensions on all of my TrueCrypt file-hosted containers for just that purpose.

 

The speed increase gained from unchecking unneeded Encryption algorithms is usually pretty small. It's the Hash algorithms that really slow things down because they are looped in 1000-2000 iterations specifically to slow down brute forcing.

On my machine, unchecking all but 1 of the Encryption Algorithms only gives me a speed up of about 10 passwords per second, whereas unchecking Whirlpool gives me a speed up of about 53 p/s and unchecking RipeMD gives me a speed up of about about 230 p/s.

 

Here's how you should generate the list of passwords (with a lot of obviously incorrect possibilities).

Assume that the password has 5 possible positions:

P1 P2 P3 P4 P5

Each of those positions can be occupied by any of 11 possible strings:

String1, String2, String3, String4, String5, String6, String7, ^, @, [space]. []

Note that [] is a null set or empty matrix, meaning if it's placed in a position, it's basically like nothing is there.

Assuming this construction, you'll have a possible 11^5 (161,051) possible passwords, which should be manageable using tateu's program, so there's probably no need to eliminate the obviously wrong possibilities.


Now, how would I construct this list. I would probably use a program like Matlab and generate a giant 161,051 x 5 matrix. The first column would be constructed as such:

Repeat the first string 11^4 times, then repeat the second string 11^4 times, etc. until you've filled all 161,051 positions.

The second column would be constructed as such. Repeat the first string 11^3 times, then the second string 11^3 times, and so on until you've filled all 161,051 positions of the second column.

The third column would be the same as the above except with 11^2 repeats.

Fourth column would be 11 repeats.

Fifth column would go like this:

[String1;String2;String3;String4;String5;String6;String7;^;@;[space];[];String1;String2;String3;String4;String5;String6;String7;^;@;[space];[]]

Just repeat each string 1 time (e.g. 11^0 times) until you fill all 161,051 possible positions of the 5th column.

And that completes the matrix. Then find a way to print it to a text file, replacing all the strings with their proper values.

I hope that's clear. I believe this technique is correct, although, if I'm wrong about something, feel free to correct me. I may attempt this for you in a week or so if you're seriously desperate, but I hope that someone who's familiar with Matlab might attempt this.


p.s. Nice to see you on Wilders tateu. I remember you from the TrueCrypt forum's better years.

 

I made a password when I was fooling with Truecrypt a couple of years ago.

Closed my eyes and just typed at random twenty five characters, including symbols. I typed it in Notepad, then wrote it down and hid it away.

Unfortunately, I was distracted and couldn't get back to Truecrypt for a week, at which time I couldn't remember where I'd put the password. To this day, I haven't found the thing. I ended up reformatting the computer.

Moral, use a password you can remember or, if not then remember where you hid the password that you wrote down (which you shouldn't do).

 

Let me add that you should probably try dantz' technique first. It's probably the easiest. I should have read his post before I made mine. If that doesn't work, my technique will generate just about every possible combination, giving you more possibilities.

Regarding dantz' technique, I'm wondering if you've taken into account all the possibilities, such as when two symbols are used sequentially. For example:

SS##

Perhaps piotreg mentioned something previously that would exclude this possibility. If the possibility is not excluded, then there could theoretically be a lot more runs.

But it is a good technique.

 

I was thinking about using nulls as well, but I didn't see any way to enter them into tateu's password patterns. However, I just realized that there's a simple workaround. As far as the three symbols go, we can just add an otherwise unused symbol to represent null, then generate the wordlist, then do a search & replace to take out all the nulls. That approach might even allow the entire wordlist to be created in one pass (although of course there will still be lots of unneeded duplicates). Guess I'll try it tomorrow and see what happens.

I don't think he's doing that, but if he is then the wordlist will definitely expand!

 

You beat me to it!

It actually might work. Try this with tateu's excellent program:

(s1|s2|s3|s4|s5|s6|s7|^|@| |z){5}

Then, in a text editor, just replace the "z" with nothing. It will just erase the "z".

I'm pretty sure it will work, and it's simple. I also don't think it generates that many duplicates or obviously wrong passwords.

Edit: Alternately, you could try the following 4 in tateu's program:

(s1|s2|s3|s4|s5|s6|s7|^|@| ){5}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){4}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){3}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){2}

You should use 4 separate text files. With this technique, you don't have to edit the text file afterward. This is probably the best overall technique, with a total of 111,100 possible passwords.

 

Thank you guys! A lot to digest I will have to dig in to it on the weekend. I will report back as soon as I have any results.

 

Sorry, I wrote a lot of stuff unnecessarily before I tried tateu's program.

The simplest technique is probably still the one I wrote last. Namely, use the program to create 4 separate text lists of passwords using the following rules:

(s1|s2|s3|s4|s5|s6|s7|^|@| ){5}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){4}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){3}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){2}

That's it. Then, try each one separately. Of course, S1 stands for string1, etc.

Hope that clarifies it. It actually couldn't be any simpler.

 

I like what you've done so far, but I'm testing out a more tailored approach, as I think it will produce fewer unwanted results. I'm using * as a placeholder for null, and will take it out via search & replace after each wordlist is generated.

Here's my latest attempt. It involves two runs. For readability I've placed each portion on a separate line, but of course it should all entered into tateu's user interface as a single long line:

Combinations involving two strings:
[^@ *]{1}
(s1|s2|s3|s4|s5|s6|s7){1}
[^@ *]{1}
(s1|s2|s3|s4|s5|s6|s7){1}
[^@ *]{1}

The full string (can be copied and pasted into tateu's program):
[^@ *]{1}(s1|s2|s3|s4|s5|s6|s7){1}[^@ *]{1}(s1|s2|s3|s4|s5|s6|s7){1}[^@ *]{1}

This produces 3136 wordlist entries. The list is so short that it took Notepad's "Replace" command only a few seconds to replace all of the asterisks with nulls.

Combinations involving one string:
[^@ *]{1}
(s1|s2|s3|s4|s5|s6|s7){1}
[^@ *]{1}

The full string (for copy & paste into tateu's program):
[^@ *]{1}(s1|s2|s3|s4|s5|s6|s7){1}[^@ *]{1}

This produces 112 wordlist entries, and of course it takes almost no time to remove the asterisks.

So overall there are just two runs to perform, with a total of 3136 + 112 = 3,248 entries. Based on the rules of this particular password pattern, some entries will still contain unwanted duplicates, but the total number of words in the two wordlists is so low that it hardly matters. tateu's program will be able to whip through all of those in a matter of minutes.

The only problem is, the resulting wordlists are so short that I'm afraid I've overlooked something. Would somebody else please check this over to see if (or where) I may have messed up?

[minor edits to improve readability]

 

We are a couple math geeks aren't we?

The problem I see with your technique is that your 3136 password list is always of the form:

#S#S#

Your 112 password list is always of the form:

#S#


You could be right, but that's making a lot of assumptions. If piotreg wants to start that way, I don't see any problem with it, but I don't think your list will include every possibility that he could have used.

My 2 cents.

 

Your list is so short because you do not allow two of the special characters to be entered in a row. As long as piotreg's password pattern holds to that then your solution looks good to me. Otherwise, "I no more than U's" suggestions of

(s1|s2|s3|s4|s5|s6|s7|^|@| |*){5}
or
(s1|s2|s3|s4|s5|s6|s7|^|@| ){5}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){4}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){3}
(s1|s2|s3|s4|s5|s6|s7|^|@| ){2}

should work. Depending on computer speed and algorithms, even the 161,051 passwords contained in (s1|s2|s3|s4|s5|s6|s7|^|@| |*){5} can be tried at a decent speed. My Dual Xeon machine can do it in 16 minutes. My old Pentium 4 can do it in about 4.5 hours.

 

But if you open the saved word list in notepad and replace the * character with nothing...

*s1@s2* (#S#S#)
becomes
s1@s2 (S#S)

 

Yes, probably a good idea...something like \0 to represent a null?

 

I have a related question.

Brutus asks for a dictionary or password pattern. Is there a dictionary you would recommend that I could download, and then select it as the dictionary? Perhaps a "Most commonly used" type of wordlist?

 

How about **null**, or something that would be very unlikely to be used in a password?