Blog | G5 Cyber Security

Truecrypt Password Recovery: Brute Force

TL;DR

This guide shows how to attempt brute-force password recovery on a Truecrypt (or VeraCrypt) encrypted file when you have some partial knowledge of the password. It uses hashcat, a powerful password cracking tool. Be aware that this can take a very long time – days, weeks or even longer – depending on password complexity and length.

Prerequisites

Step-by-step Guide

  1. Determine the Truecrypt/VeraCrypt Hash Type: This is crucial for using hashcat correctly. VeraCrypt uses different hash algorithms than older versions of Truecrypt.
    • If you know which version of Truecrypt or VeraCrypt was used to encrypt the file, consult its documentation to find the correct hash type.
    • Alternatively, you can try to identify it by attempting a crack with common hashes (see Step 3). Hashcat will tell you if the hash is invalid for that algorithm.
  2. Create a Hash File: You need to create a file containing the hash of your encrypted Truecrypt/VeraCrypt volume.
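    dd if=volume.tc of=hash.txt bs=512 count=1

    Replace volume.tc with the actual name of your encrypted file. For a standard volume, hashcat only needs the first 512 bytes (the volume header), which this command copies into hash.txt.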

  3. Choose a Wordlist or Mask: This is where you define what passwords Hashcat will try.
    • Wordlists: If you suspect the password is based on common words, use a wordlist (e.g., rockyou.txt). You can find many pre-made wordlists online.
    • Masks: If you know parts of the password (e.g., it starts with ‘abc’ and is 8 characters long), use a mask.
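      hashcat -m 6211 -a 3 hash.txt 'abc?a?a?a?a?a'

      This example tries every 8-character password that starts with ‘abc’: the first three characters are fixed and each ?a stands for one character from the full set. The -a 3 option selects mask mode, and 6211 is one of hashcat's TrueCrypt hash modes (RIPEMD-160 with a single XTS cipher); use the mode that matches your volume from Step 1. The mask is quoted so the shell does not expand the ? characters. You can use different character sets: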

      • ?l: Lowercase letters
      • ?u: Uppercase letters
      • ?d: Digits
      • ?s: Symbols
      • ?a: All characters (lowercase, uppercase, digits, symbols)
  4. Run Hashcat: Start the cracking process.
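    hashcat -m 6211 -a 0 hash.txt rockyou.txt

    Replace rockyou.txt with your chosen wordlist (for a mask, use -a 3 and the mask instead), and 6211 with the correct Truecrypt/VeraCrypt hash mode. hashcat's TrueCrypt modes are 6211 to 6243 and its VeraCrypt modes are in the 137xx range; the mode depends on the volume's hash function (for example RIPEMD-160, SHA-512 or Whirlpool) and on how many ciphers are cascaded, not on the cipher name alone. Modes 1400 and 1700 are raw SHA2-256 and SHA2-512 and do not apply to volume headers. If you’re using a GPU, Hashcat will automatically use it.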

    For more complex masks and options, consult the Hashcat Wiki.

  5. Monitor Progress: Hashcat displays progress information in real-time, including the current cracking speed (hashes per second). The higher the speed, the faster it will crack.

    If you have a GPU, check its temperature to ensure it’s not overheating.

  6. Check Results: If Hashcat finds a password, it will display it in the output. It also saves cracked passwords to a file named hashcat.potfile by default.
    cat hashcat.potfile

    This command displays the contents of the potfile, which contains the recovered password(s).
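To judge whether a mask from Step 3 is feasible before running it, the following added example (not part of the original guide or of hashcat) counts the candidates a mask expands to and converts that into a worst-case run time. The guess rate is an assumed value; substitute the speed hashcat reports in Step 5. Function names are hypothetical, and custom charsets (?1 to ?4) are not handled.

```python
# Added example: estimate the size of a hashcat mask before running it.
# Sizes of hashcat's built-in charsets (?s has 33 symbols including space).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95,
                 "h": 16, "H": 16, "b": 256}


def mask_keyspace(mask: str) -> int:
    """Return how many candidate passwords the mask expands to."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            pass                        # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        else:
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return total


def worst_case_seconds(mask: str, guesses_per_second: float) -> float:
    """Time to exhaust the whole mask at a constant guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return mask_keyspace(mask) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    RATE = 1_000.0  # assumed guesses per second, not a measured figure
    for mask in ("abc?a?a?a?a?a", "?a?a?a?a?a?a?a?a"):
        secs = worst_case_seconds(mask, RATE)
        print(f"{mask}: {mask_keyspace(mask):,} candidates, "
              f"up to {human_duration(secs)}")
```

Fixing the three known characters shrinks the search by a factor of 95 cubed compared with the fully unknown 8-character mask.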

Important Considerations
