Blog | G5 Cyber Security

Password Recovery: Known Password Brute Force

TL;DR

You know most of a hard drive password and want to crack it. This guide shows how to use tools like John the Ripper or Hashcat with wordlists tailored to your partial knowledge, focusing on efficiency and avoiding unnecessary computation.

Solution Guide

  1. Understand the Situation
    • How much of the password do you know? (e.g., first 3 characters, last 2, specific pattern)
    • What type of drive is it? (HDD, SSD – affects speed and potential recovery methods). This guide focuses on password-protected drives accessible via standard operating system tools.
    • What operating system are you using? (Windows, Linux, macOS – tool availability varies.)
  2. Choose a Password Cracking Tool (the TL;DR names John the Ripper and Hashcat; both are used in step 5)
  3. Obtain the Drive Hash

    You need the actual password hash from the drive, not just the drive letter. The method varies by OS:

    • Windows: Use a tool like chkdsk to attempt to access the drive and trigger hash generation (the hash is often stored in system files). Alternatively, if BitLocker was used, you’ll need the recovery key or BitLocker-specific tools.
    • Linux: If the drive is mounted, the hash might be accessible via filesystem metadata. Use lsblk to identify the device and then investigate relevant files (e.g., /etc/shadow if applicable). For encrypted drives, run cryptsetup status on the mapped device.
    • macOS: Disk Utility may provide information about encryption status. For APFS volumes, use diskutil apfs list to check for password protection and potential hash locations.
  4. Create a Targeted Wordlist

    This is the most important step! Don’t just use a generic wordlist.

    • If you know the first 3 characters are “abc”, create a list of possible endings. For example:
      abc1234
      abc5678
      abc9012
      abcpassword
      ...
    • If you know the password contains a specific word, combine it with common numbers or symbols.
      word123
      word!@#
      word456
      ...
    • Use tools like crunch (Linux) to generate lists based on length and character sets:
      crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt

      (Generates 8-character passwords using lowercase letters and numbers. crunch takes a minimum and a maximum length followed by the literal character set; it does not expand ranges such as a-z0-9. Note that this full set is 36^8, about 2.8 trillion candidates, so fix the characters you already know with a pattern instead, e.g. crunch 8 8 -t abc%%%%% -o wordlist.txt, where each % stands for one digit.)

    • If you know the password is likely a date, create a list of dates in various formats.
      20231027
      27/10/2023
      october272023
      ...
  5. Run the Password Cracking Tool
    • John the Ripper Example: (Assuming hash is in a file called hash.txt and wordlist is wordlist.txt)
      john --wordlist=wordlist.txt hash.txt
    • Hashcat Example: (Assuming hash type is MD5, hash is in hash.txt, and wordlist is wordlist.txt)
      hashcat -m 0 hash.txt wordlist.txt --force

      (The --force option bypasses some checks; use with caution.)

  6. Monitor Progress and Adjust
    • Password cracking can take a long time, even with targeted wordlists.
    • If no results after a reasonable amount of time, refine your wordlist or try different attack modes (e.g., brute-force with masks).
    • Consider using a GPU for Hashcat to significantly speed up the process.
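As an added illustration of the efficiency point behind steps 4 and 6 (this is example code, not code from the original post), the following Python estimates the keyspace of a hashcat-style mask and how much fixing the characters you already know shrinks the search. The "abc" prefix scenario and the 1e9 hashes/s rate are constructed assumptions, and the ?1 custom class is given only by its size.

```python
# Sizes of hashcat's built-in mask character classes (?l ?u ?d ?s ?a ?h ?H ?b).
BUILTIN_CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33,
                       "a": 95, "h": 16, "H": 16, "b": 256}

def parse_mask(mask, custom=None):
    """Number of choices at each mask position; literals count 1, ?? is a literal '?'."""
    sizes = dict(BUILTIN_CLASS_SIZES)
    sizes.update(custom or {})        # e.g. {"1": 36} for hashcat's -1 ?l?d
    choices, i = [], 0
    while i < len(mask):
        if mask[i] != "?":            # a known character: exactly one choice
            choices.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        cls = mask[i + 1]
        if cls == "?":
            choices.append(1)
        elif cls in sizes:
            choices.append(sizes[cls])
        else:
            raise ValueError(f"unknown character class ?{cls}")
        i += 2
    return choices

def mask_keyspace(mask, custom=None):
    """Total number of candidates the mask expands to."""
    total = 1
    for n in parse_mask(mask, custom):
        total *= n
    return total

def seconds_to_exhaust(mask, hashes_per_second, custom=None):
    """Worst-case time to try every candidate at the given rate."""
    return mask_keyspace(mask, custom) / hashes_per_second

def reduction_factor(partial_mask, full_mask, custom=None):
    """How many times smaller the search is once the known characters are fixed."""
    return mask_keyspace(full_mask, custom) // mask_keyspace(partial_mask, custom)

if __name__ == "__main__":
    # Constructed scenario: 8 characters over [a-z0-9] (?1 = ?l?d, 36 symbols) with the
    # first three known ("abc"); 1e9 hashes/s is an assumed rate, not a measurement.
    cs, full, partial = {"1": 36}, "?1" * 8, "abc" + "?1" * 5
    for label, m in (("full search", full), ("prefix known", partial)):
        print(f"{label:12}: {mask_keyspace(m, cs):,} candidates, {seconds_to_exhaust(m, 1e9, cs):.2f} s")
    print(f"reduction factor: {reduction_factor(partial, full, cs):,}x")
```

Read the other way round, the same numbers show how much a leaked or guessable prefix weakens a password.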