TrueCrypt Password Bruteforce (Partial)

TL;DR

This guide shows how to use Hashcat to bruteforce a known part of a TrueCrypt password. This is useful if you remember some characters but not the whole thing.

Prerequisites

• TrueCrypt/VeraCrypt Volume: You need access to the encrypted volume file (.tc or .vc).
• Hashcat: Download and install Hashcat from https://hashcat.net/. Make sure it’s in your system’s PATH.
• VeraCrypt (Recommended): While the guide refers to TrueCrypt, VeraCrypt is a more secure and actively maintained fork and can be used interchangeably for volume mounting and keyfile extraction.

Step-by-step Guide

1. Mount the Volume: Mount your TrueCrypt/VeraCrypt volume using VeraCrypt (or TrueCrypt if you must). Note the drive letter assigned to it.
2. Extract Keyfile: This is crucial. Hashcat needs a keyfile representing the known part of the password.
   • Open VeraCrypt.
   • Select your mounted volume.
   • Click ‘Tools’ -> ‘Keyfiles’.
   • Create a new keyfile. Name it something descriptive (e.g., “known_part.key”).
   • Enter the known part of your password into the keyfile creation window. Important: Do *not* include any special characters or formatting here; just the plain text you remember.
   • Save the keyfile to a secure location.
3. Determine Hash Type: TrueCrypt uses different hash algorithms depending on its version and settings. We’ll assume SHA-512 as it’s common, but you might need to adjust this.
   • If you know the exact algorithm used during volume creation, skip this step.
   • Otherwise, try SHA-512 first. If that doesn’t work, consult TrueCrypt documentation or experiment with other algorithms (e.g., MD5, RIPEMD-160).
4. Run Hashcat: Use the following command structure in your terminal/command prompt. Replace placeholders with your actual values.

   hashcat -m 1400 --keyfiles /path/to/known_part.key /path/to/volume.tc ?a?a?a?a?a?a?a?a  --force

   • -m 1400: Specifies the hash type (TrueCrypt).
   • –keyfiles /path/to/known_part.key: Points Hashcat to your keyfile containing the known password part.
   • /path/to/volume.tc: The path to your TrueCrypt volume file. Use .vc if using VeraCrypt.
   • ?a?a?a?a?a?a?a?a: This is the mask for the unknown characters. Each ‘?’ represents a character Hashcat will try. ‘a’ means lowercase letters (a-z). You can change this to include uppercase, numbers, and symbols (e.g., ?l = lowercase, ?u = uppercase, ?d = digits, ?s = symbols). Adjust the number of question marks based on how many characters you *don’t* know.
   • –force: Necessary for some hash types to prevent warnings.
5. Adjust Mask (Important): The mask is critical.
   • If you only remember the first 3 characters, use ‘???’. If you remember the last 2, use ‘??’.
   • To include uppercase letters, numbers and symbols in your search, use a more complex mask like ‘?l?u?d?s’. This will significantly increase brute-force time.
6. Monitor Progress: Hashcat will display its progress on the screen. It shows the current hash rate and estimated time remaining.
7. Check Results: If Hashcat finds a password, it will output it to the console.

Troubleshooting

• Incorrect Hash Type: If Hashcat doesn’t find anything, double-check that you’re using the correct hash type (-m option).
• Keyfile Issues: Ensure your keyfile contains only the known password part and no special characters.
• Insufficient Mask: A too-short mask will not cover all possible passwords.
• Slow Performance: Brute-forcing is computationally intensive. Consider using a powerful GPU to speed up the process.