TrueCrypt password recovery

How to recover a TrueCrypt password you partially know with a mask attack, or a password you forgot with brute force.

Introduction

TrueCrypt is open-source disk encryption software available on several platforms (Windows, Mac OS X and Linux).
In May 2014, the TrueCrypt website announced that the project was no longer maintained.

A few years ago I was using TrueCrypt to encrypt my work projects on small volume files.

Unfortunately, one day I couldn't remember one of the passwords I used to decrypt a volume.
The password was 20 characters long combining alpha, digits and special characters.

I could only remember which characters were in the password and in which order but I wasn't sure about 8 of them which means a lot of possibilities.

After manually trying a few combinations it became really annoying. I decided to search for a TrueCrypt password cracker but I couldn't find one with a mask attack.

Because I don't have enough processing power to brute-force a 20 chars long password, I decided to write a little Python script to do the job.

This tutorial explains how I created and launched a mask attack to recover a TrueCrypt password with Python itertools.

Research work

The first step was to find a way to check a password against TrueCrypt.

The following command will silently try to decrypt the volume cryptedvolume with the password mouse123 and mount it on the virtual drive X:.
TrueCrypt.exe /v cryptedvolume /lx /a /p mouse123 /e /b /s /q
On success the command will open the virtual drive with Explorer.

Mask attack with Python

This is what the Python script that performed the mask attack looks like.

#!/usr/bin/env python3

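import os
import datetime
import argparse
import itertools
import subprocess

def do_unmount(drive):
    """ Unmount TrueCrypt drive """
    # Argument list instead of a shell string: the values are never parsed by a shell
    cmd = ["truecrypt", "/l" + drive, "/d", "/s", "/q"]
    return subprocess.run(cmd).returncode

def do_checkpass(volume, drive, password):
    """ Check password """
    # The candidate is passed as its own argument, so spaces and special
    # characters in the password reach TrueCrypt instead of being interpreted by the shell
    cmd = ["truecrypt", "/v", volume, "/l" + drive, "/a", "/p", password, "/e", "/b", "/s", "/q"]
    subprocess.run(cmd)
    # The attempt succeeded if the drive letter now exists
    ret = os.path.exists(drive + ":\\")
    return ret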

def start_brute(volume, drive):
    """ Brute-force main routine """
    password = None
    expression = [["C4t"], ["w", "W"], ["o", "0"], ["mAn", "man"]]

    print("Unmounting drive...")
    do_unmount(drive)

    a = datetime.datetime.now().replace(microsecond=0)
    print("Generating combinations...") 
    combinations = itertools.product(*expression)

    print("starting brute-force...")
    for x in combinations:
        candidate = "".join(x)
        if do_checkpass(volume, drive, candidate):
            password = candidate
            print ("Password found: ", password)
            break

    b = datetime.datetime.now().replace(microsecond=0)
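    # A timedelta does not accept the "s" format code; report whole seconds instead
    print("Operations took {:d} seconds.".format(int((b - a).total_seconds())))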

    if password is None:
        print("Password not found.")

def main():
    parser = argparse.ArgumentParser()

    parser.add_argument("-v", help="path to a TrueCrypt volume")
    parser.add_argument("-l", help="drive letter to mount the volume as")

    args = parser.parse_args()

    if args.v and args.l:
        start_brute(args.v, args.l)
    else:
        parser.print_help()

if __name__ == "__main__":
    main()

The interesting part is the declaration of the expression variable: each inner list holds the alternatives for one segment of the password.
In this example, Bob can't remember how he typed the "woman" part of the password Catwoman.

Itertools will take care of generating all the possible combinations.

C4twomAn
C4twoman
C4tw0mAn
C4tw0man
C4tWomAn
C4tWoman
C4tW0mAn
C4tW0man

If you want to recover your own TrueCrypt password, you just have to modify the expression to cover what you know or what you suspect to be part of your password.
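Before launching a long run it helps to know how many candidates an expression produces and to be able to resume after an interruption. The following is an added example, not part of the original script: the function names are hypothetical, and the 2 seconds per mount attempt is an assumed figure, not a measurement.

```python
import math

# The expression from the script above: one list of alternatives per slot.
EXPRESSION = [["C4t"], ["w", "W"], ["o", "0"], ["mAn", "man"]]

def check_expression(expression):
    """Reject slots that would empty the keyspace or waste mount attempts."""
    for i, slot in enumerate(expression):
        if not slot:
            raise ValueError("slot {} has no alternatives".format(i))
        if len(set(slot)) != len(slot):
            raise ValueError("slot {} repeats an alternative".format(i))

def keyspace(expression):
    """Total number of candidates: the product of the slot sizes."""
    return math.prod(len(slot) for slot in expression)

def candidate_at(expression, index):
    """Candidate number `index` in itertools.product order (last slot varies
    fastest), found by mixed-radix decoding rather than by iterating."""
    if not 0 <= index < keyspace(expression):
        raise IndexError("index outside the keyspace")
    parts = []
    for slot in reversed(expression):
        index, digit = divmod(index, len(slot))
        parts.append(slot[digit])
    return "".join(reversed(parts))

def candidates(expression, start=0):
    """Yield candidates from position `start` so an interrupted run can resume."""
    check_expression(expression)
    for index in range(start, keyspace(expression)):
        yield candidate_at(expression, index)

def worst_case_seconds(expression, seconds_per_try):
    """Upper bound on run time if the right candidate is tried last."""
    return keyspace(expression) * seconds_per_try

if __name__ == "__main__":
    # Constructed case: 8 uncertain positions with 3 guesses each.
    uncertain = [["a", "A", "4"]] * 8
    print(keyspace(uncertain), "candidates")
    print(worst_case_seconds(uncertain, 2.0), "seconds at an assumed 2 s per attempt")
    print(list(candidates(EXPRESSION, start=6)))
```

In start_brute, the loop over itertools.product(*expression) can be replaced by candidates(expression, start=n), where n is the index of the last candidate tried before the run stopped.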

TrueCrack

TrueCrack is open-source software created to brute-force passwords for TrueCrypt volumes. It works on Linux and is optimized for Nvidia CUDA technology, a parallel programming and computing platform.
This tool is able to perform dictionary and brute-force attacks.

A very interesting point is that TrueCrack works on both GPU and CPU, which makes it great for high-performance brute-forcing.

Download TrueCrack

oclHashcat

oclHashcat is a GPGPU-based hash cracker that supports brute-force (implemented as a mask attack), combinator, dictionary, hybrid, mask, and rule-based attacks.

At the time I wrote this article oclHashcat didn't support TrueCrypt.
It is probably the best choice because it can perform many attacks.

Download oclHashcat