Need advice on TrueCrypt password recovery
#1
Hi,

I'm absolutely new to this business as I've never seen any need to crack passwords. Unfortunately, I forgot the new password of my TrueCrypt container after a password change, so here I am looking for some help / advice.

First about the basics: I have an AES-encrypted TrueCrypt volume at hand. I don't know which hashing algorithm I chose back then. Right now, all I know is the approximate length of my new, lost password (should be around 18 characters) and I can narrow down the possible special characters. A dictionary will not help as I combined fantasy words and I'm absolutely unsure about my new password. My computer has an i7-4770 CPU and an AMD HD5770 graphics card, which is why I downloaded oclHashcat 1.20. My Catalyst version is 14.04. To make things worse, I experience stability problems which might be GPU / heat related. For example, running example0 will stop with a GPU temperature warning.

My plan is to set up oclHashcat and run a few examples to find out my options. At the moment I think I will have to settle for a Brute Force attack (ugly, ugly...), but I think I can reduce the characters. I will think harder about my possible password so I can optimize my attack and use permutation mode or hybrid mode.

Enough blabla, here are some specific questions:

1) Is it possible at all to define custom charsets? EDIT: found out by myself
2) Is it reasonable at all to try to recover this password or will my computer have to run for the next 3 million years? ;-)
3) Does oclHashcat support resuming after a possible machine crash?
4) How do I find out my TrueCrypt volume's hash? I will need this as input, of course.
5) Do I need to specify my volume's hash algorithm? How do I find out, if possible?
6) I will think harder about my possible password so I can optimize my attack and use permutation mode or hybrid mode.

Thank you for any help in advance.
#2
(05-25-2014, 08:55 PM)TruecryptAddict Wrote: 1) Is it possible at all to define custom charsets?
Yes, that's what the "-1" - "-4" flags are for.

(05-25-2014, 08:55 PM)TruecryptAddict Wrote: 2) Is it reasonable at all to try to recover this password or will my computer have to run for the next 3 million years? ;-)
Reasonable if you can reduce the keyspace to something attackable within current specs.

(05-25-2014, 08:55 PM)TruecryptAddict Wrote: 3) Does oclHashcat support resuming after a possible machine crash?
Yes, the "--restore" flag is what you need.
Atom/Philipp can clarify how frequently it is written to disk.

(05-25-2014, 08:55 PM)TruecryptAddict Wrote: 4) How do I find out my TrueCrypt volume's hash? I will need this as input, of course.
Say what?

(05-25-2014, 08:55 PM)TruecryptAddict Wrote: 5) Do I need to specify my volume's hash algorithm? How do I find out, if possible?
Of course.
There is no way to find the hashing algorithm out, except remembering it.

(05-25-2014, 08:55 PM)TruecryptAddict Wrote: 6) I will think harder about my possible password so I can optimize my attack and use permutation mode or hybrid mode.
Good and probably only choice you have.
#3
Hi Rolf,

Thank you for your answers. I will rephrase my question 4 from above. I guess my wording is too complicated. The examples delivered with oclHashcat have a .hash file each containing the passwords to be recovered. I will need to specify my volume's hash, is that correct? oclHashcat needs to know which hash it should crack.
#4
Nope.
Just feed it your tc volume with any extension, it automatically grabs the required info from the corresponding offsets.
#5
Okay, I just created a TrueCrypt volume for test purposes so I have a chance to set up oclHashcat correctly. The password is fixed to nine letters. My command line looks like this:

oclHashcat64.exe -t 32 -a 3 -m 6211 -1 charsets/maik.hcchr test ?1?1?1?1?1?1?1?1?1

Does this look correct? Estimated time is > 10 years for this test. This is a letdown but I expected this. As a result brute force is definitely not an option, but at least I have a setup which makes use of my own charset.
#6
Command line looks fine, but don't mess with -t unless you know what you are doing.
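To put question 2 and the "> 10 years" estimate from post #5 into numbers, the following added example (not from any poster in this thread and not oclHashcat code) computes the keyspace of a mask with custom charsets and the worst-case run time. The 26-letter charset standing in for maik.hcchr and the rate of 15,000 candidates per second are assumptions, not values from the thread.

```python
import string

# Built-in mask charsets (?l ?u ?d ?s ?a); ?s is space plus ASCII punctuation.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),
}
BUILTIN["a"] = set().union(*BUILTIN.values())

def expand(spec, custom=None):
    """Split a mask or charset definition into one character set per token."""
    custom = custom or {}
    sets, i = [], 0
    while i < len(spec):
        if spec[i] != "?":
            sets.append({spec[i]})          # literal character
            i += 1
            continue
        key = spec[i + 1:i + 2]
        if key == "?":
            sets.append({"?"})              # "??" is a literal question mark
        elif key in BUILTIN:
            sets.append(BUILTIN[key])
        elif key in custom:
            sets.append(custom[key])
        else:
            raise ValueError(f"unknown or incomplete token '?{key}'")
        i += 2
    return sets

def custom_charset(spec):
    """Characters of a -1..-4 definition; each distinct character counts once."""
    return set().union(*expand(spec))

def keyspace(mask, custom=None):
    """Number of candidates a mask generates: product of per-position sizes."""
    total = 1
    for chars in expand(mask, custom):
        total *= len(chars)
    return total

def years(mask, custom, rate):
    """Worst-case run time in years at `rate` candidates per second."""
    return keyspace(mask, custom) / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    RATE = 15_000                           # assumed speed, not a measured benchmark
    cs = {"1": custom_charset("?l")}        # constructed stand-in for maik.hcchr
    for mask in ("?1" * 9, "?1" * 18):
        print(f"{len(mask)//2:2d} chars: {keyspace(mask, cs):.3e} candidates, "
              f"{years(mask, cs, RATE):.3e} years")
```

Each position that can be fixed to a literal or to a smaller charset divides the keyspace by the size of the charset it replaces, which is why narrowing the structure matters far more than raw speed at 18 characters.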