old TrueCrypt volumes
#1
OK, so I've come a long way these last days from never having cracked a password before in my life by reading and trying, but I can't get the masking right. It's not written in a way I understand. Let me explain the setup:

I know *all* the characters used for the passphrases, a very limited selection:

;:,.!@#$%&()_-+=
1234567890
XxZzJjTtUuQq

and I know the passphrases have no spaces in them, and must be a minimum of 9 and maximum 12 characters in length.
How do I put that in a mask? And how to emphasize to try the lower case characters first?

I just need a good example, from then on I will understand I'm sure. I know RegEx and batch and bash quite well, but the question mark in a mask, what does it mean?

I'm cracking on Windows 7 x64 now, since that is a system with the fastest GPU (a 1080 Ti) in it.
It's a selection of 10 TrueCrypt Volumes, *.tc I need to find the passwd for.
I have created them myself years ago, so I know the basics for the password I used for it. It wasn't top secret material, but I wanted to shield content/profiles etc. from snooping people in the same house I lived in back then. When I went away, when the PC was idle, the TC volume drive-letter would auto-dismount, thereby protecting all my personal content, so none of the people could access/delete/alter it when using that PC in my absence.
This worked fine, but I lost the password management database that had all the passwords in it (never buy a Drobo by the way, non-redundant maps of your beyond-raid volume, ridiculously insecure way of storing data!).


I remember what I created the volumes with, so -m 6222 or -m 6232 are the two to try for me.

hashcat64.exe -m 6222 J:\tc\mooi2009.tc --outfile TCfound
hashcat64.exe -m 6232 J:\tc\mooi2009.tc --outfile TCfound
Do I need to crack these in two following lines since I want it to try 6222 and 6232 modes or can I combine them?

And how does one --outfile the outcomes (if it finds the passes) for all 10 .tc files into 1 or more files, so I can run the cracking in my absence? Does it auto-increment the recovered hashes found into the one outfile?

TIA for any help and advice on speeding it up as well.
#2
First of all, to answer your question, you normally would use a mask attack like this:
Code:
hashcat64.exe -m 6222 -a 3 --increment --increment-min 9 J:\tc\mooi2009.tc -2 "XxZzJjTtUuQq?d;:,.!@#$%&()_-+=" ?2?2?2?2?2?2?2?2?2?2?2?2

The problem is that it is difficult to brute-force (or use a mask attack) on passwords that are that long in general, and it is even worse when it comes to a slow hash like TrueCrypt.

The best suggestion would be to remember as much as possible from the password and create a small dictionary with at most a few thousand/millions of password candidates and try those.
Trying each and every possible combination of all those characters is infeasible for such long passwords.
Another consideration would be to try to recover the password manager files from your hard drive. There are experts (data recovery specialists) who are able to recover files that you thought were already impossible to get back... the only problem is: you should not have used the drive a lot after the failure and therefore not overwritten/damaged the files on the disk.
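To put numbers on the two points in the reply above, here is an added example (not code from either poster) that counts the mask keyspace for the stated character set and lengths, then builds the small dictionary the reply recommends. The guess rate, the remembered fragments and the output file name are constructed assumptions.

```python
from itertools import permutations

# Character set stated in the question: 16 symbols, 10 digits, 12 letters.
SYMBOLS = ";:,.!@#$%&()_-+="
DIGITS = "1234567890"
LETTERS = "XxZzJjTtUuQq"
CHARSET = set(SYMBOLS + DIGITS + LETTERS)
MIN_LEN, MAX_LEN = 9, 12


def mask_keyspace(charset_size=len(CHARSET), lo=MIN_LEN, hi=MAX_LEN):
    """Candidates an incremental mask of lengths lo..hi has to try."""
    return sum(charset_size ** n for n in range(lo, hi + 1))


def years_to_exhaust(keyspace, candidates_per_second):
    """Worst-case wall-clock time in years at a given guess rate."""
    return keyspace / candidates_per_second / (365 * 24 * 3600)


def candidates(fragments, max_parts=4):
    """Join remembered fragments in every order, keep only valid guesses."""
    seen = set()
    for k in range(1, max_parts + 1):
        for combo in permutations(fragments, k):
            word = "".join(combo)
            if MIN_LEN <= len(word) <= MAX_LEN and set(word) <= CHARSET:
                seen.add(word)
    # Lower-case-heavy guesses first, then alphabetical for a stable order.
    return sorted(seen, key=lambda w: (-sum(c.islower() for c in w), w))


if __name__ == "__main__":
    total = mask_keyspace()
    rate = 1_000_000  # assumed guesses/second, not a measured figure
    print(f"mask keyspace: {total:.3e} candidates")
    print(f"at {rate:,}/s: {years_to_exhaust(total, rate):,.0f} years")
    # Constructed fragments standing in for what the owner remembers.
    remembered = ["xzj", "XZJ", "2009", "tq", "!", "_", "77"]
    words = candidates(remembered)
    with open("tc_candidates.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    print(f"wrote {len(words)} candidates to tc_candidates.txt")
```

The resulting file is used with hashcat's straight attack (`-a 0`) in place of the mask.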