
Wednesday 15 May 2013

My Wednesday night failure: How to bruteforce Truecrypt passwords for dummies with OTFBrutus!

The last 4 hours have been traumatic for me.
It had been three weeks since I had added extra security to the way I store my TrueCrypt containers and drives. Only three weeks ago, I had formatted my portable HDD and added a hidden drive, with a TrueCrypt container inside. Only three weeks ago.

I came home tonight, and while doing some of my pentesting, realised I needed access to my TrueCrypt container. As usual, I plugged the micro-USB cord in and mounted the hidden drive without a problem. Phew! One layer of security down, only one more password left to remember, the one for the TrueCrypt container itself.

Tensed. Stressed. Confused. Dead.

No luck. "Incorrect password or not a TrueCrypt volume."

Another try:
"Incorrect password or not a TrueCrypt volume."

"F****** hell" I thought to myself. I do infosec research and I can't even remember my own TrueCrypt passwords? Screw this. There has to be a way to get it back.

Let me give you a bit of insight about the password itself. It was over 20 characters, so say goodbye to a traditional character-by-character brute force. It was a combination of several of my other passwords, joined together in an order I had forgotten (great! That is something I could work with).

I quickly moved on to other options, and I am going to tell you how I recovered my password. This doesn't necessarily apply to everyone (obviously I was stupid enough to forget my password in the first place), but searching for lost TrueCrypt passwords yielded quite a few results.

This was my flow of thought:
1. Make a list of every password I have used in the last year. I literally sat down with a whiteboard, closed the door, in total peace, and did this.
2. Write a script that generates every permutation of the passwords on that list, joining them together, which ultimately becomes my "wordlist".
3. Find effective software, or write my own, that tries every candidate in that wordlist against the TrueCrypt container.

First and foremost. I recommend you download this beautiful piece of software by tateu at


This is Windows software. Sorry, Linux users! If you are on Linux, I recommend

Anyway, back to the point. I had made my list of passwords, and I had the right software to do the job. All that was left was writing the permutation script. I did this in Python 2.7.


Note: Where the code calls itertools.permutations(l1, 1), the second argument is how many fragments are joined together to form each candidate, so make sure it matches how deep you want the permutations to go. For example, with a list of "pass1", "pass2" and "pass3", changing the "1" to a "2" gives every ordered pair (pass1pass2, pass2pass1, pass1pass3, and so on), and a "3" gives every ordered triple. A single call only produces candidates of that one depth, so if you are not sure how many passwords you joined, run it for each depth you consider possible. Also remember that permutations never reuse the same list entry within one candidate; if a password could appear twice, itertools.product is what you want instead.
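The wordlist generator as an added example, not the script from the original post (that one is Python 2.7 and built around itertools.permutations(l1, r); this is a Python 3 reimplementation of the same idea). It makes the depth explicit, iterates every depth from 1 up to a maximum so you are not betting on one guess of how many fragments were joined, drops candidates that cannot be a TrueCrypt password (TrueCrypt caps passwords at 64 characters) or are shorter than what you remember, and reports the candidate count and file size before you hand the file to OTFBrutus. The fragments pass1, pass2 and pass3 are constructed stand-ins for a real list of old passwords; the output path in the temp directory is an assumption, the post wrote to C:\.

```python
"""Build a TrueCrypt candidate wordlist from remembered password fragments.

Added example, not the script from the post. Python 3; the post's script
was Python 2.7 and used itertools.permutations(l1, r) in the same way.
"""
import itertools
import os
import tempfile

# Constructed sample fragments (stand-ins for the real list of old passwords).
SAMPLE_FRAGMENTS = ["pass1", "pass2", "pass3"]

# TrueCrypt refuses passwords longer than 64 characters, so any candidate
# above that can never be the right one and only bloats the wordlist.
TRUECRYPT_MAX_PASSWORD = 64


def candidates(fragments, depth, separator=""):
    """Yield every ordered arrangement of `depth` distinct fragments.

    `depth` is the second argument of itertools.permutations: 1 emits each
    fragment on its own, 2 every ordered pair, 3 every ordered triple.
    A fragment is never reused inside one candidate; switch to
    itertools.product(fragments, repeat=depth) if one password could
    appear twice in the joined result.
    """
    for combo in itertools.permutations(fragments, depth):
        yield separator.join(combo)


def build_wordlist(fragments, max_depth, min_depth=1, separator="",
                   min_length=0, max_length=TRUECRYPT_MAX_PASSWORD):
    """Return de-duplicated candidates for every depth in [min_depth, max_depth].

    Iterating all depths covers the case where you do not know how many
    fragments were joined. The length filters throw away candidates that
    are shorter than what you remember or longer than TrueCrypt allows.
    """
    seen = set()
    out = []
    for depth in range(min_depth, max_depth + 1):
        for word in candidates(fragments, depth, separator):
            if not (min_length <= len(word) <= max_length):
                continue
            if word not in seen:
                seen.add(word)
                out.append(word)
    return out


def candidate_count(n_fragments, max_depth, min_depth=1):
    """Permutations before de-duplication and filtering: sum of n!/(n-r)!.

    Check this before generating; 20 fragments at depth 4 is already 116,280
    lines, and the post notes the GUI crashed on files over about 20 MB.
    """
    total = 0
    for r in range(min_depth, max_depth + 1):
        perms = 1
        for k in range(r):
            perms *= n_fragments - k   # becomes 0 once r exceeds n
        total += perms
    return total


def wordlist_size_bytes(words, newline="\r\n"):
    """Bytes the wordlist file will occupy, one candidate per line."""
    return sum(len(w.encode("utf-8")) + len(newline) for w in words)


def default_output_path():
    """Assumed output location (the post wrote its file to the C:\\ drive)."""
    return os.path.join(tempfile.gettempdir(), "truecrypt_wordlist.txt")


def write_wordlist(path, words, newline="\r\n"):
    """Write one candidate per line and return the file size in bytes.

    CRLF line endings for a Windows tool; newline="" stops Python from
    translating them a second time on Windows.
    """
    with open(path, "w", encoding="utf-8", newline="") as fh:
        for w in words:
            fh.write(w + newline)
    return os.path.getsize(path)


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_FRAGMENTS, max_depth=3)
    print("%d raw permutations, %d candidates after filtering, %d bytes"
          % (candidate_count(len(SAMPLE_FRAGMENTS), 3),
             len(words), wordlist_size_bytes(words)))
    print("written %d bytes to %s"
          % (write_wordlist(default_output_path(), words), default_output_path()))
```

With the three sample fragments and max_depth=3 this produces 15 candidates (3 singles, 6 pairs, 6 triples); the author's remembered detail that the real password was over 20 characters translates directly into min_length=21, which discards every candidate that cannot be right before OTFBrutus ever tries it.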

So, running this script saved a text file to the C:\ drive with every possible combination of pass1, pass2 and pass3 as given in the list. Fair enough. Now all I had left to do was brute-force my TrueCrypt container.
As an example, this is what my file looked like:

Since I had an overwhelming number of passwords, my txt file itself was over 8 MB. But that was okay, because OTFBrutusGUI was able to handle it! Note: For me, any text file over 20 MB made the program crash. In that case, use the command line version of the software, which can be found here: <= source code <= bin file

Continuing on: I entered the configurations in OTFBrutusGUI and was able to recover my TrueCrypt password. Success after 4 hours. I assure you, it was a great stress for me and I was going crazy. I had dropped absolutely everything and had taken my complete attention to getting this password back.

So relieved that I got it back. I hope you do too.

P.S. I was lucky. I stored my passwords in a manner which was logic based. My passes may have been scattered around in plain text all over the internet, but even if I were to have been compromised, the passwords were in an order which only I really knew, and it would never really be obvious to an intruder to think, "HEY THIS MUST BE A PART OF HIS TRUECRYPT PASSWORD!" Thanks for reading. Hope you enjoyed my afternoon/nighttime misery.

Monday 11 March 2013

"Douchebag" iiNet - Reported XSS, No response.

In September 2012, I decided to responsibly disclose a few serious iiNet vulnerabilities. It is part of my beliefs that responsible disclosure is a MUST in this industry if we want to move towards a more secure web experience for everyone.

Toying around with a few vectors on their toolbox had led me to a GET-based XSS as well as HTML injection. After finding this, I decided to call iiNet and see what they had to say. Of course, I got pushed around from department to department, simply because I was a good Samaritan on the internet.

Eventually, I reached a dead end and was advised to send an email to, and in doing so, I fully disclosed the vulnerability, its effects and possible prevention methods. It took them over 3 months to fix it. Want to know what's worse? They didn't even reply.

Yes. I am talking about iiNet, considered a "good" ISP due to their "responsive" customer service. This certainly wasn't the case for me.

If you run a website or web service and a penetration tester is willing to discuss his or her findings, take the opportunity. Chances are they are just trying to help, and if they are not asking for anything in return, consider them a person with decent moral standing.

The XSS vulnerabilities on iiNet are NOW fixed, but no reply has been issued to me, not even a simple two word response "Thank you".

Note: For those who wish to get any sort of proof or even perhaps a more detailed discussion about this personally, feel free to contact me.