• RSS
  • Twitter
  • Facebook

Wednesday 15 May 2013

My Wednesday night failure: How to bruteforce Truecrypt passwords for dummies with OTFBrutus!

The last 4 hours have been traumatic for me.
It had been three weeks since I had put extra security in the way that I store my Truecrypt containers and drives. Only three weeks ago, I had formatted my portable hdd and had added a hidden drive, with a truecrypt container inside. Only three weeks ago.

I came home tonight, and while doing some of my pentesting, realised I needed access to my truecrypt. As usual, I plugged the micro-usb cord in and mounted the hidden drive without a problem. Phew! One layer of security down, only one more password left to remember for the truecrypt container.

Tensed. Stressed. Confused. Dead.

No luck. "Incorrect password or not a TrueCrypt volume."

Another try:
"Incorrect password or not a TrueCrypt volume."

"F****** hell" I thought to myself. I do info sec research and I can't even remember my own truecrypt passwords? Screw this. There has to be a way to get it back.

Let me give you a bit of insight about the password itself. It was over 20 characters, so say goodbye to traditional bruteforce technique. It was a combination of different passwords in which I had forgotten the order of (Great! I could work on this).

I quickly ran to other options, and I am going to tell you how I recovered my password. This doesn't necessarily apply to everyone and anyone (obviously I was stupid enough to forget my password in the first place) but searching about lost truecrypt passwords yielded quite a few results.

This was my flow of thought:
1. Make a list of every password I have ever had for the last year. I literally sat down with a whiteboard, closed the door, in total peace, and did this.
2. Create a script which could create a permutation of the list of passwords I had just made, hence ultimately  forming my "wordlist"
3. Find an effective software, or write my own software to actually attempt every possible combination of passwords I had recorded with the truecrypt container.

First and foremost. I recommend you download this beautiful piece of software by tateu at


This is a windows software. Sorry linux users! If you are on linux, I recommend

Anywho, back to the point. I had made my list of passwords, and I had the right software to do the job. Now all that was left was creating the permuatation script. I did this in Python (2.7)


Note: Where the code states itertools.permutations(l1, 1)) - please make sure the "1" is the right number of how deep you want the permutations to go. For example, if I had a list of "pass1", "pass2" and "pass3" and I wanted every combination for every pair, I would change the "1" to a "2". If I wanted every combination for every 3 joined strings, I would change it to a "3".

So, by running this script, it saved a text file to C:\ drive with every possible combo of pass1 pass2 and pass3 as stated in the list. Fair enough. Now all I had left to do was bruteforce my truecrypt drive.
As an example, this is how my file looked like:

Since I had an overwhelming amount of passwords, my txt file itself was over 8mb. But that was okay, because OTFBrutusGUI was able to handle it! Note: For myself, any text file over 20 mb made the program crash. In that case, use the command line version of the software, which can be found here: <= source code <= bin file

Continuing on: I entered the configurations in OTFBrutusGUI and was able to recover my TrueCrypt password. Success after 4 hours. I assure you, it was a great stress for me and I was going crazy. I had dropped absolutely everything and had taken my complete attention to getting this password back.

So relieved that I got it back. I hope you do too.

P.S. I was lucky. I stored my passwords in a manner which was logic based. My passes may have been scattered around in plain text all over the internet, but even if I were to have been compromised, the passwords were in an order which only I really knew, and it would never really be obvious to an intruder to think, "HEY THIS MUST BE A PART OF HIS TRUECRYPT PASSWORD!" Thanks for reading. Hope you enjoyed my afternoon/nighttime misery.