TrueCrypt is a now discontinued encryption tool. A little while ago I stumbled upon an old TrueCrypt volume; unfortunately I couldn't remember the exact passphrase! Thankfully I was able to use John the Ripper to find the password and recover my old data. This post is going to go through the steps required to do this.
Installing John the Ripper
There are a few different versions of John the Ripper; unfortunately the official release doesn't support TrueCrypt volumes, therefore the example in this post is going to use the community-enhanced Jumbo version of John the Ripper. On CentOS it can be downloaded and compiled with the following steps:
Install packages for building John the Ripper:
Clone the source code from GitHub:
Configure and compile the code:
If everything goes well you should now be able to run john from the run/ directory:
Note: for additional instructions refer to docs/INSTALL.
Extracting hashes
The jumbo version of John the Ripper comes with a Python script called truecrypt2john.py. This can be used to extract hashes from a TrueCrypt volume with a command similar to the following:
The resulting file will look something like the following:
There are multiple hashes for a single volume because it's not possible to tell which hashing algorithm was used. If you do remember which algorithm was used it's worth deleting the unused hashes as this will make running john quicker.
Generating a wordlist
Once you've run truecrypt2john, the hard part is coming up with a wordlist. In my case I knew the passphrase was a combination of a few passwords joined together. I used the following script to generate a wordlist with every possible two or three word combination:
Running the script generated a wordlist with 810 possible passphrases:
Note: if you just want a list of dictionary words you can use /usr/share/dict/words, assuming you've got the words package installed. You could also look at using a wordlist generation tool like crunch.
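The post's own generator script is not reproduced above, so here is an added example (not the author's script) of how such a wordlist can be built. It treats the remembered fragments as an ordered set: every arrangement of two or three distinct words is written out, since "redblue" and "bluered" are different passphrases. With ten fragments that is 10*9 + 10*9*8 = 810 lines, which matches the count the post reports; the function also generalises to other lengths and to a separator between words. The word list in the block is constructed for illustration, and the output filename wordlist.txt is an assumption.

```python
"""Generate every ordered passphrase made from 2 or 3 distinct remembered words.

Added example, not the original post's script. SAMPLE_WORDS below is a
constructed list; replace it with the fragments you actually remember.
"""
from itertools import permutations
from pathlib import Path
from typing import Iterable, Iterator, Sequence


def passphrase_candidates(words: Iterable[str],
                          lengths: Sequence[int] = (2, 3),
                          separator: str = "") -> Iterator[str]:
    """Yield each ordered arrangement of k distinct words for every k in `lengths`.

    Order matters, so itertools.permutations is used rather than combinations.
    Duplicate input words are collapsed first (order preserved) so the wordlist
    never contains the same line twice, which would only waste cracking time.
    """
    unique = list(dict.fromkeys(words))
    for k in lengths:
        for combo in permutations(unique, k):
            yield separator.join(combo)


def expected_count(n: int, lengths: Sequence[int] = (2, 3)) -> int:
    """Number of lines passphrase_candidates emits for n distinct words.

    For each length k this is the falling factorial n*(n-1)*...*(n-k+1);
    lengths greater than n contribute nothing.
    """
    total = 0
    for k in lengths:
        if k > n:
            continue
        product = 1
        for i in range(k):
            product *= n - i
        total += product
    return total


def write_wordlist(words: Iterable[str], path: str,
                   lengths: Sequence[int] = (2, 3),
                   separator: str = "") -> int:
    """Write one candidate per line to `path` and return how many were written."""
    lines = list(passphrase_candidates(words, lengths, separator))
    Path(path).write_text("".join(line + "\n" for line in lines))
    return len(lines)


# Constructed sample fragments for the example; not real passwords.
SAMPLE_WORDS = ["alpha", "bravo", "charlie", "delta", "echo",
                "foxtrot", "golf", "hotel", "india", "juliet"]

if __name__ == "__main__":
    written = write_wordlist(SAMPLE_WORDS, "wordlist.txt")
    # Ten words, lengths 2 and 3: 90 + 720 = 810 candidates.
    print(f"wrote {written} candidate passphrases to wordlist.txt")
```

The resulting file is the kind of input john expects for its --wordlist option (e.g. --wordlist=wordlist.txt), after which --show lists any matches as described in the next section. Keep the fragment list small and specific: the count grows as the falling factorial of the number of words, so adding a fourth length or a few more words multiplies the run time quickly.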
Running john
Once you've got a wordlist, john can be used to try to brute force the password:
If everything goes well the --show option will print any matches:
Note: for obvious reasons this post doesn't use real passwords!