TrueCrack
Overview
TrueCrack is a specialized password cracking tool designed to recover passwords for TrueCrypt and VeraCrypt encrypted volumes. It uses GPU acceleration to perform brute force and dictionary attacks against encrypted containers, making it significantly faster than CPU-only approaches. TrueCrack is commonly used in forensic investigations and authorized penetration testing to recover access to encrypted storage devices.
TrueCrack leverages NVIDIA CUDA and OpenCL for GPU acceleration, achieving millions of passwords-per-second throughput compared to thousands with CPU-only methods.
Installation
Prerequisites
# Install CUDA toolkit (for NVIDIA GPU)
sudo apt-get install nvidia-cuda-toolkit
# Install OpenCL libraries (for AMD GPU)
sudo apt-get install ocl-icd-libopencl1 amdgpu-pro
# Python and libraries
sudo apt-get install python3 python3-pip
From Kali Linux
sudo apt-get update
sudo apt-get install truecrack
From Source
git clone https://github.com/e-ago/truecrack.git
cd truecrack
make
Docker Installation
docker run --gpus all -it kalilinux/kali-rolling truecrack
Basic Usage
| Command | Purpose |
|---|---|
| truecrack -t VOLUME | Start cracking TrueCrypt/VeraCrypt volume |
| truecrack -t VOLUME -w WORDLIST | Dictionary attack with wordlist |
| truecrack -t VOLUME -c CHARSET | Brute force with character set |
| truecrack -t VOLUME -k KEYFILE | Test with keyfile |
| truecrack -t VOLUME --outdir DIR | Save recovery log |
Volume Preparation
Mounting Encrypted Volumes
# Identify encrypted volume
lsblk -a
sudo fdisk -l
# Example: /dev/sdb1 is the encrypted volume
sudo file /dev/sdb1
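# TrueCrypt/VeraCrypt volumes carry no header signature, so this reports plain "data";
# "LUKS encrypted file, ..." would mean a LUKS volume instead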
Creating Test Volumes
# Create TrueCrypt volume for testing
truecrypt --create test_volume.tc --size 100M --password testpass123
# Create VeraCrypt volume
veracrypt --create test_volume.vc --size 100M --password testpass123
# Verify volume
file test_volume.tc
Volume Extraction
# Extract volume file from mounted USB
sudo dd if=/dev/sdb1 of=encrypted_volume.tc bs=4M
# Verify extraction
ls -lh encrypted_volume.tc
file encrypted_volume.tc
Dictionary Attack
Basic Dictionary Cracking
# Single wordlist attack
truecrack -t encrypted_volume.tc -w /usr/share/wordlists/rockyou.txt
# Output shows password if found:
# [+] Password found: MyPassword123!
# [+] Time elapsed: 2 min 34 sec
Multiple Wordlists
# Chain multiple wordlists
cat wordlist1.txt wordlist2.txt > combined.txt
truecrack -t encrypted_volume.tc -w combined.txt
# Test common passwords
truecrack -t encrypted_volume.tc -w /usr/share/wordlists/fasttrack.txt
Wordlist Generation
# Generate custom wordlist from keywords
crunch 8 12 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" > custom.txt
# Generate from dictionary with mutations
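# (--stdout prints candidates instead of cracking; the -r rule file applies the mutations)
hashcat --stdout -r rules/best64.rule rockyou.txt | sort -u > expanded.txt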
# Create date-based passwords
for year in 2015 2016 2017 2018 2019 2020 2021; do
echo "Password$year" >> dates.txt
done
truecrack -t encrypted_volume.tc -w dates.txt
Brute Force Attack
Character Set Definition
# Lowercase letters only
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -m 8
# Numbers only
truecrack -t encrypted_volume.tc -c "0123456789" -m 8
# Alphanumeric
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" -m 8
# Special characters included
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()" -m 8
Length Parameters
# Set minimum length
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -m 4
# Set maximum length
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -M 8
# Range: minimum and maximum
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -m 6 -M 10
GPU Acceleration Options
# Use NVIDIA GPU
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --gpu nvidia
# Use AMD GPU
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --gpu amd
# Use all available devices
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --gpu all
# Specify GPU device
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --device 0
Keyfile Cracking
Keyfile Attack
# Test with suspected keyfile
truecrack -t encrypted_volume.tc -k keyfile.bin
# Multiple keyfiles
for keyfile in *.bin; do
truecrack -t encrypted_volume.tc -k "$keyfile"
done
Keyfile Generation
# Extract potential keyfile from disk
sudo dd if=/dev/sdb of=potential_key.bin bs=1 count=64 skip=1000000
# Test extracted keyfile
truecrack -t encrypted_volume.tc -k potential_key.bin
# Common keyfile locations
sudo find / -name "*.key" 2>/dev/null | while IFS= read -r keyfile; do
truecrack -t encrypted_volume.tc -k "$keyfile"
done
Advanced Attack Strategies
Hybrid Attack (Dictionary + Brute Force)
# Dictionary attack followed by patterns
# (hashcat mode 13711 is VeraCrypt RIPEMD-160 + XTS 512-bit; the TrueCrypt equivalent is 6211)
hashcat -a 6 -m 13711 encrypted_volume.tc rockyou.txt '?d?d?d'
# Use rules on dictionary (--stdout writes the mutated candidates instead of cracking)
hashcat --stdout -r rules/best64.rule rockyou.txt > mutated.txt
truecrack -t encrypted_volume.tc -w mutated.txt
Pattern-Based Attacks
# Test common patterns
patterns="Password1 Password123 Admin123 Welcome2021 Company123"
echo "$patterns" | tr ' ' '\n' > patterns.txt
truecrack -t encrypted_volume.tc -w patterns.txt
Rainbow Table Attack
# Create pre-computed hashes (time-intensive, runs once)
rtgen LM alpha 1 8 0 3000 0
# Use with truecrack
truecrack -t encrypted_volume.tc --rainbow rainbow_table.rt
Performance Optimization
GPU Utilization
# Check GPU status
nvidia-smi
# Monitor GPU during cracking
watch -n 1 nvidia-smi
# Adjust GPU memory usage
truecrack -t encrypted_volume.tc -w rockyou.txt --gpu-mem 4096
Performance Benchmarking
# Benchmark cracking speed
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --benchmark
# Output shows:
# Passwords per second: 15,234,567
# Estimated time for 8-char password: ~14 hours
Parallel Processing
# Use multiple GPU devices
truecrack -t encrypted_volume.tc -w rockyou.txt --device 0,1,2,3
# Distribute across machines
split -l 1000000 rockyou.txt wordlist_
for file in wordlist_*; do
truecrack -t encrypted_volume.tc -w "$file" &
done
wait
VeraCrypt Specific Options
VeraCrypt Volume Detection
# Identify VeraCrypt volumes
file encrypted_volume.vc
# Test VeraCrypt-specific features
truecrack -t encrypted_volume.vc --veracrypt
# VeraCrypt hidden volume
truecrack -t encrypted_volume.vc --veracrypt --hidden
VeraCrypt Algorithms
# Specify encryption algorithm
truecrack -t encrypted_volume.vc --algorithm AES
# Test multiple algorithms
for algo in AES Serpent Twofish; do
truecrack -t encrypted_volume.vc --algorithm $algo -w rockyou.txt
done
VeraCrypt with PIM (Personal Iterations Multiplier)
# Standard PIM (default)
truecrack -t encrypted_volume.vc -w rockyou.txt
# Custom PIM value
truecrack -t encrypted_volume.vc -w rockyou.txt --pim 485
# Test PIM range
for pim in 485 1000 5000; do
truecrack -t encrypted_volume.vc -w rockyou.txt --pim $pim
done
Recovery and Verification
Successful Recovery
# When password found
[+] Password found: MySecurePassword123!
[+] Time elapsed: 2 min 34 sec
[+] Total attempts: 45,234,567
# Mount recovered volume
truecrypt --text --mount --password "MySecurePassword123!" encrypted_volume.tc /mnt/recovered
# Verify access
ls -la /mnt/recovered/
Save Progress
# Resume from checkpoint
truecrack -t encrypted_volume.tc -w rockyou.txt --resume checkpoint.bin
# Save progress every N seconds
truecrack -t encrypted_volume.tc -w rockyou.txt --save-interval 300
Logging
# Save detailed log
truecrack -t encrypted_volume.tc -w rockyou.txt --log cracking.log
# Monitor log in real-time
tail -f cracking.log
# Extract successful password
grep "found\|succeeded" cracking.log
Forensic Applications
Chain of Custody
# Create forensic copy
sudo dcfldd if=/dev/sdb of=forensic_image.dd hashlog=dcfldd.log
# Calculate hash
sudo md5sum forensic_image.dd > forensic_image.md5
# Work on copy, not original
truecrack -t forensic_image.dd -w rockyou.txt
Documentation
# Create incident report
cat > incident_report.txt << EOF
Evidence: encrypted_volume.tc
Date collected: $(date)
Hash: $(md5sum encrypted_volume.tc)
Method: Dictionary attack with GPU acceleration
Wordlist: rockyou.txt
Result: Password recovered
Password: [REDACTED]
Time elapsed: 2 hours 45 minutes
EOF
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| GPU not detected | Install proper drivers, then check with nvidia-smi |
| Memory error | Reduce GPU memory, use CPU mode |
| Volume not recognized | Verify volume type with file command |
| No progress shown | Check volume path, ensure sufficient permissions |
| Extremely slow cracking | Verify GPU is being used, check memory |
Debug Mode
# Verbose output
truecrack -t encrypted_volume.tc -w rockyou.txt -v
# Show all attempts
truecrack -t encrypted_volume.tc -w rockyou.txt -vv
# Debug GPU initialization
truecrack --debug-gpu
Performance Diagnosis
# Check CUDA installation
nvcc --version
# Test GPU memory
nvidia-smi --query-gpu=memory.total --format=csv
# Verify OpenCL
clinfo | grep Device
Estimation and Planning
Time Estimation Calculator
# Calculate estimated time
# For 8-character lowercase: 26^8 = 208,827,064,576 combinations
# At 15M passwords/sec: ~4 hours
# For 8-character alphanumeric: 62^8 = 218,340,105,584,896
# At 15M passwords/sec: ~4,043 hours (about 168 days)
# Estimate function
estimate_time() {
charset_size=$1
password_length=$2
speed=$3
total=$((charset_size ** password_length))
echo "Estimated time: $((total / speed / 3600)) hours"
}
# Example: 26 chars, 8 length, 15M speed
estimate_time 26 8 15000000
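The estimate above, extended as an added example (not TrueCrack's or this page's own code): it sums the keyspace over a length range with a 64-bit overflow guard and shows how a VeraCrypt PIM, as used in the PIM section, stretches the worst-case search time. The 15,000,000 guesses/sec at 1000 iterations is a constructed sample, the function names are hypothetical, and the guess rate is assumed to fall in proportion to the PBKDF2 iteration count.

```sh
#!/bin/sh
# Added example. BASE_RATE/BASE_ITERS are constructed sample values; the
# guess rate is assumed inversely proportional to the PBKDF2 iteration count.

# keyspace SIZE MIN MAX -> number of candidates with MIN..MAX characters,
# or "overflow" (status 1) when the count may not fit a signed 64-bit integer.
keyspace() (
  size=$1 min=$2 max=$3 total=0 term=1 len=1
  limit=2305843009213693952           # 2^61, conservative: keeps the sum < 2^63
  while [ "$len" -le "$max" ]; do
    if [ "$term" -gt $(( limit / size )) ]; then echo overflow; exit 1; fi
    term=$(( term * size ))
    if [ "$len" -ge "$min" ]; then total=$(( total + term )); fi
    len=$(( len + 1 ))
  done
  echo "$total"
)

# vc_iterations PIM -> iterations for a non-system VeraCrypt volume
# (VeraCrypt's documented formula: 15000 + PIM * 1000; PIM 485 gives 500000).
vc_iterations() { echo $(( 15000 + $1 * 1000 )); }

# scaled_rate RATE RATE_ITERS TARGET_ITERS -> guesses/sec at TARGET_ITERS
scaled_rate() { echo $(( $1 * $2 / $3 )); }

# worst_case_hours KEYSPACE RATE -> whole hours to exhaust the keyspace
worst_case_hours() { echo $(( $1 / $2 / 3600 )); }

BASE_RATE=15000000                    # constructed sample benchmark
BASE_ITERS=1000                       # iteration count assumed for that benchmark

space=$(keyspace 26 8 8)              # 8 lowercase letters, as in the comment above
for pim in 485 1000 5000; do          # PIM values from the PIM section
  iters=$(vc_iterations "$pim")
  rate=$(scaled_rate "$BASE_RATE" "$BASE_ITERS" "$iters")
  printf 'PIM %-5s iterations %-8s rate %-6s/s worst case %s hours\n' \
    "$pim" "$iters" "$rate" "$(worst_case_hours "$space" "$rate")"
done
```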
Security Considerations
- Authorization: Only crack volumes you own or have explicit permission to test
- Data Protection: Handle recovered data with confidentiality protocols
- Legal Compliance: Follow applicable laws and organizational policies
- Documentation: Maintain detailed records for audit trails
- Destruction: Securely destroy sensitive recovered data when no longer needed
Resources
- TrueCrack GitHub: https://github.com/e-ago/truecrack
- TrueCrypt Documentation: https://www.truecrypt.org/
- VeraCrypt Documentation: https://www.veracrypt.fr/
- NVIDIA CUDA: https://developer.nvidia.com/cuda-downloads
- GPU Password Cracking: https://hashcat.net/
TrueCrack is essential for forensic investigators and security professionals who need to recover access to encrypted TrueCrypt and VeraCrypt volumes during authorized investigations and penetration testing engagements.