TrueCrack

Overview

TrueCrack is a specialized password cracking tool designed to recover passwords for TrueCrypt and VeraCrypt encrypted volumes. It uses GPU acceleration to perform brute force and dictionary attacks against encrypted containers, making it significantly faster than CPU-only approaches. TrueCrack is commonly used in forensic investigations and authorized penetration testing to recover access to encrypted storage devices.

TrueCrack leverages NVIDIA CUDA and OpenCL for GPU acceleration, achieving millions of passwords-per-second throughput compared to thousands with CPU-only methods.

Installation

Prerequisites

# Install CUDA toolkit (for NVIDIA GPU)
sudo apt-get install nvidia-cuda-toolkit

# Install OpenCL libraries (for AMD GPU)
sudo apt-get install ocl-icd-libopencl1 amdgpu-pro

# Python and libraries
sudo apt-get install python3 python3-pip

From Kali Linux

sudo apt-get update
sudo apt-get install truecrack

From Source

git clone https://github.com/e-ago/truecrack.git
cd truecrack
make

Docker Installation

docker run --gpus all -it kalilinux/kali-rolling truecrack

Basic Usage

| Command | Purpose |
| --- | --- |
| truecrack -t VOLUME | Start cracking TrueCrypt/VeraCrypt volume |
| truecrack -t VOLUME -w WORDLIST | Dictionary attack with wordlist |
| truecrack -t VOLUME -c CHARSET | Brute force with character set |
| truecrack -t VOLUME -k KEYFILE | Test with keyfile |
| truecrack -t VOLUME --outdir DIR | Save recovery log |

Volume Preparation

Mounting Encrypted Volumes

# Identify encrypted volume
lsblk -a
sudo fdisk -l

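# Example: /dev/sdb1 is the encrypted volume
# (-s makes file read the block device contents instead of reporting "block special")
sudo file -s /dev/sdb1
# TrueCrypt/VeraCrypt volumes carry no identifying signature, so file typically reports only "data"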

Creating Test Volumes

# Create TrueCrypt volume for testing
truecrypt --create test_volume.tc --size 100M --password testpass123

# Create VeraCrypt volume
veracrypt --create test_volume.vc --size 100M --password testpass123

# Verify volume
file test_volume.tc

Volume Extraction

# Extract volume file from mounted USB
sudo dd if=/dev/sdb1 of=encrypted_volume.tc bs=4M

# Verify extraction
ls -lh encrypted_volume.tc
file encrypted_volume.tc

Dictionary Attack

Basic Dictionary Cracking

# Single wordlist attack
truecrack -t encrypted_volume.tc -w /usr/share/wordlists/rockyou.txt

# Output shows password if found:
# [+] Password found: MyPassword123!
# [+] Time elapsed: 2 min 34 sec

Multiple Wordlists

# Chain multiple wordlists
cat wordlist1.txt wordlist2.txt > combined.txt
truecrack -t encrypted_volume.tc -w combined.txt

# Test common passwords
truecrack -t encrypted_volume.tc -w /usr/share/wordlists/fasttrack.txt

Wordlist Generation

# Generate custom wordlist from keywords
crunch 8 12 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" > custom.txt

# De-duplicate a dictionary via hashcat's --stdout mode
# (no rules are applied here; add -r <rulefile> to generate mutations)
hashcat -w 1 --stdout rockyou.txt | sort -u > expanded.txt

# Create date-based passwords
for year in 2015 2016 2017 2018 2019 2020 2021; do
    echo "Password$year" >> dates.txt
done

truecrack -t encrypted_volume.tc -w dates.txt

Brute Force Attack

Character Set Definition

# Lowercase letters only
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -m 8

# Numbers only
truecrack -t encrypted_volume.tc -c "0123456789" -m 8

# Alphanumeric
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" -m 8

# Special characters included
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()" -m 8

Length Parameters

# Set minimum length
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -m 4

# Set maximum length
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -M 8

# Range: minimum and maximum
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" -m 6 -M 10

GPU Acceleration Options

# Use NVIDIA GPU
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --gpu nvidia

# Use AMD GPU
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --gpu amd

# Use all available devices
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --gpu all

# Specify GPU device
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --device 0

Keyfile Cracking

Keyfile Attack

# Test with suspected keyfile
truecrack -t encrypted_volume.tc -k keyfile.bin

# Multiple keyfiles
for keyfile in *.bin; do
    truecrack -t encrypted_volume.tc -k "$keyfile"
done

Keyfile Generation

# Extract potential keyfile from disk
sudo dd if=/dev/sdb of=potential_key.bin bs=1 count=64 skip=1000000

# Test extracted keyfile
truecrack -t encrypted_volume.tc -k potential_key.bin

# Common keyfile locations
sudo find / -name "*.key" 2>/dev/null | while IFS= read -r keyfile; do
    truecrack -t encrypted_volume.tc -k "$keyfile"
done

Advanced Attack Strategies

Hybrid Attack (Dictionary + Brute Force)

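# Dictionary attack followed by patterns
# (hashcat mode 13711 is a VeraCrypt mode; choose the mode that matches the volume type)
hashcat -a 6 -m 13711 encrypted_volume.tc rockyou.txt '?d?d?d'

# Use rules on dictionary (--stdout writes the mutated candidates to a file)
hashcat --stdout -r rules/best64.rule rockyou.txt > mutated.txt
truecrack -t encrypted_volume.tc -w mutated.txt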

Pattern-Based Attacks

# Test common patterns
patterns="Password1 Password123 Admin123 Welcome2021 Company123"
echo "$patterns" | tr ' ' '\n' > patterns.txt
truecrack -t encrypted_volume.tc -w patterns.txt

Rainbow Table Attack

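# Create pre-computed hashes (time-intensive, runs once)
# Note: "rtgen LM" builds tables for LM hashes. TrueCrypt/VeraCrypt header keys
# are derived with PBKDF2 and a random per-volume salt, so a table precomputed
# for one volume does not apply to any other volume.
rtgen LM alpha 1 8 0 3000 0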

# Use with truecrack
truecrack -t encrypted_volume.tc --rainbow rainbow_table.rt

Performance Optimization

GPU Utilization

# Check GPU status
nvidia-smi

# Monitor GPU during cracking
watch -n 1 nvidia-smi

# Adjust GPU memory usage
truecrack -t encrypted_volume.tc -w rockyou.txt --gpu-mem 4096

Performance Benchmarking

# Benchmark cracking speed
truecrack -t encrypted_volume.tc -c "abcdefghijklmnopqrstuvwxyz" --benchmark

# Output shows:
# Passwords per second: 15,234,567
# Estimated time for 8-char password: ~14 hours

Parallel Processing

# Use multiple GPU devices
truecrack -t encrypted_volume.tc -w rockyou.txt --device 0,1,2,3

# Split the wordlist into chunks and run them as parallel jobs
# (copy the chunks to other hosts to distribute across machines)
split -l 1000000 rockyou.txt wordlist_
for file in wordlist_*; do
    truecrack -t encrypted_volume.tc -w "$file" &
done
wait

VeraCrypt Specific Options

VeraCrypt Volume Detection

# Identify VeraCrypt volumes
file encrypted_volume.vc

# Test VeraCrypt-specific features
truecrack -t encrypted_volume.vc --veracrypt

# VeraCrypt hidden volume
truecrack -t encrypted_volume.vc --veracrypt --hidden

VeraCrypt Algorithms

# Specify encryption algorithm
truecrack -t encrypted_volume.vc --algorithm AES

# Test multiple algorithms
for algo in AES Serpent Twofish; do
    truecrack -t encrypted_volume.vc --algorithm $algo -w rockyou.txt
done

VeraCrypt with PIM (Personal Iterations Multiplier)

# Standard PIM (default)
truecrack -t encrypted_volume.vc -w rockyou.txt

# Explicit PIM value (485 matches the VeraCrypt default for non-system volumes using SHA-512 or Whirlpool)
truecrack -t encrypted_volume.vc -w rockyou.txt --pim 485

# Test PIM range
for pim in 485 1000 5000; do
    truecrack -t encrypted_volume.vc -w rockyou.txt --pim $pim
done

Recovery and Verification

Successful Recovery

# When password found
[+] Password found: MySecurePassword123!
[+] Time elapsed: 2 min 34 sec
[+] Total attempts: 45,234,567

# Mount recovered volume
truecrypt --text --mount --password "MySecurePassword123!" encrypted_volume.tc /mnt/recovered

# Verify access
ls -la /mnt/recovered/

Save Progress

# Resume from checkpoint
truecrack -t encrypted_volume.tc -w rockyou.txt --resume checkpoint.bin

# Save progress every N seconds
truecrack -t encrypted_volume.tc -w rockyou.txt --save-interval 300

Logging

# Save detailed log
truecrack -t encrypted_volume.tc -w rockyou.txt --log cracking.log

# Monitor log in real-time
tail -f cracking.log

# Extract successful password
grep "found\|succeeded" cracking.log

Forensic Applications

Chain of Custody

# Create forensic copy
sudo dcfldd if=/dev/sdb of=forensic_image.dd hashlog=dcfldd.log

# Calculate hash
sudo md5sum forensic_image.dd > forensic_image.md5

# Work on copy, not original
truecrack -t forensic_image.dd -w rockyou.txt
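
One way to enforce "work on copy, not original" with a recorded digest, as an added example that is not part of the original cheat sheet. It uses SHA-256 rather than the MD5 shown above; the function names and the custody.log format are assumptions, and the demo runs on a constructed sample file.

```bash
#!/usr/bin/env bash
# Added example: integrity-checked working copy of an evidence image.
# Function names and the custody log format are hypothetical.

# Record the acquisition digest next to the image and make both read-only.
record_hash() {
    local dir base
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    ( cd -- "$dir" && sha256sum -- "$base" > "$base.sha256" ) || return 1
    chmod a-w -- "$1" "$1.sha256"
}

# Succeeds only if the image still matches its recorded digest.
verify_hash() {
    local dir base
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    ( cd -- "$dir" && sha256sum --check --status -- "$base.sha256" )
}

# Copy the image into WORKDIR only if the original verifies, confirm the
# copy carries the same digest, and append a line to the custody log.
make_working_copy() {
    local image=$1 workdir=$2 log=$3 copy digest
    verify_hash "$image" || { echo "original fails verification: $image" >&2; return 1; }
    copy="$workdir/$(basename -- "$image")"
    cp -- "$image" "$copy" || return 1
    digest=$(sha256sum -- "$copy" | cut -d' ' -f1)
    if ! grep -q "^$digest " "$image.sha256"; then
        echo "working copy does not match recorded digest" >&2
        rm -f -- "$copy"; return 1
    fi
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$digest" "$copy" >> "$log"
    printf '%s\n' "$copy"
}

# Demo on a constructed sample file (not real evidence).
custody_demo() {
    local tmp; tmp=$(mktemp -d) || return 1
    printf 'constructed sample image bytes\n' > "$tmp/forensic_image.dd"
    mkdir "$tmp/work"
    record_hash "$tmp/forensic_image.dd" &&
        make_working_copy "$tmp/forensic_image.dd" "$tmp/work" "$tmp/custody.log" &&
        cat "$tmp/custody.log"
    rm -rf -- "$tmp"
}
custody_demo
```

If the original image changes after acquisition, make_working_copy refuses to create a copy and nothing is appended to the log.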

Documentation

# Create incident report
cat > incident_report.txt << EOF
Evidence: encrypted_volume.tc
Date collected: $(date)
Hash: $(md5sum encrypted_volume.tc)
Method: Dictionary attack with GPU acceleration
Wordlist: rockyou.txt
Result: Password recovered
Password: [REDACTED]
Time elapsed: 2 hours 45 minutes
EOF

Troubleshooting

Common Issues

| Issue | Solution |
| --- | --- |
| GPU not detected | Install proper drivers: nvidia-smi |
| Memory error | Reduce GPU memory, use CPU mode |
| Volume not recognized | Verify volume type with file command |
| No progress shown | Check volume path, ensure sufficient permissions |
| Extremely slow cracking | Verify GPU is being used, check memory |

Debug Mode

# Verbose output
truecrack -t encrypted_volume.tc -w rockyou.txt -v

# Show all attempts
truecrack -t encrypted_volume.tc -w rockyou.txt -vv

# Debug GPU initialization
truecrack --debug-gpu

Performance Diagnosis

# Check CUDA installation
nvcc --version

# Test GPU memory
nvidia-smi --query-gpu=memory.total --format=csv

# Verify OpenCL
clinfo | grep Device

Estimation and Planning

Time Estimation Calculator

# Calculate estimated time
# For 8-character lowercase: 26^8 = 208,827,064,576 combinations
# At 15M passwords/sec: ~4 hours

# For 8-character alphanumeric: 62^8 = 218,340,105,584,896
# At 15M passwords/sec: ~4,043 hours (about 168 days)

# Estimate function
estimate_time() {
    charset_size=$1
    password_length=$2
    speed=$3
    # awk computes in floating point, which avoids 64-bit shell overflow
    # on large keyspaces and hours truncated by integer division
    awk -v c="$charset_size" -v n="$password_length" -v s="$speed" \
        'BEGIN { printf "Estimated time: %.1f hours\n", (c ^ n) / s / 3600 }'
}

# Example: 26 chars, 8 length, 15M speed
estimate_time 26 8 15000000

Security Considerations

  1. Authorization: Only crack volumes you own or have explicit permission to test
  2. Data Protection: Handle recovered data with confidentiality protocols
  3. Legal Compliance: Follow applicable laws and organizational policies
  4. Documentation: Maintain detailed records for audit trails
  5. Destruction: Securely destroy sensitive recovered data when no longer needed

Resources

TrueCrack is essential for forensic investigators and security professionals who need to recover access to encrypted TrueCrypt and VeraCrypt volumes during authorized investigations and penetration testing engagements.