Topic: John the Ripper and partially known password bruteforce (Read 385 times)

Your best shot is Hashcat with One rule to rule them all or a mask attack, what attacks have you tried?

/KX

He probably means this:

https://fossies.org/dox/john-1.9.0-jumbo-1/md_doc_DiskCryptor_HOWTO.html

Hashcat is much faster than john the ripper.

I highly recommend to use Hashcat instead of JohnTheRipper. Hashcat is an extremely powerful hash cracking tool and it supports Diskcryptor hashes. You can also use an advanced mask configuration to assist with the brute force process, adding in the characters you believe are already in place. Reference for Hashcat: https://hashcat.net/wiki/doku.php?id=hashcat

Hashcat works with "modes" with the "-m" flag for the command, so you can pick from the following modes for Diskcryptor:

  20011 | DiskCryptor SHA512 + XTS 512 bit                          
  20012 | DiskCryptor SHA512 + XTS 1024 bit                        
  20013 | DiskCryptor SHA512 + XTS 1536 bit

To perform the mask attack, with the "-a 3" flag for the command, using the information you already know about the password you can follow this guide for more information: https://hashcat.net/wiki/doku.php?id=mask_attack

For example this is the chat set for mask attacks:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

Your final command to crack a Diskcryptor hash might look like:

hashcat.exe -m 20011 -a 3


Edit: Also if you don't have sufficient compute on your personal device, you can rent AWS spot GPUs to assist with rapidly cracking and just pay by the hour. Once you build the right mask this should take a day or so to compete. I've gone through a 10 trillion keyspace cracking hashes with Hashcat on AWS resources in a few hours. Yours should be much less given you know some of the password.
 

What You mean by extracting hash? DiskCryptor uses choice of 3 user selectable hash algorithms together with random plaintext salt to derive header encryption key that unlocks a header containing the real encryption keys. And it is not possible to extract right hash without the proper password so Your post makes little sense to me.

have you extract the hash and how long should your password approximately be?

I heard or read somewhere that the folks in the password cracking scene (the white hat password crackers) are a quite helpful bunch.

From reading over your thread, I'd say that likelyhood of encryption header corruption isn't high, when two separate devices can't be unlocked. That said, I know nothing about this DiskCryptor 0.9.x software you used for your setup.

Have you investigated if there's any potential issues with hibernation mode with that software?
Likely this can be dismissed, too, as I assume it wasn't the first and only time you sent your device into hibernation mode with your encrypted disks.

When you are sure about certain chunks/pieces of your encryption password, then I'd seek help in the forums of John the Ripper or Hashcat. There are really knowledgeable people there who can assist you to create a decent password generator and mangling script to execute a sophisticated and feasible crack attack.

As you don't seem to be a computer noob, it should be obvious to only work on forensic copies of your encrypted disks. If you haven't done yet, make forensic copies of your encrypted harddisks, after that you can leave the original mechanical disks at rest.

As your encrypted disks hold a significant value, you should make multiple copies of the forensic copies to ensure you'll never loose any of the forensic copies by any chance.

You do your cracking only on copies of the forensic copies, if that's not clear and obvious already. The above mentioned cracking tools usually only need a certain portion of encrypted key material or encryption header to work on. If DiskCryptor is known to John the Ripper or Hashcat then usually there are tutorials or recipies how to extract such data for further cracking work.

Good luck and I'd appreciate to keep us posted of your unlocking journey! There's always some lesson to learn from this.

Have not checked after the incident, but I checked them at least one a month and they both were in great shape and also worked flawlessly. So the problem is not some sort of hardware failure.

I recall hibernation dump RAM content to the disk and load the dump to RAM once hibernation ends, so i doubt it's cosmic rays hit your RAM. And since you mention 2 drive, header corruption become unlikely. But just in case, have you checked S.M.A.R.T. status of both drives?

BEGIN
10 One of us two are stupid.
20 I am not stupid.
END

I know a lot about computers, forensics, data rescue, repairs, troubleshooting, administration. If WinPE would get to my wallet file, I would use it.Thank You, as I read Jack the Rapper documentation it might help. First I envisioned the JTR running under BAT file control, but now I also discovered software that takes wordlists directly and works with TrueCrypt and DiscCryptor under Windows. Now only the question is a good wordlist that contains my password from the password I remember and have written down.

OP

Here is an example to bruteforce your password with hashcat or Johntheripper:

1. Lets say the password is "Bitcoinlover184%"

The only part of the password you remember and are sure about is that it contained "bitcoinlover" and maybe you remember the lenght or approx lenght.


You could either use the mask attack like this ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a

This would find your password but you would need an Extreme amount of GPU power.

Rather, like i would do is implement a couple of statistically proven password rules and it would be this:


Dictonary + bruteforce attack

1. put bitcoinlover in wordlist

use masks on the password. For example:

?H?itcoinlover?d?d?d?a

This mask would crack the password very fast but is not realistic as we dont know all the Details of the password. This is just meant to show you how easy it can be to crack passwords.

I actually did that once (at work!): I stored the password to an encrypted container inside that encrypted container. Luckily I had a backup of the data.
And you'll still have to remember the password to the password manager

This is the sort of thing that I'd store in a password manage though. Just saying.

The disk image obviously is not something that should go in a password manager but particularly when you are dealing with random passwords, you are inevitably going to forget them so you need to save them somewhere.

Even passwords made from combinations of words that are otherwise easy to remember can be forgotten if you suddenly get distracted with other things.

That's how I enter most of my passwords too: I wouldn't be able to write them down, but I can easily enter them on a keyboard. And that brings me to my next question (small chance): have you tried a different keyboard? Or enter it 100 times in a text document, and see where you make common mistakes?

You have a very good memory if you can remember 28 or more random characters... 
You wrote that you relied on muscle memory, but it was damaged after injury?  Perhaps hypnosis will help you? 
An experienced hypnotist can mentally transport you back in time and “give you a verbal command” to enter the correct password.  Your muscle memory may be blocked, but it is not gone, so it is possible that you will be able to decrypt your computer.  And then the hypnotist will bring you out of the altered state and you will change the password to a new one (which you will write down in a paper notebook). 
In general, it seems that crypto enthusiasts very often lose access to their Bitcoin wallets precisely because of their paranoia, due to overly complex passwords that they forget. 
Because the story you told is not the only such case.

win pe as in Windows Preinstallation Environment? I don't see how it can help OP perform brute-force in order to decrypt the encrypted disk.

Have you tried using win pe to get the bitcoin file?

Since you said you enter it everyday for 1.5 years, i feel it's far more likely the header got corrupted. By header, i refer to section of the partition which store key needed to perform decryption[1]. Anyway, you might also want to ask for help on DiskCryptor GitHub or forum, since it's less popular than BitLocker or LUKS.

[1] https://diskcryptor.org/volume/

I probably did not enter it every day, but sometimes it went without entering the password for week, sometimes I entered the password multiple times per day when installing and rebooting. I am pretty confident it was at least 350 times over course of the usage of that computer. That unhappy day I hibernated the computer at morning, went to study, returned home, powered the computer but it refused my password I entered multiple times. That was stressful time in my life - study and exams, relationship issues, and that day I slipped on icy road and slightly hurt my leg (not head!). I entered the password mostly from muscle memory, because it was 28 or more random characters, upper and lower case, numbers and special symbols. As it turns out the brain is unreliable storage medium.

The incident happened 8 years ago. I left the computer as-is and counted the data as unrecoverable. Because I made it to be immune against seizing and decryption attempts by KGB, FBI, CIA and NSA. But now I want to restore the computer as it was because it is in very good physical condition and very great example of that era ( HP Pavilion dv8000) and I have the the disk images to play with and spare hardware to run brute force on.

Did you enter your password from memory every day for 1.5 years, that is, 547 times, and then forgot it?  Here we can say unequivocally - you REMEMBER your password. 
And in order to restore it, you will not need any additional software or a password written down after the “incident” occurred.  You need to work with your memory.  For example, completely restore the entire atmosphere of one of those 547 days when you remembered your password well and successfully decrypted your computer. 
Remember the exact time when you started working at the computer, the smells from the kitchen, your thoughts and moods at that moment, visual images - that is, everything that can mentally return you to that time.... 
In neurolinguistic programming these are called "anchors".  By activating the “anchors”, you can quite easily hack your own brain and extract the information you need from it. 
As a last resort, you can resort to the help of an appropriate specialist who knows similar techniques.