@philsmd Thank you so much for your support. I think I start understand a bit better now how to work well with hashcat and how to test and write rules.
Unfortunately when I searched for my word list while prepending the BOM bits '^\xfe ^\xff' (UTF-8 BOM bits) and '^\xff ^\xff' (UTF16 BOM bits), I did not get hit. Meaning there are probably other newline characters prepended or appended in the password. I know the password was copied from a text file on Windows hence, I am pursuing this angle.
Based on the example you provide, I assume that when \x is encountered in a rule or mask, it indicates that a hexadecimal characters follow?
I create a rule set that should look for all possible BOM bits prepended as well as all possible white new line characters prepended or appended, see below:
#####################################################################################
## Rule set to look for passwords with BOM bits and prepended or appended white space characters
#####################################################################################
## BOM Bits UTF-8 and UTF16
^\xfe ^\xff
^\xff ^\xff
## New line characters https://en.wikipedia.org/wiki/Newline
## Prepend all new line characters from ASCII, ATASCII, EBCDIC, non-ASCII character set
^\x0A
^\x0A ^\x0D
^\x0D
^\x1E
^\x0D ^\x0A
^\x9B
^\x15
^\x76
## Append all new line characters from ASCII, ATASCII, EBCDIC, non-ASCII character set
$\x0A
$\x0D $\x0A
$\x0D
$\x1E
$\x0A $\x0D
$\x9B
$\x15
$\x76
#########################################################################
Since I did not find the password yet, I create a prepend and append rule to combine having both invisible, white space characters and BOM bits prepended as well as appended. They can simply be run like:
hashcat -m 15700 -a0 hashcode.txt pwdlist.txt -w3 --status --status-timer=5 -r rules/bom-bit-newline-characters-prepepend.rule rules/bom-bit-newline-characters-append.rule
In my case the password is used for a My Ether Wallet, hence -m 15700, be sure to change if you have another hash type to crack.
I attached the two rule sets to the original (first post to this thread, replace the file extentions '.txt.' with '.rule') in case any one else would ever encounter a similar issue and might need them. I think this is the case, especially since apparently pre-sold Ethereum wallets more often had the issue that they included hidden characters and white space characters in the password used for encrypting the wallet file:
1) bom-bit-newline-characters-prepend.rule
2) bom-bit-newline-characters-append.rule
Unfortunately when I searched for my word list while prepending the BOM bits '^\xfe ^\xff' (UTF-8 BOM bits) and '^\xff ^\xff' (UTF16 BOM bits), I did not get hit. Meaning there are probably other newline characters prepended or appended in the password. I know the password was copied from a text file on Windows hence, I am pursuing this angle.
Based on the example you provide, I assume that when \x is encountered in a rule or mask, it indicates that a hexadecimal characters follow?
I create a rule set that should look for all possible BOM bits prepended as well as all possible white new line characters prepended or appended, see below:
#####################################################################################
## Rule set to look for passwords with BOM bits and prepended or appended white space characters
#####################################################################################
## BOM Bits UTF-8 and UTF16
^\xfe ^\xff
^\xff ^\xff
## New line characters https://en.wikipedia.org/wiki/Newline
## Prepend all new line characters from ASCII, ATASCII, EBCDIC, non-ASCII character set
^\x0A
^\x0A ^\x0D
^\x0D
^\x1E
^\x0D ^\x0A
^\x9B
^\x15
^\x76
## Append all new line characters from ASCII, ATASCII, EBCDIC, non-ASCII character set
$\x0A
$\x0D $\x0A
$\x0D
$\x1E
$\x0A $\x0D
$\x9B
$\x15
$\x76
#########################################################################
Since I did not find the password yet, I create a prepend and append rule to combine having both invisible, white space characters and BOM bits prepended as well as appended. They can simply be run like:
hashcat -m 15700 -a0 hashcode.txt pwdlist.txt -w3 --status --status-timer=5 -r rules/bom-bit-newline-characters-prepepend.rule rules/bom-bit-newline-characters-append.rule
In my case the password is used for a My Ether Wallet, hence -m 15700, be sure to change if you have another hash type to crack.
I attached the two rule sets to the original (first post to this thread, replace the file extentions '.txt.' with '.rule') in case any one else would ever encounter a similar issue and might need them. I think this is the case, especially since apparently pre-sold Ethereum wallets more often had the issue that they included hidden characters and white space characters in the password used for encrypting the wallet file:
1) bom-bit-newline-characters-prepend.rule
2) bom-bit-newline-characters-append.rule