06-09-2023, 01:12 PM
Hello everyone. I was re-organizing my home when I came across an hdd containing my old eth presale .json file (Not life changing amount but still great to take…). Got few hints of the password but the wordlist is going be huge ... I took a look at jhontheripper hash extracter but I have seen that the hash is revealing (meaning that the hash contain the whole seed pharse of the wallet ... I have a correct level in python and perl and I really like learning and I have a lot of spare-time for the next months coming ...
On the security side a revealing hash is bad. I know many guys who have some cheap server I would like to be able to run some of the wordlist/rules on their server. I spend hours looking at the few ressources that are online. And thanks to philsmd great work that I saw here https://github.com/hashcat/hashcat/issues/1279 .I think I understand the decrypt process. I also find the issue on git about making safe hash extraction for eth https://github.com/openwall/john/issues/3130. From the hashcat issue I see that the -m 16300 is pretty similar to the -m 15600 and from the openwall issue I can see that there could be a way using padding (which I don't really get) to make safe hash extraction of this -m 15600 hash.
Although at the end the solardiz is saying that this could potentially not work for eth presale type ...
To summarize and to get all the info I can confirm that the .json file of the eth presale is looking like this :
Although at the end the solardiz is saying that this could potentially not work for eth presale type ...
To summarize and to get all the info I can confirm that the .json file of the eth presale is looking like this :
Code:
{ "bkp": 64 chars, "btcaddr": 34 chars, "email":email@gmail.com, "encseed": 1248 chars, "ethaddr": 40 chars }
And thanks to philsmd post I can say that the actual decryption algorithm should be something like this :
The algorithm is very easy. sha3 (aes_256_cbc_decrypt (pbkdf2 ($pass, $pass, 2000), $iv, $encseed) . "\x02")
So basically we just extract the first 16 bytes (0-15) from the "encseed" field which we use as the initialization vector (iv) for the AES-256-CBC decryption, the remaining bytes (starting from byte 16) we use as the encrypted seed. The key for the AES-256-CBC decrytion is generated by using the user password as salt AND pass and use 2000 iterations of pbkdf2-hmac-sha256. The final hash is just a sha3/keccak hash of the seed (the decrypted encseed from the AES decrytion mentioned above).
Also from the code I see that we can only use the first half of the bkp to verify the matching of the seed hash to the bkp (only 32 characters long vs 64 characters long in the .json).
Code:
my $bkp = pack ("H*", "74fdb879ece341dd590a769f2cd39d67");
So basically after all of this I am thinking of 4 ways to make this "SAFE" hash extractor and the hashcat code associated :
- Using only a part of the of the encseed to generate a part of the bkp but i'm not sure it could work due to the way aes is working.
- Using the padding stuff (would really appreciate any links to learn more ) mentionned here by solardiz
- Try to build something https://github.com/philsmd/7z2hashcat but for the presale wallet
- Encrypt every part of the json with a really strong 64 char (or more) random password but a low computation time algorithms to not slow too much the process. But I'm unusure if encrypting it another time will allow the decryption to find the password of the first encryption...
If you have any idea that can help me or any opinion on the ways describe above (I'm still a big newbie in encryption so I can say some stupid stupid stuff). Also if you have some recommandation for me after reading my post don't hesitate to send me some links.
BIG thanks to all the admin and contributor of hashcat and Jtr.