[METAMASK] Syntax help
#1
Hi all,
I need to recover my password from Metamask.
I have the vault string, with data, salt, and iv
Could you please explain the syntax ?
Many thanks !

NB if someone has a bunch of powerful computers to help me i can give a reward if success
Reply
#2
The format of the hash line of -m 26600 = MetaMask Wallet is:

Code:
$metamask$[BASE64encodedSALT]$[BASE64encodedIV]$[BASE64encodedData]

The data (BASE64encodedData) is the encrypted data and the encryption/decryption authentication tag that the encryption algorithm uses (AES GCM).

see: https://github.com/hashcat/hashcat/blob/...600.pm#L75

and examples of how to extract the data, how the algorithm works and the full discussion about the MetaMask Wallet here: https://github.com/hashcat/hashcat/issue...-871947852
Reply
#3
Thanks for your answer.
Is it a regular base64 encode ?
I tried with the exemple here :

{data:wM+CSmCIIlaofXHPxCRFqbcPvEDZESBYM1XdAE8VFanedCIXvDEEt15nhzdv1pqzkW0MCQDBA5T1W1/Ltg7lKBszkoJJ1PtVHOpTn/afhvLyIp2VBBV1Tuj4s8LGo2GM9KOHn1Hn5BC1YhjP56opGrJlsIT9qnuGYHT8EtA5IiHP4zB4fwgGqDhtX+QUJi4rdm+apXZ1DpRvDq5J+bCca2GHXzU5H57Esn3THPXev3RdlkmjhuXVjV8=,iv:ejhZW94EsJZ049Sb/at0Xg==,salt:jgW3gi0eyPtXXguqMzi6uGyuR6m+lgQXw8onqivK5w0=}

It gives me this hash line once encoded :

$metamask$amdXM2dpMGV5UHRYWGd1cU16aTZ1R3l1UjZtK2xnUVh3OG9ucWl2SzV3MD0=$ZWpoWlc5NEVzSlowNDlTYi9hdDBYZz09$d00rQ1NtQ0lJbGFvZlhIUHhDUkZxYmNQdkVEWkVTQllNMVhkQUU4VkZhbmVkQ0lYdkRFRXQxNW5oemR2MXBxemtXME1DUURCQTVUMVcxL0x0ZzdsS0JzemtvSkoxUHRWSE9wVG4vYWZodkx5SXAyVkJCVjFUdWo0czhMR28yR005S09IbjFIbjVCQzFZaGpQNTZvcEdySmxzSVQ5cW51R1lIVDhFdEE1SWlIUDR6QjRmd2dHcURodFgrUVVKaTRyZG0rYXBYWjFEcFJ2RHE1SitiQ2NhMkdIWHpVNUg1N0VzbjNUSFBYZXYzUmRsa21qaHVYVmpWOD0=

One lauched in hashcat, it gives me a "token length exception" error.
No problem however with the example given here : https://hashcat.net/wiki/doku.php?id=example_hashes
Do you know why ?
Many thanks !
Reply
#4
According to the forum rules, you are not allowed to post hashes here: https://hashcat.net/forum/announcement-2.html

It's even worse that you didn't mention where this example comes from and what the password is etc... Doing stuff like this can lead to a permanent ban of your account, so you shouldn't do this.

The JSON file does already contain base64 encoded "values"/fields. That means that the IV of ejhZ.... is already in base64 format, the salt of jgW3.... is already base64 encoded and the data part wM+C... is already a base64 string... you don't need to manipulate, nor encode, them again and again (I only said it's base64 because other hashes that hashcat supports are sometimes hexadecimal instead of base64... that was just a clarification of the format, not really a instruction that you need to manipulate them).

So the hash would need to look something like this (with the ... of course replaced with the remaining part of that JSON value):

Code:
$metamask$jgW3...$ejhZ....$wM+C...

Please make sure you replace the fields with the full string (again, it's not allowed to post non-masked hashes in this forum)
Reply
#5
Hi, ok thanks ! But the example came from your own link given previously on this topic : https://github.com/hashcat/hashcat/issue...-871947852 (first message).
Reply
#6
so the password seems to be "mysecretpassword" (without quotes) and the JSON data and example itself seems to be an example hash posted by a github user that requested this new algorithm (github issue).
Reply
#7
Yes, thats it.
I have a "integer overflow errror" in keyspace of mask ( l?l?l?l?l?l?l?l?l?l?l?l?l?l?l ) perhaps because it's too long, i guess.
Reply
#8
Silly question. How do I extract hash/data from chrome metamask to test this?
Reply
#9
hi, What will the -m 26600 return? the password or the seed phrases?
in the vault decryptor it will return the seed phrases but you should add the password in there
https://metamask.github.io/vault-decryptor/

what about here?
Reply