Mask Attack with a "blank" value?
#31
Ahhh okay, now I see it working properly when I paste the output value in a translator. I can see the hex being converted to a string.

This should start to look pretty good, yes?

Code:
#####################################################################
# Custom Attack Mask for (presale) Ethereum Wallets
# Specific Task: CHECK FOR HIDDEN ASCII CHARACTERS! These may have been added incidentally
# -------------------
# By AndrewNormore@Gmail.com
# -------------------
# ?1 = 0d0a = Carriage Return, Line Feed, etc
# ?2 = 203031323334353637383921402324255e262a = 0123456789!@#$%^&* and a space!
# EFBBBF = This really weird combo of hex characters called UTF-8 Byte order mark (UTF-8 BOM)
# 457468657265756d = the word "Ethereum" in Hex -- replace this with your password in hex
# ------
# Cool Tools:
# Ascii tables: http://www.asciitable.com/ Use this for your line feed and carriage return stuff
# Text to Hex converter (for your password): https://www.browserling.com/tools/text-to-hex
# Hex to text converter (to verify your hex output is making sense!) https://codebeautify.org/hex-string-converter
# ------
# Discussions:
# Ethereum GitHub: https://github.com/ethereum/mist/issues/3513
# Hashcat: https://hashcat.net/forum/thread-7181.html
#####################################################################

#####################################################################
# NO PREPEND
#####################################################################

# One Line Return
0d0a,203031323334353637383921402324255e262a,457468657265756d
0d0a,203031323334353637383921402324255e262a,457468657265756d?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?2?2?2?1

# Two Line Returns
0d0a,203031323334353637383921402324255e262a,457468657265756d?1?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?1?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?1?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,457468657265756d?2?2?2?2?2?2?1?1

# One Line Returns + BOM
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?2?2?2?1

# Two Line Returns + BOM
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF457468657265756d?2?2?2?2?2?2?1?1

#####################################################################
# 1 PREPEND
#####################################################################

0d0a,203031323334353637383921402324255e262a,?2457468657265756d
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?2?2?2?1

0d0a,203031323334353637383921402324255e262a,?2457468657265756d?1?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?1?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2457468657265756d?2?2?2?2?2?2?1?1

0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?2?2?2?1

0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2457468657265756d?2?2?2?2?2?2?1?1

#####################################################################
# 2 PREPEND
#####################################################################

0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?2?2?2?1

0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?1?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?1?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,?2?2457468657265756d?2?2?2?2?2?2?1?1

0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?2?2?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?2?2?2?1

0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?2?2?1?1
0d0a,203031323334353637383921402324255e262a,EFBBBF?2?2457468657265756d?2?2?2?2?2?2?1?1
Reply
#32
I believe I have discovered steps to reproduce this Ethereum error:

https://github.com/ethereum/mist/issues/3513

See here for my post and screenshots. If you indeed copy and paste a password containing character returns, it will generate a wallet file that includes those characters.
Reply
#33
Great work Solace. So from here we just need to run rule attacks with various character returns?

Any idea how you’d input character returns into a mask file / rule set?
Reply
#34
Yes, I have it successfully running as a Mask in the rule set above :)

Copy, paste, modify. Good luck..

I didn't have any luck tonight, because perhaps there are still additional characters that may be inserted.
Reply
#35
I think I could have simply done this:

?1?1?1?1?1?1?1?1?1?1?1?1PASSWORD?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

And then used --increment-min 10 --increment-max 30

I think this would have achieved the same thing without 500 lines in the Mask
Reply
#36
I don't think that this mask would help or even be correct.
What -a 3 -1 charset --increment --increment-min 10 --increment-max 30
?1?1?1?1?1?1?1?1?1?1?1?1PASSWORD?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

means is that hashcat will use the charset defined by --custom-charset1 (or short -1, "dash one") and increment the mask starting with length 10 e.g. if we convert that to a hcmask file it would be something like this:
Code:
charset,?1?1?1?1?1?1?1?1?1?1
charset,?1?1?1?1?1?1?1?1?1?1?1
charset,?1?1?1?1?1?1?1?1?1?1?1?1
charset,?1?1?1?1?1?1?1?1?1?1?1?1P
charset,?1?1?1?1?1?1?1?1?1?1?1?1PA
charset,?1?1?1?1?1?1?1?1?1?1?1?1PAS
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASS
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASSW
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASSWO
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASSWOR
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASSWORD
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASSWORD?1
...
charset,?1?1?1?1?1?1?1?1?1?1?1?1PASSWORD?1?1?1?1?1?1?1?1?1?1

note: this is completely different to the strategy/plan that we used above.
The mask will of course stop after the length of the password candidates reached 30 (included).
Furthermore: the masks soon become infeasible to brute-force. Depending on the charset (--custom-charset1 or short -1) the keyspace of the single masks will soon become way too huge and hashcat will also complain (e.g. about 64-bit integer limits and overflow risk, because it will just be an infeasibly huge keyspace).

I don't think that you understood --increment and the other parameters correctly. Please have a look at https://hashcat.net/wiki/doku.php?id=mask_attack for details on how masks work.

Again, I still think that the best strategy is to use some well working rules and dictionaries. Brute-forcing should be only used as a last desperate option (and even if you use it you should have a good strategy, feasibility is very important!).
Reply
#37
Ahh okay, that's what I had thought, thanks for clarifying.

Currently I have a pretty solid brute force character set, which only has 5 possible characters, so it's running insanely fast.

Code:
057!@,?1?1?1?1?1?1?1?1?1?1PASSWORD?1?1?1?1?1?1?1?1?1?1

For example. It hasn't gotten here, but this is the longest one.
Reply
#38
This type of attack makes no sense to me. You are basically just trying some combinations of the characters "0", "5", "7", "!" and "@" (together with --increment right?).
hashcat will generate password candidates without the constant string PASSWORD first (this depends on how large the --increment-min parameter is), after that it will include P, PA, PAS, PASS, PASSW, PASSWO, PASSWOR and finally PASSWORD *exactly* at position 11 and afterwards (if all those masks were already done, this could take very long), it will also append a varying couple of appended chars from the charset.

it basically does this:
1. test all combinations of the characters "0", "5", "7", "!" and "@" of length specified with --increment-min (PASSWORD is not yet involved, depending on the --increment-min value)
2. test all combinations of the characters "0", "5", "7", "!" and "@" of length specified with --increment-min + 1 (again, PASSWORD might not be involved at all)
3. test all combinations of the characters "0", "5", "7", "!" and "@" of length specified with --increment-min + 2 (again, PASSWORD might not be involved at all)
...
x. test all combinations of the characters "0", "5", "7", "!" and "@" of length 10 and append the first character of "PASSWORD", i.e. append "P" (10 characters from charset + "P")
x+1. test all combinations of the characters "0", "5", "7", "!" and "@" of length 10 and append the first two characters of "PASSWORD", i.e. append "PA" (10 characters from charset + "PA")
...
y. test all combinations of the characters "0", "5", "7", "!" and "@" of length 10, append "PASSWORD" and append 1 character from the charset (either "0", "5", "7", "!" or "@")
y+1. test all combinations of the characters "0", "5", "7", "!" and "@" of length 10, append "PASSWORD" and append 2 characters from the charset (either "0", "5", "7", "!" or "@")
...


as you can see, this type of attack only would make sense if you know that:
1. "PASSWORD" might not be involved at all (depending on the --increment-min value)
2. the length of the prefix before "PASSWORD" is constant (always 10 characters before "PASSWORD"), only the length after "PASSWORD" varies

It's very unusual to generate password candidates like this. Normally you would want to always involve the fixed string (if there is any) and the expansion should normally be done (if you have a set of custom charset around - before and after - a constant string) on either side, i.e. normally you would do something like this with hashcat mask files:
Code:
PASSWORD?1
?1PASSWORD
?1PASSWORD?1

PASSWORD?1?1
?1?1PASSWORD
?1?1PASSWORD?1?1

?1PASSWORD?1?1
?1?1PASSWORD?1
...

with a strategy like this, we would always involve PASSWORD and expand the constant string on one or the other (or both) sides. In my opinion, this would make much more sense.
Of course, I'm not saying that mask attack should be used here... because it might be better to use a different attack type (dict + rules?).... but I'm just saying I'm still not convinced that your password generation looks correct (it seems weird to me that PASSWORD is not always involved and that the prefix is of fixed length... or you must be very sure about the length of the prefix if you run such an attack).
Reply
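Added example, not written by any poster in this thread: a Python sketch of the two expansions contrasted in posts #36 and #38, using the mask and the 5-character charset from post #37. The function names are hypothetical, and the left-to-right truncation model for --increment is taken from the description in post #36.

```python
import re

# One mask position is a placeholder such as ?1 or ?d, an escaped ??, or a literal.
TOKEN = re.compile(r"\?.|.", re.S)

def tokenize(mask):
    """Split a hashcat mask into per-position tokens."""
    return TOKEN.findall(mask)

def increment_masks(mask, inc_min, inc_max):
    """Masks tried under --increment: the full mask cut to each length, left to right."""
    toks = tokenize(mask)
    top = min(inc_max, len(toks))
    return ["".join(toks[:n]) for n in range(inc_min, top + 1)]

def keyspace(mask, charset_sizes):
    """Candidates for one mask; charset_sizes maps the placeholder letter to its size."""
    total = 1
    for tok in tokenize(mask):
        if tok.startswith("?") and tok != "??":
            total *= charset_sizes[tok[1]]
    return total  # literal positions contribute a factor of 1

def anchored_masks(word, max_pad):
    """Strategy from post #38: always keep the constant string, pad either side."""
    out = []
    for total in range(1, 2 * max_pad + 1):  # fewest padded positions first
        for pre in range(total + 1):
            post = total - pre
            if pre <= max_pad and post <= max_pad:
                out.append("?1" * pre + word + "?1" * post)
    return out

if __name__ == "__main__":
    mask = "?1" * 10 + "PASSWORD" + "?1" * 10  # mask from post #37
    sizes = {"1": 5}                            # custom charset 057!@
    print("--increment expansion (keyspace, mask):")
    for m in increment_masks(mask, 8, 28):
        print(f"{keyspace(m, sizes):>18,}  {m}")
    print("anchored expansion (keyspace, mask):")
    for m in anchored_masks("PASSWORD", 2):
        print(f"{keyspace(m, sizes):>18,}  {m}")
```

The first listing shows how many incremented masks never contain the full constant string and how quickly the keyspace grows; the second always contains it, and its lines can be written to an hcmask file with the charset prefix used elsewhere in the thread.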