wallet.dat mode 11300: can make a hash from pywallet.py dump?

[james79]

Hello,

The example hash for -m 11300 Bitcoin/Litecoin wallet.dat is:

$bitcoin$96$d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d57d6d01a58399ea04e703e8bbb44899039326f7a00f171a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174$66$625882875480513751851333441623702852811440775888122046360561760525

Can anyone help with the format of this hash, and how I could construct one with output from pywallet.py?

As far as I know, $bitcoin$96$ I can just ignore for now.  (But what is the 96?)  Then:
d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d57d6d01a58399ea04e703e8bbb44899039326f7a00f171a7bbc854a54

is the encrypted master key.  Not sure what the $16$ part is.

Then 1563277210780230 is the salt, then 158555 is the iter count.  Is that correct so far? 

Note sure what $96$ after that is again.

Then there's:

628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174
$66$
625882875480513751851333441623702852811440775888122046360561760525

What are these parts?  Can I get them from the json output of a tool like pywallet.py that dumps encrypted wallet information?  Do these extra parts have something to do with the mkey or other parts of the wallet.dat, like an addr, compressed true/false, another encrypted private key, pubkey, and if so, what parts?

Thank you for any help, I'm trying to manually construct a hashcat compatible wallet.dat hash from information dumped from pywallet.py, which looks like this:

"mkey": {
        "encrypted_key": "encrypted key bytes", 
        "nDerivationIterations": 47923, # contrived example
        "nDerivationMethod": 0, 
        "nID": 1, 
        "otherParams": "", 
        "salt": "salt bytes"
    }, 


Would the other information be another somehow encrypted private key associated with an address in the wallet.dat, and maybe a pubkey?

Or can I just have a go at a hash that has an encrypted private key as above, iterations, salt?  What would I be missing out on if I didn't have any further information about the entire hash?  How would hashcat deal with the last parts

628835426818227243334570448571536352510740823233055715845322741625407685873076027233865346542174
$66$
625882875480513751851333441623702852811440775888122046360561760525


... as the example hash from the wiki?

Thank you for any help!

[james79]

Looks like the salt and iterations count are in decimal, is that right? They can't be provided in hex?

[philsmd]

it's the length of the next field. e.g the length of d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d57d6d01a58399ea04e703e8bbb44899039326f7a00f171a7bbc854a54 is 96 hexadecimal characters.

Please use bitcoin2john.py to generate the hash or troubleshoot it

[james79]

it's the length of the next field. e.g the length of d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d57d6d01a58399ea04e703e8bbb44899039326f7a00f171a7bbc854a54 is 96 hexadecimal characters.

Please use bitcoin2john.py to generate the hash or troubleshoot it

Thanks Phil.

That was very useful.  I'll have a hack on some tools like bitcoin2john and try to get a better understanding.

I would like to manually build a hash that hashcat can work on if I have the output from a tool like john2bitcoin, or pywallet (where the wallet is encrypted).  Manually put it together.  Still not sure because there's no doc I can find on how the hash is put together after the priv key, salt, iterations.  (Will check bitcoin2john.py and see if I can figure it out).

I'm actually not sure if there's any difference at all trying to crack the hash, encrypted wallet or not encrypted.  Presumably the hash is meant for keys that are not encrypted, but I don't know.