Trying to recover a blockchain.info wallet

[jennifer4682]

Hey guys as the title says i'm trying to recover a blockchain.info wallet password . But before starting to use hashcat, i need to convert the wallet.aes.json to a hash file. so i'm using the following johntheripper script: 

https://github.com/magnumripper/JohnTheR...in2john.py

The output of the script is:
wallet.aes.json:$blockchain$v2$5000$1184$...ddc40e6979055eb129fb97e3e83d642ffc4f68fe5a441c95d7eb0822ff99dcbf4b978c2...   

it's 2368 char after $
Is that amount char normal? Can hashcat handle it?

[undeath]

why do you ask if hashcat can handle it instead of simply trying if hashcat can handle it?

[jennifer4682]

I actually tried and searched the forum before posting but i'm struggling like the guys on this thread: https://hashcat.net/forum/thread-8207.html?
All i get is the result of exhausted even with a test account.

[undeath]

What hardware are you using? Can you try with the beta version? https://hashcat.net/beta/

[jennifer4682]

What hardware are you using? Can you try with the beta version? https://hashcat.net/beta/

I'm using a Ryzen 5 2600 cpu with an RX580 8Gb GPU. I didn't had any problems with Hashcat detecting and using my GPU. 


The beta version still displays the same behavior. It just ignores the password in both straight and brute-force methods showing the result of "Exhausted". While both the stable and beta versions did crack successfully a bitcoin wallet.dat using -m 11300 on both straight and brute-force methods.

I did some research and found something interesting. And funny enough it was posted by yourself.

Link: https://hashcat.net/forum/thread-7498-po...l#pid40352

[undeath]

Note that post is about v1 blockchain wallets only. I don't know if it applies to v2 wallets as well. And if the hash gets loaded excessive data length should make no difference in cracking a v2 hash.

Can you successfully crack the example blockchain v2 hash from https://hashcat.net/wiki/doku.php?id=example_hashes ?

[jennifer4682]

Note that post is about v1 blockchain wallets only. I don't know if it applies to v2 wallets as well. And if the hash gets loaded excessive data length should make no difference in cracking a v2 hash.

Can you successfully crack the example blockchain v2 hash from https://hashcat.net/wiki/doku.php?id=example_hashes ?

Yes, i tried in both modes, it cracks the blockchain v2 very well!!

[philsmd]

maybe it has something to do with this: https://github.com/hashcat/hashcat/commi...4ee0620076

The validation check is only searching for some specific pattern... we would need to know what your decrypted file starts with, currently supported patterns are (see https://github.com/hashcat/hashcat/issue...-469038973):
- "guid"
- "tx_no
- "share
- "addre
- "doubl
- "keys"

I'm pretty sure this huge number of possibilities comes from the fact that for json it doesn't really matter which keys come first (as long as they are in the json object)... so it is somehow shuffle.... the problem is that if some pattern is completely missing in the cracker/hashcat, it doesn't validate correctly.

We would need that pattern, if it's really missing... or come up with a better strategy alltogether (but it's not easy to come up with a good plan... maybe a entropy check or a search for specific character sets (e.g. non-binary data. should contain : and " etc) would be also enough, but could lead to false positives )

[jennifer4682]

I tried to make the hashfile again from scratch using blockchain2john.py and now hashcat beta returns an actual error:

Hash 'myhash.txt': Token length exception
No hashes loaded.

[undeath]

that just means hashcat can't find the myhash.txt file