Ethereum json file and ethereum aes.json file
#1
I want to recover password from ETH wallet - json file and aes.json, but unfortunately it doesn't work with mode 15700 (and every other modes used for ETH), i have an error that says "no hashes loaded". Can you help me, do you know what method, mode will be good in this case?
Reply
#2
Please post the full error message / hashcat output and not only part of it.
Reply
#3
Hashfile 'hashcode.txt' on line 1 ($ether...1dcba78378cb6b3b34315c6460b397ca): Token length exception
No hashes loaded.
Reply
#4
You have 3 modes for eth (15600, 15700, 16300).
Did you choose the good one?
Reply
#5
Yes, i tried all of this modes and everytime i have the same error.
Reply
#6
please test the example hashes from https://hashcat.net/wiki/doku.php?id=example_hashes

try to make the example hashes work and also try to crack the hashes with password hashcat

after everything works with the example hashes, try to check what kind of hash your target hash is (the signature, start is important like $ethereum$s* ) and after that try to construct a similar hash with fields of the example hash modified with your info.

We for instance got a similar request a few weeks/months ago and the fields / hash wasn't even with valid hexadecimal data (for instance "x" as a hexadecimal char etc)... this hash was for sure tampered / modified, because the ethereum client doesn't generate .json files like this that do not even encode the raw data correctly into hexadecimal data. So my suggestion is to first try the example hashes and after that create a modified example hash (example_mod.txt where you replace the single field delimited by * with the data of your target hash and see when it stops working).



update: doing some little more research, I think it could have to do with this go-ethereum missing padding behaviour that seemed to be present in some/several very old geth (go-ethereum) versions that had (depending on the bytes in the "output", problem of zero-bytes + missing padding) shorted "ciphertext" fields: https://github.com/ethereum/go-ethereum/...r.json#L49 and https://github.com/ethereum/go-ethereum/...r.json#L73 ).

I think a problem here is that you can NOT really pad them manually without changing the algorithm (by adding some 00 at the start), because I think the input that is used to verify and compute the mac etc also uses the "wrong" input (so basically 2 "problems", not just the missing 00-padding to a fixed size in the JSON output)

also see: https://github.com/ethereum/go-ethereum/pull/3032 and https://github.com/hashcat/hashcat/issues/2017 (it's interesting that I did open this issue, but didn't really remember opening it or any details, but at least I did document it quite well, fortunately ).

It would make sense that you at least test/see if this is really the problem also for you, i.e. the ciphertext length shorter than 32 bytes... otherwise we can't really proceed here (without knowing if you are affected by this < 32 byte ciphertext padding bug)
Reply
#7
I think a diff (patch) to the source code like this could work in the case of shorter ciphertext length and therefore solve the github issue #2017 on https://github.com/hashcat/hashcat/issues/2017 :

patch_ethereum_15700_github_2017_base64.diff
Code:
ZGlmZiAtLWdpdCBhL09wZW5DTC9tMTU3MDAtcHVyZS5jbCBiL09wZW5DTC9tMTU3MDAtcHVyZS5jbAppbmRleCBjM2UzMmZhZTkuLjg0ZWY2ZGQ1NCAxMDA2NDQKLS0tIGEvT3BlbkNML20xNTcwMC1wdXJlLmNsCisrKyBiL09wZW5DTC9tMTU3MDAtcHVyZS5jbApAQCAtNDQsNyArNDQsOSBAQCBpbmxpbmUgX19kZXZpY2VfXyB1aW50NCByb3RhdGUgKGNvbnN0IHVpbnQ0IGEsIGNvbnN0IGludCBuKQogdHlwZWRlZiBzdHJ1Y3QgZXRoZXJldW1fc2NyeXB0CiB7CiAgIHUzMiBzYWx0X2J1ZlsxNl07Ci0gIHUzMiBjaXBoZXJ0ZXh0WzhdOworICB1MzIgY2lwaGVydGV4dFs5XTsKKworICB1MzIgY2lwaGVydGV4dF9sZW47CiAKIH0gZXRoZXJldW1fc2NyeXB0X3Q7CiAKQEAgLTU5OSw3ICs2MDEsNyBAQCBLRVJORUxfRlEgdm9pZCBtMTU3MDBfY29tcCAoS0VSTl9BVFRSX1RNUFNfRVNBTFQgKHNjcnlwdF90bXBfdCwgZXRoZXJldW1fc2NyeXB0XwogICAgKiBrZWNjYWsKICAgICovCiAKLSAgdTMyIGNpcGhlcnRleHRbOF07CisgIHUzMiBjaXBoZXJ0ZXh0WzldOwogCiAgIGNpcGhlcnRleHRbMF0gPSBlc2FsdF9idWZzW0RJR0VTVFNfT0ZGU0VUXS5jaXBoZXJ0ZXh0WzBdOwogICBjaXBoZXJ0ZXh0WzFdID0gZXNhbHRfYnVmc1tESUdFU1RTX09GRlNFVF0uY2lwaGVydGV4dFsxXTsKQEAgLTYwOSw2ICs2MTEsNyBAQCBLRVJORUxfRlEgdm9pZCBtMTU3MDBfY29tcCAoS0VSTl9BVFRSX1RNUFNfRVNBTFQgKHNjcnlwdF90bXBfdCwgZXRoZXJldW1fc2NyeXB0XwogICBjaXBoZXJ0ZXh0WzVdID0gZXNhbHRfYnVmc1tESUdFU1RTX09GRlNFVF0uY2lwaGVydGV4dFs1XTsKICAgY2lwaGVydGV4dFs2XSA9IGVzYWx0X2J1ZnNbRElHRVNUU19PRkZTRVRdLmNpcGhlcnRleHRbNl07CiAgIGNpcGhlcnRleHRbN10gPSBlc2FsdF9idWZzW0RJR0VTVFNfT0ZGU0VUXS5jaXBoZXJ0ZXh0WzddOworICBjaXBoZXJ0ZXh0WzhdID0gZXNhbHRfYnVmc1tESUdFU1RTX09GRlNFVF0uY2lwaGVydGV4dFs4XTsKIAogICB1MzIga2V5WzRdOwogCkBAIC02MjUsNyArNjI4LDcgQEAgS0VSTkVMX0ZRIHZvaWQgbTE1NzAwX2NvbXAgKEtFUk5fQVRUUl9UTVBTX0VTQUxUIChzY3J5cHRfdG1wX3QsIGV0aGVyZXVtX3NjcnlwdF8KICAgc3RbIDNdID0gaGwzMl90b182NF9TIChjaXBoZXJ0ZXh0WzNdLCBjaXBoZXJ0ZXh0WzJdKTsKICAgc3RbIDRdID0gaGwzMl90b182NF9TIChjaXBoZXJ0ZXh0WzVdLCBjaXBoZXJ0ZXh0WzRdKTsKICAgc3RbIDVdID0gaGwzMl90b182NF9TIChjaXBoZXJ0ZXh0WzddLCBjaXBoZXJ0ZXh0WzZdKTsKLSAgc3RbIDZdID0gMHgwMTsKKyAgc3RbIDZdID0gaGwzMl90b182NF9TICggICAgICAgICAgICAwLCBjaXBoZXJ0ZXh0WzhdKTsKICAgc3RbIDddID0gMDsKICAgc3RbIDhdID0gMDsKICAgc3RbIDldID0gMDsKZGlmZiAtLWdpdCBhL3NyYy9tb2R1bGVzL21vZHVsZV8xNTcwMC5jIGIvc3JjL21vZHVsZXMvbW9kdWxlXzE1NzAwLmMKaW5kZXggYjU0YjkyMmI4Li5lMGMzYjI1NzMgMTAwNjQ0Ci0tLSBhL3NyYy9tb2R1bGVzL21vZHVsZV8xNTcwMC5jCisrKyBiL3NyYy9tb2R1bGVzL21vZHVsZV8xNTcwMC5jCkBAIC00Niw3ICs0Niw5IEBAIGNvbnN0IGNoYXIgKm1vZHVsZV9zdF9wYXNzICAgICAgICAoTUFZQkVfVU5VU0VEIGNvbnN0IGhhc2hjb25maWdfdCAqaGFzaGNvbmZpZywKIHR5cGVkZWYgc3RydWN0IGV0aGVyZXVtX3NjcnlwdAogewogICB1MzIgc2FsdF9idWZbMTZdOwotICB1MzIgY2lwaGVydGV4dFs4XTsKKyAgdTMyIGNpcGhlcnRleHRbOV07CisKKyAgdTMyIGNpcGhlcnRleHRfbGVuOwogCiB9IGV0aGVyZXVtX3NjcnlwdF90OwogCkBAIC0zMzcsNyArMzM5LDcgQEAgaW50IG1vZHVsZV9oYXNoX2RlY29kZSAoTUFZQkVfVU5VU0VEIGNvbnN0IGhhc2hjb25maWdfdCAqaGFzaGNvbmZpZywgTUFZQkVfVU5VU0UKICAgICAgICAgICAgICAgICAgICB8IFRPS0VOX0FUVFJfVkVSSUZZX0hFWDsKIAogICB0b2tlbi5zZXBbNV0gICAgID0gJyonOwotICB0b2tlbi5sZW5fbWluWzVdID0gNjQ7CisgIHRva2VuLmxlbl9taW5bNV0gPSAzMjsKICAgdG9rZW4ubGVuX21heFs1XSA9IDY0OwogICB0b2tlbi5hdHRyWzVdICAgID0gVE9LRU5fQVRUUl9WRVJJRllfTEVOR1RICiAgICAgICAgICAgICAgICAgICAgfCBUT0tFTl9BVFRSX1ZFUklGWV9IRVg7CkBAIC0zODksMTUgKzM5MSwxNyBAQCBpbnQgbW9kdWxlX2hhc2hfZGVjb2RlIChNQVlCRV9VTlVTRUQgY29uc3QgaGFzaGNvbmZpZ190ICpoYXNoY29uZmlnLCBNQVlCRV9VTlVTRQogICAvLyBjaXBoZXJ0ZXh0CiAKICAgY29uc3QgdTggKmNpcGhlcnRleHRfcG9zID0gdG9rZW4uYnVmWzVdOworICBjb25zdCBpbnQgY2lwaGVydGV4dF9sZW4gPSB0b2tlbi5sZW5bNV07CisKKyAgaWYgKChjaXBoZXJ0ZXh0X2xlbiAlIDIpICE9IDApIHJldHVybiAoUEFSU0VSX0hBU0hfTEVOR1RIKTsKKworICB1OCAqY2lwaGVydGV4dF9wdHIgPSAodTggKikgZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0OworCisgIGNvbnN0IGludCBjaXBoZXJfbGVuID0gaGV4X2RlY29kZSAoY2lwaGVydGV4dF9wb3MsIGNpcGhlcnRleHRfbGVuLCBjaXBoZXJ0ZXh0X3B0cik7CiAKLSAgZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0WzBdID0gaGV4X3RvX3UzMiAoKGNvbnN0IHU4ICopICZjaXBoZXJ0ZXh0X3Bvc1sgMF0pOwotICBldGhlcmV1bV9zY3J5cHQtPmNpcGhlcnRleHRbMV0gPSBoZXhfdG9fdTMyICgoY29uc3QgdTggKikgJmNpcGhlcnRleHRfcG9zWyA4XSk7Ci0gIGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dFsyXSA9IGhleF90b191MzIgKChjb25zdCB1OCAqKSAmY2lwaGVydGV4dF9wb3NbMTZdKTsKLSAgZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0WzNdID0gaGV4X3RvX3UzMiAoKGNvbnN0IHU4ICopICZjaXBoZXJ0ZXh0X3Bvc1syNF0pOwotICBldGhlcmV1bV9zY3J5cHQtPmNpcGhlcnRleHRbNF0gPSBoZXhfdG9fdTMyICgoY29uc3QgdTggKikgJmNpcGhlcnRleHRfcG9zWzMyXSk7Ci0gIGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dFs1XSA9IGhleF90b191MzIgKChjb25zdCB1OCAqKSAmY2lwaGVydGV4dF9wb3NbNDBdKTsKLSAgZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0WzZdID0gaGV4X3RvX3UzMiAoKGNvbnN0IHU4ICopICZjaXBoZXJ0ZXh0X3Bvc1s0OF0pOwotICBldGhlcmV1bV9zY3J5cHQtPmNpcGhlcnRleHRbN10gPSBoZXhfdG9fdTMyICgoY29uc3QgdTggKikgJmNpcGhlcnRleHRfcG9zWzU2XSk7CisgIGNpcGhlcnRleHRfcHRyW2NpcGhlcl9sZW5dID0gMHgwMTsgLy8gYWRkIDB4MDEgYXQgdGhlIGVuZAorCisgIGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dF9sZW4gPSAodTMyKSBjaXBoZXJfbGVuOwogCiAgIC8vIGhhc2gKIApAQCAtNDI3LDIwICs0MzEsMTggQEAgaW50IG1vZHVsZV9oYXNoX2VuY29kZSAoTUFZQkVfVU5VU0VEIGNvbnN0IGhhc2hjb25maWdfdCAqaGFzaGNvbmZpZywgTUFZQkVfVU5VU0UKIAogICBldGhlcmV1bV9zY3J5cHRfdCAqZXRoZXJldW1fc2NyeXB0ID0gKGV0aGVyZXVtX3NjcnlwdF90ICopIGVzYWx0X2J1ZjsKIAotICBjb25zdCBpbnQgbGluZV9sZW4gPSBzbnByaW50ZiAobGluZV9idWYsIGxpbmVfc2l6ZSwgIiVzKiV1KiV1KiV1KiVzKiUwOHglMDh4JTA4eCUwOHglMDh4JTA4eCUwOHglMDh4KiUwOHglMDh4JTA4eCUwOHglMDh4JTA4eCUwOHglMDh4IiwKKyAgLy8gY2lwaGVydGV4dDoKKyAgY2hhciBjaXBoZXJ0ZXh0X2hleFs2NCArIDFdID0geyAwIH07CisKKyAgaGV4X2VuY29kZSAoKGNvbnN0IHU4ICopIGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dCwgKGNvbnN0IGludCkgZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0X2xlbiwgKHU4ICopIGNpcGhlcnRleHRfaGV4KTsKKworICBjb25zdCBpbnQgbGluZV9sZW4gPSBzbnByaW50ZiAobGluZV9idWYsIGxpbmVfc2l6ZSwgIiVzKiV1KiV1KiV1KiVzKiVzKiUwOHglMDh4JTA4eCUwOHglMDh4JTA4eCUwOHglMDh4IiwKICAgICBTSUdOQVRVUkVfRVRIRVJFVU1fU0NSWVBULAogICAgIHNhbHQtPnNjcnlwdF9OLAogICAgIHNhbHQtPnNjcnlwdF9yLAogICAgIHNhbHQtPnNjcnlwdF9wLAogICAgIChjaGFyICopIHRtcF9zYWx0LAotICAgIGJ5dGVfc3dhcF8zMiAoZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0WzBdKSwKLSAgICBieXRlX3N3YXBfMzIgKGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dFsxXSksCi0gICAgYnl0ZV9zd2FwXzMyIChldGhlcmV1bV9zY3J5cHQtPmNpcGhlcnRleHRbMl0pLAotICAgIGJ5dGVfc3dhcF8zMiAoZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0WzNdKSwKLSAgICBieXRlX3N3YXBfMzIgKGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dFs0XSksCi0gICAgYnl0ZV9zd2FwXzMyIChldGhlcmV1bV9zY3J5cHQtPmNpcGhlcnRleHRbNV0pLAotICAgIGJ5dGVfc3dhcF8zMiAoZXRoZXJldW1fc2NyeXB0LT5jaXBoZXJ0ZXh0WzZdKSwKLSAgICBieXRlX3N3YXBfMzIgKGV0aGVyZXVtX3NjcnlwdC0+Y2lwaGVydGV4dFs3XSksCisgICAgY2lwaGVydGV4dF9oZXgsCiAgICAgYnl0ZV9zd2FwXzMyIChkaWdlc3RbMF0pLAogICAgIGJ5dGVfc3dhcF8zMiAoZGlnZXN0WzFdKSwKICAgICBieXRlX3N3YXBfMzIgKGRpZ2VzdFsyXSksCmRpZmYgLS1naXQgYS90b29scy90ZXN0X21vZHVsZXMvbTE1NzAwLnBtIGIvdG9vbHMvdGVzdF9tb2R1bGVzL20xNTcwMC5wbQppbmRleCA4OTZjZTY2ZTUuLjgzN2NmYjYxMiAxMDA2NDQKLS0tIGEvdG9vbHMvdGVzdF9tb2R1bGVzL20xNTcwMC5wbQorKysgYi90b29scy90ZXN0X21vZHVsZXMvbTE1NzAwLnBtCkBAIC0yMCw3ICsyMCw3IEBAIHN1YiBtb2R1bGVfZ2VuZXJhdGVfaGFzaAogICBteSAkc2NyeXB0X04gICA9IHNoaWZ0IHx8IDEwMjQgOyAjIDI2MjE0NCBvcmlnaW5hbGx5CiAgIG15ICRzY3J5cHRfciAgID0gc2hpZnQgfHwgMTsgIyA4IG9yaWdpbmFsbHkKICAgbXkgJHNjcnlwdF9wICAgPSBzaGlmdCB8fCAxOwotICBteSAkY2lwaGVydGV4dCA9IHNoaWZ0IHx8IHJhbmRvbV9ieXRlcyAoMzIpOworICBteSAkY2lwaGVydGV4dCA9IHNoaWZ0IHx8IHJhbmRvbV9ieXRlcyAocmFuZG9tX251bWJlciAoMTYsIDMyKSk7CiAKICAgbXkgJGRlcml2ZWRfa2V5ID0gc2NyeXB0X3JhdyAoJHdvcmQsICRzYWx0LCAkc2NyeXB0X04sICRzY3J5cHRfciwgJHNjcnlwdF9wLCAzMik7CiAK


to apply this patch:
Code:
git clone https://github.com/hashcat/hashcat hashcat_15700_mod
cd hashcat_15700_mod
git checkout 15bf8b7302fd2febd93845eb26d60efed6255bae
base64 -d patch_ethereum_15700_github_2017_base64.diff > patch_ethereum_15700_github_2017.diff
git apply patch_ethereum_15700_github_2017.diff
make
./hashcat -m 15700 -b

(use hashcat.exe instead of ./hashcat for windows)

the patch above is in base64 encoded format, otherwise the forum software or pastebin etc add some whitespace problems such that the patch can't be applied. Therefore it needs to be base64 decoded first (base64 -d of patch_ethereum_15700_github_2017_base64.diff to patch_ethereum_15700_github_2017.diff)

Of course you need to make sure that you do not confuse this hashcat_15700_mod modified hashcat version with other release (or beta) version of hashcat. remember that it's a modified/patched version

Of course this would need to be tested with several keystore files to make sure it doesn't break anything and at the same time also works with the keystore files with shorter ciphertext lengths.

Please test

update: I've updated the patch above to add tests with much shorter ciphertext lengths and corrected the keccak computation in the kernel after I've discovered that some shorter lengths failed (should be fixed now)
Reply