my electrum wallet of 2016
#1
Hi all,

I have an issue with my electrum wallet from 2016. I did some days mining with my AMD APU for nicehash. As I did not use a passwordmanager this time, and wanted to have a good password.... oh, it does not matter anyway now.

I got my keystore file. I think it is the same as the wallet.dat.  But not sure here. The interestsing part seems to be this one here. But it is missing the private key.

"keystore": {
        "type": "bip32",
        "xprv": null,
        "xpub": "xpub661Myxpubkey111positions"

    },

There is more in the file. But mostly addresses I created to restore the wallet... There are some transactions from nicehash too.

So if there is no private key, no seed and no password. It is not possible to restore any BTC right?

I have checked the example hashes of the electrum wallets versions on hascat wiki. But I did not find anything. With John2electrum I only got the message: "This wallet is not encrypted". Nice, but how does it helps me. I remember parts of my password but that's all.

I still have a dd copy of my harddrive. But it's 4 years past since the wallet was created and it's only 120GB drive.

Any advice is welcome.

centurio
Reply
#2
This looks like a watch-only wallet only that does not include any private key data.
Reply
#3
(12-05-2020, 02:13 AM)undeath Wrote: This looks like a watch-only wallet only that does not include any private key data.

Oh, this makes sense. So I have to investigate further.

thx
Reply
#4
I did now further investigations and found the wallet on an other drive now.

However, bitcoin2john cannot extract the hash. But if I open the wallet.dat, it is not encrypted, the xprv and the seed fields are both filled. If I am right, there is the hashed private key.

Is the only way to decrypt the privatekey with hashcat to extracte the wallet hash? -m 11300 ? Or can I use an other mode on the private key only?

The seed seems to be in Version 33.
Reply
#5
So i will reply myself and anyone who find this post.

I found the real wallet.dat of my electrum wallet with the xprv key. I learned that, althoght my wallet is not encryptet, the xprv and the seed are. So I found electrum2john.py which should generate me the hash for hascat mode 16600. But it would should be to easy to just run the script. The error message tells me, my salt is not supported.

Further investigations helped me and I have tried to add my seed (no. 33 and not 10, 11 or 12 as it is in the script). I appended it to the 3 seeds to avoid the error being triggerd. That worked for me and I finally got my 16600 has value for electrum 2 wallet.

But here I am with the next problem. This time I might really need detailed help....

I remember the chars and the word I have used for my password generation. It includes the german small äöü and maybe the french ç symbols.
I have tried to test if I can crack an example hash. With the help of sha1generator.de I got the hash for öäü.

The hashvalue I copy pasted in Windows 10 Editor and made sure to save it with utf8. On my laptop I use hascat in windows.
I have tried a mask attack with the 3 different german charsets.
hashcat.exe -a 3 -m 100 -1 \charsets\standard\German\.... .hcchr ?1?1?1

To my surprise this did not crack the hash. I made sure the äöü letters were within these files.

I then created my own hcchr file, added the äöü letters and saved it with utf8 format. I was surprised it did not crack the hash!
So I have tried the --encoding-from=utf-8 and the encoding-to=utf8 option. The hash could not be cracked.

As last try I used the ?b?b?b mask which did not end positive.

Can someone please give me a hint? What do I miss here?

I do not have to start cracking my old electrum wallet if I am not able to use the special cahrs....
Reply
#6
Now I am a step further. After the use of hashcat combipow I have about 5mio password candidats what is not the problem.

It's is again the encoding. After reading several posts and studied @roycewilliams explanation on git, I am still not able to crack my old password. I used words (i remember them) and kind of keyboard walk where the chars are uesed only once. With combipow the right password should be in the list.
I made a utf-8 file in linux with all the words and chars and let combipow > the result in a utf-8 file.

If I run now hashcat (on my win10 Laptop) hashcat.exe -d 1 -m 16600 -a 0 hash.txt wordlist.txt (both utf-8) it does not find the hash.

Part of the candidate looks like this: 0R*ç%&/()=?!£öäühu
0R*%&/()=?! and hu are ok. But those in between should be the german umlaut öäü.

If I understood royce and atom in an other post correctly, hashcat does the encoding with wordlists itself. Only with brute force it is difficult.

Might one help me with a hint?
Reply
#7
Hi,

i don't know if this can help you but regarding the encoding i recomend you to read the following:


https://miloserdov.org/?p=4016

https://www.nixu.com/blog/cracking-non-e...ng-hashcat

https://blog.bitcrack.net/2013/09/cracki...e.html?m=1

BR
Reply
#8
Thank you,

Two of them are dealing with brute force. But as I know the letters of my password and finally have a list, only the firt link is kind of helpful.

"This option is simpler than a mask attack – just make sure that the dictionary is in the same encoding as the cracked password was during the computing of the hash. "

This part seems logic to me. But the problem is hashcat does not recognize the äöü letters. It just does not.

I do not know what encoding the electrum wallet used this time. But I assume it was utf-8. If not, the password would be cracked with the actual faulty imput.

*Edit*
I did convert the list to hex and used --hex-wordlist without success.

In Notepad++ hex view the special cars have the correct code C3 A7 --> ç
But it is just not displayed correctly. So maybe the correct password is still not in the list.


Attached Files
.png   HEX view.png (Size: 3.26 KB / Downloads: 3)
.png   utf-8 view.png (Size: 1.02 KB / Downloads: 3)
Reply