Ethereum Wallet Cracking

hashcat v3.6.0 was released yesterday and one of the newly supported hash types was Ethereum wallets (Go Ethereum (Geth), Mist and MyEtherWallet variants). This guide shows how a MyEtherWallet JSON keystore file is broken down, how it maps onto a hashcat-compatible format, and finally an example crack.

First let’s get our wallet. That’s as easy as going to MyEtherWallet, entering a password, clicking generate and downloading it. MyEtherWallet suggests you “enter a strong password (at least 9 characters)”. Firstly, this isn’t a suggestion: it won’t let you generate a wallet unless the password is at least 9 characters. Secondly, I wouldn’t call 9 characters particularly strong, but that’s an argument for another day. If you don’t set a wallet name, a default is provided (as ours is) which comprises the UTC date/time of generation followed by your new Ethereum wallet address.

Our wallet’s password is P@ssw0rd1! and the generated keystore file is shown below. The values that matter for cracking are the scrypt kdfparams (n, r, p and salt), the ciphertext and the mac; these map directly onto the hashcat-compatible format that follows.

UTC--2017-06-10T11-51-33.675Z--f418f8185f2c1163ae953bf778acc6877b9bc203

{"version":3,"id":"5cf4711d-3f69-4636-89d0-b304a7e23b75",
"address":"f418f8185f2c1163ae953bf778acc6877b9bc203",
"Crypto":{"ciphertext":"7f5c865554d67604394ae54d7a4f9735bdb85c90e606a672d18add1d167d793b",
"cipherparams":{"iv":"ae4e8c9c2ac201d6c2baa58ff670fd39"},
"cipher":"aes-128-ctr",
"kdf":"scrypt",
"kdfparams":{"dklen":32,"salt":"437964c9bd1b5f63bde56560808c894792f8f670694590b776e22381e32dd33b","n":1024,"r":8,"p":1},
"mac":"96f2a849321cc04cb6c0fcee1bd4b195ca681ca28064dc45000f02e47230c5b6"}}

hashcat Format

$ethereum$s*1024*8*1*437964c9bd1b5f63bde56560808c894792f8f670694590b776e22381e32dd33b*7f5c865554d67604394ae54d7a4f9735bdb85c90e606a672d18add1d167d793b*96f2a849321cc04cb6c0fcee1bd4b195ca681ca28064dc45000f02e47230c5b6

So from the above we can derive the following hashcat structure…

$ethereum$s*n*r*p*salt*ciphertext*mac

…where s means the scrypt variant (hashcat mode 15700). The letter p in its place indicates a PBKDF2-HMAC-SHA256 wallet, which is mode 15600 and carries the PBKDF2 iteration count in place of the scrypt parameters. Everything after the KDF parameters is copied straight out of the keystore: the scrypt salt, the AES-CTR ciphertext and the mac. The mac is what hashcat actually tests for each guess. In a v3 keystore it is Keccak-256 over bytes 16..31 of the derived key followed by the ciphertext, so a guess is correct when that value matches; the private key itself never has to be decrypted.

EDIT (17/07/17): An earlier version of this post gave the structure as $ethereum$s*n*r*p*salt*mac*ciphertext, following documentation that changed between ethereum2john versions. hashcat has accepted both that and the $ethereum$s*n*r*p*salt*ciphertext*mac order shown in this example. Use the latter, which is what ethereum2john produced for this wallet and what the crack below used.

Fortunately ethereum2john.py makes the hashcat prep easy (you heard me right, ethereum2john for hashcat prep: ether2hashcat was superseded by it) by just pointing it at the wallet as shown below.

[Screenshot: ethereum2john.py run against the keystore file, printing the $ethereum$ hash]

Now we’ve got the hash we can pass it over to hashcat. As we’ve got a scrypt-based hash, a quick lookup shows the required hashcat mode is 15700.

hashcat64.exe -m15700 $ethereum$s*1024*8*1*437964c9bd1b5f63bde56560808c894792f8f670694590b776e22381e32dd33b*7f5c865554d67604394ae54d7a4f9735bdb85c90e606a672d18add1d167d793b*96f2a849321cc04cb6c0fcee1bd4b195ca681ca28064dc45000f02e47230c5b6 b:\Dictionaries\rockyou.txt --status --status-timer=5 -w3 -r rules\hob064.rule

[Screenshot: hashcat output showing the wallet cracked]

3 mins 41 secs at circa 2200 H/s, job done. FYI this laptop has a mobile GTX 1060.

A couple of general password cracking points to note here…

  • The password P@ssw0rd1! isn’t in the standard rockyou dictionary, so assuming this dictionary is being used (and it commonly is), a non-rule-based attack wouldn’t have cracked it.
  • The rule: they’re important, as I literally just said above 😀. Algorithm complexity should always be a factor when choosing one. For example, I throw bigger rule sets against fast hashes (e.g. MD5, NTLM) because the speed you crack at will exhaust the larger rule set quickly. As Ethereum scrypt hashes are heinously slow, I throw smaller, more efficient rule sets (relative to size) against them first.

The hob064 rule set used above is very efficient and a good first choice when attacking complex algorithms. I’ve already written about hashcat rule efficiency on NotSoSecure’s blog (where you’ll note the most efficient rule tested was hob064). When attacking fast hashes I tend to use my own larger custom rule, derived from a number of high-performing rules against a large hash set. This custom rule was created from the testing noted in the above linked blog, and can be found here if you want to give it a go… although you’ll be waiting a while if you throw it against an Ethereum wallet with a good password!

This entry was posted in password cracking, Pentest.

21 Responses to Ethereum Wallet Cracking

  1. Vadym says:

    Does not work for me: always finishes with Exhausted status.


    • Is your rockyou dictionary or hob064 rule modified in any way? The default dictionary and rule will crack the example password used above. If you’re still having trouble, paste your hashcat command here 🙂


  2. {"address":"e5073c7e598a15ff6902f3d691e716be0dee8db1","crypto":{"cipher":"aes-128-ctr","ciphertext":"602323b0d50e5f12f1ad61a271ab9e12629572d7c3d6ea3950b24f991d4ebdcb","cipherparams":{"iv":"4cfc5544fff57448955246170ba0db31"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":4096,"p":6,"r":8,"salt":"3384860f3e361300e07aa481a4157b48721411557192b486fa7d73d7669ef8f8"},"mac":"9ef3b17d5f6aa97f1903bd93fa286d0341bb4dc59090065f024857cb216d38dc"},"id":"00b6a2d8-7a4a-4252-842d-80799f4e9f7a","version":3}


    • Hi there. I’m not sure what you’re asking by pasting that? Hashcat will accept that, but you’ll need to reorder the parameters into the order as shown in the post for ethereum2john to accept it. Doing so will provide the following hashcat format:

      $ethereum$s*4096*8*6*3384860f3e361300e07aa481a4157b48721411557192b486fa7d73d7669ef8f8*602323b0d50e5f12f1ad61a271ab9e12629572d7c3d6ea3950b24f991d4ebdcb*9ef3b17d5f6aa97f1903bd93fa286d0341bb4dc59090065f024857cb216d38dc

      Also, your wallet likely won’t crack on GPUs (I couldn’t get it running) because of the memory requirement from your kdfparams. Trying it on GPUs will likely hang/crash the system. CPU cracking will work fine but the speed will be really slow (I got 115 H/s on yours).

      When you run hashcat it lists the devices (CPU, GPU etc) that are present. If your CPU is device 1 for example, run hashcat with your desired options but add -D 1 and it’ll work fine.


  3. Kma says:

    Hey, I tried the whole thing. ethereum2john.py gives me the correct hash, but when I run it with hashcat I get the following error:

    > Hash ‘*n*r*p*salt*ciphertext*salt’: Line-length exception

    (vars are obviously obfuscated)

    My N is huge, like 262144. What can I do?


    • You’ve got a couple of problems here, one of which I’ve outlined in the previous question.

      1)
      Firstly, if hashcat reports a Line-length exception, it typically means that either you’ve assigned the wrong hash type (in this case possibly -m15600 instead of -m15700?), or that the hash is incorrectly formatted (more likely). Please check that your string is *exactly* formatted as shown in my example. I haven’t tested ethereum2john’s error handling, but ensure that your salt, mac and ciphertext are all correct.

      Both $ethereum$s*n*r*p*salt*ciphertext*mac (as shown in my example) and $ethereum$s*n*r*p*salt*mac*ciphertext formats will work.

      2)
      Yes, your high scrypt settings will mean that a GPU won’t be able to crack due to the memory requirement. You’ll need to solve your line-length exception issue anyway, but after you’ve done that, you’ll only be able to attempt to crack using your CPU. Run hashcat with -b to identify which device your CPU is, let’s say it’s device #1… Then when attempting your Ethereum crack, append -D 1 to the end of the command and it’ll skip your GPU and perform a CPU crack, which should work fine. It won’t crack quickly though!


      • ztop says:

        What is the determining factor of high scrypt settings? Why do n values vary so much between wallets? If you have some kind of general idea of the length of a password and the makeup of such a password, for example 3 words and a set of numbers in the middle, would you be better off doing a mask attack for a higher success rate? Thanks 🙂


      • As far as I know these settings differ between various implementations of scrypt. For example, in Ethereum, the scrypt defaults are n:262144, r:1, p:8 but different wallets may implement different factors.

        This post does a good job of describing what n, p and r are in scrypt. The tl;dr is that if n is very high, there’s a good chance you won’t be able to GPU crack it because you won’t have the RAM.

        If you have an idea as to the password’s structure, then you’re already in a much better position to crack it. I’d approach it the same way I would any hashing algorithm.

        E.g. if I knew there were numbers at either the start or end of a ‘3 word’ wordlist, I’d create the 3-word wordlist (This post shows you how to quickly create a list using hashcat’s combinator tool) and use it with a mask file containing your numbers (?d, ?d?d, ?d?d?d etc), running it once for each end. If we assume you’ll be CPU cracking due to the RAM problem, examples would be:

        -a6 -D1 -m15700 hashfile 3wordlist numbers.mask

        followed by

        -a7 -D1 -m15700 hashfile numbers.mask 3wordlist


  4. PC4USER says:

    help


    • I’m afraid you’re going to have to be a little more specific!


      • PC4USER says:

        I’m sorry, sorry, that was a test because I wrote a bunch of posts and my antivirus blocks your site constantly. I have a problem with brute-forcing on the video card, please help me. The problem is that without -D 1 my PC hangs completely and only the reset button helps. With your version, $ethereum$s*1024*8*1, everything is fine, but in my version n is 262144*8*1. Please tell me whether it is possible to somehow run brute-forcing on a video card with 262144*8*1 so the PC does not hang? On 1024*8*1 it does not hang. Until then I’m stuck on -D 1, 11 H/s on a CPU i7 3770.
        My PC: CPU i7 3370 / RAM 16GB / 2*GTX 1060 6GB / SSD+HDD

        my hash:
        Hashcat64.exe -m15700 -D 1 $ethereum$s*262144*8*1*5af5c013e170e5506a972098ac631d1ea896813db05beb8e0c64f277bc12e61e*bc46586dc16add0cc22bf666e075fb064df73ec281ecffc626fda4288d56ea50*bd3f8d428b655cb2a2ea2c54d6a7a6443e79d699edda6e31657fe63825e3868b 5e7Vqty l l l l l --status --status-timer=5 -w3 --status --status-timer=5 -w3

        I heard you can somehow reduce the load on the video card so the PC will not hang, so that it isn’t brute-forcing at 100%.

        Yes, and there is a presumably correct password, and with it funds seem to have been withdrawn once, but this is not certain; maybe this is a bug, and if so, how do I solve it?


      • Your system will always hang as your kdfparams (262144*8*1) result in a large RAM requirement (meaning you can only CPU crack). I won’t go into the maths, but with those settings, a *single* GTX 1060 will need 160GB RAM (which of course you don’t have) to work on that hash. In other words, when you start hashcat, it’s trying to use 320GB RAM over both your cards and will bomb out. So unfortunately you’re stuck with -D1 or whatever number your CPU is listed as.

        Regarding your GPU load reduction, you’re probably referring to Time Memory Trade Off (TMTO), but you’ll barely get 1h/s going down that route so I honestly wouldn’t bother. Higher scrypt settings make it an algorithm that can be very resilient to GPU cracking.


      • PC4USER says:

        Thanks, very detailed explanation. Maybe you know some more ways to find out the password? Otherwise I don’t know what to do with this problem, because even brute-forcing 12 characters at a rate of 1 billion per second turns out to be 10 years)


      • PC4USER says:

        Can I reduce the load on the processor while brute-forcing, losing a bit of hash rate, so that I can freely use the PC? Could you tell me? Your article is like salvation, thanks again


        There isn’t another viable way that I’m aware of to crack high scrypt settings like those with any speed. Your only choice is CPU cracking, which will be slow. I typically wouldn’t advise brute-forcing the entire keyspace of a password because, as you said, as the length of the password increases the time required becomes years very quickly. The practical way to crack passwords is by dictionary attacks, so unless the password to your wallet is something that would commonly be found in a wordlist, it’s probably not worth your time attempting to break it.

        Removing the -w3 will tell hashcat to use the “default” workload profile, which will make the system respond more. Using a -w3 will slow down responsiveness and -w4 will make it almost unusable.


      • PC4USER says:

        I’m flattered. If I can still crack the password by any means, I’ll write to you and thank you. And another question: can you somehow find out how many characters are in the password from the hash? And could you explain how to brute-force with a mask correctly? For example:
        - [Built-in Charsets] -

           ? | Charset
          ===+=========
           l | abcdefghijklmnopqrstuvwxyz
           u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
           d | 0123456789
           h | 0123456789abcdef
           H | 0123456789ABCDEF
           s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
           a | ?l?u?d?s
           b | 0x00 - 0xff

        my password for example - 5e7Vqyp2Qrpd

        how do I properly write a mask for the last 3 characters so that it tries lowercase, uppercase and digits at once?

        5e7Vqyp2Q?luhHs?luhHs?luhHs Probably like this?


      • You’ll never be able to work out how many characters the plain text password is from the hash. Hashing algorithms take an arbitrary length input and produce a fixed length output.

        Using your example password you could use a mask attack to try and crack it (but it still might take some time at CPU cracking speeds). If you want to mask the last 3 characters, you’d use 3 lowercase letters (assuming you knew the password), so you’d provide hashcat the following:

        Hashcat -a3 -m15700 -D1 hash 5e7Vqyp2Q?l?l?l

        If you didn’t know the last 3 characters and wanted to try just mixed-alpha you’d need a custom char set containing mixed alpha:

        Hashcat -a3 -D1 -m15700 -1 ?l?u hash 5e7Vqyp2Q?1?1?1

        And if you wanted to try all combinations for the last 3 places just use the first example but replace ?l for ?a


      • PC4USER says:

        OK, I don’t know the last 3 symbols. I write this - 5e7Vqyp2Q?a?a?a, yes? If the last 3 symbols can only be big-small-number, how do I write the mask?


      • Yes. In that example the last 3 characters will be tested of mixed-alphanumeric and symbols. If you only wanted mixed alpha-numeric without symbols then you would create a custom character set similar to last response that assigns lower(?l), upper (?u) and numbers (?d) into a single character set:

        Hashcat -a3 -D1 -m15700 -1 ?l?u?d hash 5e7Vqyp2Q?1?1?1

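The mask questions in this thread come down to keyspace arithmetic, which is easy to get wrong by hand. As an added example (my own code, not part of the original post or thread, and not hashcat's implementation), here is a small Python mask expander that understands hashcat's built-in charsets and the -1..-4 custom charsets used in the replies above, generates the candidates that -a3, -a6 and -a7 would feed to the hash, and converts a keyspace into a run time at a given rate. The 115 H/s figure in the usage comes from the CPU speed quoted earlier in the thread; the sample masks are the ones discussed above.

```python
"""Expand hashcat-style masks (?l ?u ?d ?s ?a ?h ?H plus -1..-4 custom charsets), count
the keyspace, and turn it into a time estimate at a given hash rate."""
import itertools
import string

BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits,
           "h": "0123456789abcdef", "H": "0123456789ABCDEF",
           "s": " " + string.punctuation}          # hashcat ?s: space plus 32 punctuation chars
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]   # 95 printable ASCII

def expand_charset(spec, custom=None):
    """Resolve a charset spec such as '?l?u?d' or 'abc?d' to its characters, de-duplicated."""
    custom, chars, i = custom or {}, [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            elif key == "?":            # a literal question mark is written ??
                chars.append("?")
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))

def parse_mask(mask, custom=None):
    """Return one string of allowed characters per mask position. custom maps '1'..'4'
    to the specs given with hashcat's -1 .. -4 (they may use built-ins, e.g. -1 ?l?u?d)."""
    resolved = {k: expand_charset(v) for k, v in (custom or {}).items()}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], resolved))
            i += 2
        else:
            positions.append(mask[i])   # fixed character, keyspace contribution of 1
            i += 1
    return positions

def keyspace(positions):
    total = 1
    for p in positions:
        total *= len(p)
    return total

def candidates(positions):
    """Generate every candidate, the same set -a3 would try."""
    for combo in itertools.product(*positions):
        yield "".join(combo)

def hybrid(words, positions, mask_first=False):
    """-a6 (word + mask) or -a7 (mask + word) candidates from a wordlist."""
    for w in words:
        for part in candidates(positions):
            yield part + w if mask_first else w + part

def seconds_to_exhaust(positions, hashes_per_second):
    return keyspace(positions) / hashes_per_second

if __name__ == "__main__":
    # The thread's example: known prefix 5e7Vqyp2Q, last three characters mixed alphanumeric.
    pos = parse_mask("5e7Vqyp2Q?1?1?1", {"1": "?l?u?d"})
    print(keyspace(pos), "candidates;", round(seconds_to_exhaust(pos, 115) / 60), "min at 115 H/s")
```

With -1 ?l?u?d the three unknown positions give 62^3 = 238,328 candidates, about 35 minutes at the 115 H/s CPU rate from the thread; ?a?a?a grows that to 95^3 = 857,375. The same arithmetic shows why an unknown 12-character password is out of reach at any scrypt speed: every extra ?a position multiplies the time by 95.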

      • PC4USER says:

        If a GTX 1080 needs 160GB RAM (which of course I don’t have) to work on that hash, what if I buy 20×1080 8GB in one farm = 160GB? Will the program start on the video card?


      • No, this wouldn’t work either. When the maths is worked out for a GTX 1080 the RAM requirement becomes 320GB per card. You could have 100x GTX 1080s and it still wouldn’t work because the RAM requirement is per GPU. Your GPU will always only have 8GB.

