Pt. 3: Tezos ICO password cracked, one more approach

Cal Naughton Jr.
5 min read · May 19, 2019


In part 1, using a computer running Ubuntu with an NVIDIA RTX graphics card, we set up an environment for the John the Ripper password-cracking tool to take advantage of OpenCL and the NVIDIA GPU for high-speed password cracking.

In part 2, we learned about applying masks and using wordlists with rules, for the case where you are confident enough about the characteristics of the lost password.

In part 3, we will present how we ended up cracking this smaller ICO wallet and how you can apply a similar strategy. It won’t be too hard in terms of Linux stuff. The main part will be editing a couple of files in the text editor. Don’t worry, you can do it!

Overview of what we’ll do below:

  • Create a file and populate it with characters and words
  • Use that file to generate a new character set
  • Edit John the Ripper’s configuration file to include this new character set
  • Use that new character set to crack the Tezos ICO password

John the Ripper has the ability to generate a new character set based on the contents of a file. Typically, one would populate this file with large sets of passwords recovered in previous breaches. Instead, we’re going to use this feature to build our own character set for a focused approach.

The resulting character set file not only contains the specified characters but also takes into account the frequencies of the different characters (or their estimated probabilities) and frequencies of different character pairs and triplets (or estimated conditional probabilities of their last characters). So the more probable passwords and bits of probable passwords that you can provide in the example below, the better chance you’ll have at cracking it.

This also reduces the number of combinations that have to be tried, because only the characters you supply are used instead of the full 95-character printable ASCII set.

Navigate to John the Ripper’s run directory and create/open the john.pot file with the text editor vi:

cd ~/JohnTheRipper/run
vi john.pot

If you’re not familiar with Vi, here’s the first Google result I found. For the purposes of this exercise, I’ll give a few pointers. If you’re confused, learn using a YouTube video or whatever works best for you.

In order to insert characters into the file, you need to press the “i” key first. This enters a mode that lets you insert characters. Press the “Esc” key to exit that mode and move around with the arrow keys. While in this mode, press the “x” key to delete the character under the cursor. Press “dd” to delete an entire row. When you are done editing the document, press “Esc”, then type “:wq” followed by the “Enter” key to write and quit (save and exit) the document.

For this exercise, let’s assume that we have a strong sense that our password is close to one of these: Magic12!, Magic23@, magiC01!, Magggic12$

We’ll now populate the john.pot file with all the characters in the above candidate passwords, the candidate passwords themselves, and any bits and pieces of possible passwords. We’ll also add any other characters that we may have used that aren’t in the candidate passwords or bits of them. Each new line should start with a colon “:” (john.pot stores hash:plaintext pairs, so the leading colon stands for an empty hash field), and make sure to include both upper and lowercase characters. Here is a snippet of what the file should look like (hopefully you will have more possible passwords and bits of passwords):

Make sure to include every character that may have been used, otherwise you’ll be hopelessly waiting for it to be cracked.
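One way to produce that file, as an added example that is not from the original post: it writes the john.pot lines described above from the post’s sample candidates, with FRAGMENTS and EXTRA_CHARS as assumed inputs standing in for your own pieces and extra symbols, and reports how many distinct characters it covers so you can compare that against the count --make-charset prints.

```shell
#!/bin/sh
# Added example (not from the post): builds the john.pot lines described above.
# CANDIDATES are the post's sample passwords; FRAGMENTS and EXTRA_CHARS are
# assumed pieces and extra symbols the real password might use.
CANDIDATES='Magic12!
Magic23@
magiC01!
Magggic12$'
FRAGMENTS='Magic
magic
12
23
01'
EXTRA_CHARS='#%&'

# john.pot holds hash:plaintext pairs; an empty hash field gives lines like ":Magic12!".
pot_lines() {
    # whole candidates and fragments, one per line
    printf '%s\n' "$CANDIDATES" "$FRAGMENTS" | sed 's/^/:/'
    # every distinct character on its own line, so --make-charset sees each one
    printf '%s' "$CANDIDATES$FRAGMENTS$EXTRA_CHARS" | fold -w 1 | grep -v '^$' \
        | LC_ALL=C sort -u | sed 's/^/:/'
}

# Size of the alphabet the new .chr file will cover; compare it with the
# Character Count that ./john --make-charset prints. A mismatch means a
# character is missing from the file (or was added by mistake).
alphabet_size() {
    pot_lines | grep -c '^:.$'
}

# Usage:  pot_lines > ~/JohnTheRipper/run/john.pot && alphabet_size
```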

Exit the john.pot file by pressing the “Esc” key and then typing “:wq” and pressing the "Enter" key to save and exit.

Now let’s generate a new character set using the john.pot file we just made. You won’t need to specify the john.pot file in the command because John the Ripper uses it automatically. We’ll name this character set special.chr. Make sure you’re in the run directory and then run the command:

cd ~/JohnTheRipper/run
./john --make-charset=special.chr

The output of this command will show you a Character Count. Save this number! We’re going to need it when we edit John the Ripper’s configuration file.

Open the configuration file and insert the section we’ve named special (shown in the image below), specifying the Character Count from the previous step and the minimum and maximum password lengths.

vi john.conf

(If you want to place this “special” section like we have done in the screenshot, you can search in vi by pressing “Esc” then typing a forward slash “/” immediately followed by your search term and pressing the “Enter” key. In this example you could type “/ascii” to find this section)

Now write and exit the john.conf file by pressing “Esc” and typing “:wq” and pressing the "Enter" key to save and exit.
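The same section written by a script instead of by hand, as an added example that is not from the original post: CONF, CHAR_COUNT, MIN_LEN and MAX_LEN are assumptions (point CONF at your john.conf, set CHAR_COUNT to the Character Count that --make-charset printed, and pick the length bounds that fit your candidates), and the layout follows the stock [Incremental:ASCII] section in john.conf.

```shell
#!/bin/sh
# Added example (not from the post): appends the "special" incremental section
# to john.conf. CONF, CHAR_COUNT, MIN_LEN and MAX_LEN are assumptions; the
# defaults of 8 to 10 fit the sample candidates, 17 is a placeholder count.
CONF=${CONF:-$HOME/JohnTheRipper/run/john.conf}
CHAR_COUNT=${CHAR_COUNT:-17}
MIN_LEN=${MIN_LEN:-8}
MAX_LEN=${MAX_LEN:-10}

add_special_section() {
    # Two definitions of the same section would be ambiguous; refuse to append twice.
    if grep -q '^\[Incremental:special\]' "$CONF" 2>/dev/null; then
        echo "[Incremental:special] already present in $CONF" >&2
        return 1
    fi
    # Same keys as the stock [Incremental:ASCII] section. $JOHN is john's own
    # placeholder for its run directory, so it is escaped to reach the file as-is.
    cat >> "$CONF" <<EOF

[Incremental:special]
File = \$JOHN/special.chr
MinLen = $MIN_LEN
MaxLen = $MAX_LEN
CharCount = $CHAR_COUNT
EOF
}

# Usage (after ./john --make-charset=special.chr):
#   CHAR_COUNT=<count printed by make-charset> add_special_section
```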

Now we can try cracking our password with this specialized character set that already has minimum and maximum lengths specified from the previous step:

./john hashes --devices=1 --format=tezos-opencl --incremental=special

In our case, it only took 38 minutes to crack! We’ve removed any identifying information, including the guesses displayed in the successful status output below:

We’ve transferred this bounty into our baker’s bond account.

We hope this helps you all! You can find us in the XTZ Recovery Telegram group and our own baker’s group.

Now you see me, now you don’t!

