
How to brute force unsalted string? #11

Closed
DavidVeksler opened this issue Jan 5, 2018 · 9 comments

Comments

@DavidVeksler

I have a paper wallet with a lost password encrypted with AES 256 (by strongcoin).
With the correct password, `openssl enc -d -aes-256-cbc -in enc.txt -a -base64 -k PASSWORD` decrypts it.

Can you suggest how to fork this tool to brute force unsalted ciphertext?

The file contains a string like this:
U2FsdGVkX191rPJP6/wzxZW3uM6pZTC
DoXWv853CTdjrsF1eJplyHNPjSwJqU6bU
yhfUEL4yqRDUF7n1UTyq+Ksm4CY9gNS
6PLfiKMVd5fE=

@DavidVeksler
Author

Actually, I get an error against salted files too:
openssl aes-256-cbc -a -salt -in enc.txt -out test.enc

./bruteforce-salted-openssl test.enc
Error: test.enc is not a salted openssl file.

@DavidVeksler
Author

I think I got it. I added Salted__XX to the first line and the -n param.

@DavidVeksler
Author

DavidVeksler commented Jan 5, 2018

Arg, that does not work:

Works:
openssl enc -d -aes-256-cbc -in enc_known.txt -a -base64 -k XXX

Doesn't work:
./bruteforce-salted-openssl -c aes-256-cbc -f passwords.txt ./enc_known.txt -t 4
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 6
Tried passwords per second: inf
Last tried password: XXX

Password not found

@glv2
Owner

glv2 commented Jan 5, 2018

bruteforce-salted-openssl currently doesn't have support for base64 directly, so you have to give it the raw data.

base64 -d enc.txt > enc.dat
bruteforce-salted-openssl -c aes-256-cbc [...other options...] enc.dat

Besides, if what was encrypted is not ASCII characters, the -M option must be used, or the program won't be able to tell when the data decrypted with a candidate password is correct (because the encrypted file doesn't contain a message authentication code).

@DavidVeksler
Author

This helped, but I'm still having an issue. I can take text, encrypt it, then brute force it. That's good.

However, the encrypted private key does not work with bruteforce when I use the paper wallet copy that works with openssl.

Here is the encrypted private key from the paper wallet. openssl can decrypt it, but bruteforce fails.
U2FsdGVkX191rPJP6/wzxZW3uM6pZTC DoXWv853CTdjrsF1eJplyHNPjSwJqU6bU yhfUEL4yqRDUF7n1UTyq+Ksm4CY9gNS 6PLfiKMVd5fE=

Here is the same private key encrypted by OpenSSL. Both openssl and brute forcing work.
f4c3nS7vfzjjuawuMxMBfS6mKIPEH5aaEFbqKvpmUmsFFzOFNSnjxX0kuzgB4uxo
CdMzAas2mOwD1YhbnyC9Gg==

I've tried various variations of white space with no luck.

Running:
./bruteforce-salted-openssl -n -c aes-256-cbc -f passwords.txt ./test.dat -t 4 -M
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 10
Tried passwords per second: inf
Last tried password: XXX

Password candidate: XXX

Dat for base64 encrypted via openssl: �‡7�.ï�8㹬.3��}.¦(ƒÄ�–š�Vê*úfRk��3…5)ãÅ}$»8�âìh Ó3�«6˜ì�Õˆ[Ÿ ½�

Dat for key encrypted on paper wallet: Salted__u¬òOëü3Å•·¸Î©e0ƒ¡u¯ó�ÂMØë°]^&™r�ÓãK�jS¦ÔÊ�Ô�¾2©�Ô�¹õQ<ªø«&à&=€Ôº<·â(Å]åñ

@DavidVeksler
Author

DavidVeksler commented Jan 5, 2018

I got it now. The paper wallet key IS salted, as I can see in the dat so it works without -n.

@DavidVeksler
Author

DavidVeksler commented Jan 5, 2018

Another issue. Now I am running the brute force search on the unknown private key. Why do I get so many password candidates? I know that the secret is a private key (ASCII).

./bruteforce-salted-openssl -c aes-256-cbc -l 8 -m 10 -n -s 936ABCDEFGHIJKLMNOPQRSTU! -v 10 ./enc.dat -t 4
Tried / Total passwords: 195532 / 9.93347e+13
Tried passwords per second: 195532.000000
Last tried password: 9999JJSE
Total space searched: 0.000000%
ETA: Fri Feb 10 14:01:40 2034

Password candidate: 9999JJSE
Tried / Total passwords: 241201 / 9.93347e+13
Tried passwords per second: 120600.500000
Last tried password: 9999MHU3
Total space searched: 0.000000%
ETA: Thu Feb 11 21:07:03 2044

@glv2
Owner

glv2 commented Jan 6, 2018

As soon as the data decrypted by a candidate password is made of at least 90% of ASCII characters, this candidate password will be printed out as it is possibly the real password.

To filter false positives, you can use the -M option if you know that the decrypted data starts with some specific characters, or you can change the valid_data function in the source code to match the format your decrypted data should have.
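An added example (not part of the thread or of bruteforce-salted-openssl) that covers the two points glv2 raises: it strips the base64 layer the tool does not handle, checks for the `Salted__` header that decides whether `-n` applies, and approximates the "at least 90% ASCII" plaintext check that explains why an unauthenticated CBC file yields false-positive candidates. The printable-ASCII definition and the 0.9 threshold are assumptions standing in for the tool's `valid_data` function; the sample ciphertext is the paper-wallet string posted above.

```python
import base64
import re

MAGIC = b"Salted__"  # 8-byte header written by "openssl enc" unless -nosalt is used

# Ciphertext posted in the thread: base64 wrapped across several lines.
SAMPLE_B64 = """U2FsdGVkX191rPJP6/wzxZW3uM6pZTC
DoXWv853CTdjrsF1eJplyHNPjSwJqU6bU
yhfUEL4yqRDUF7n1UTyq+Ksm4CY9gNS
6PLfiKMVd5fE="""


def decode_openssl_base64(text: str) -> bytes:
    """Decode 'openssl enc -a' output, ignoring line breaks and stray whitespace."""
    return base64.b64decode(re.sub(rb"\s+", b"", text.encode("ascii")))


def parse_openssl_enc(data: bytes):
    """Split raw 'openssl enc' output into (salt, ciphertext).

    salt is None when there is no Salted__ header (the -nosalt / -n case).
    The key and IV are derived from password and salt, so the salt is needed
    to check any candidate password; it is not secret.
    """
    if data.startswith(MAGIC):
        salt, ct = data[8:16], data[16:]
        if len(salt) != 8:
            raise ValueError("truncated Salted__ header")
    else:
        salt, ct = None, data
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    return salt, ct


def looks_like_text(plaintext: bytes, threshold: float = 0.9) -> bool:
    """Assumed approximation of the tool's plaintext heuristic: the file carries no
    MAC, so the only signal that a password is right is whether the decrypted
    bytes look like text (printable ASCII or whitespace, >= threshold of bytes).
    Short outputs that pass by chance are the false positives seen in the thread."""
    if not plaintext:
        return False
    ok = sum(1 for b in plaintext if 32 <= b < 127 or b in b"\t\r\n")
    return ok / len(plaintext) >= threshold


if __name__ == "__main__":
    salt, ct = parse_openssl_enc(decode_openssl_base64(SAMPLE_B64))
    print("salted:", salt is not None, "salt:", salt.hex(), "ct bytes:", len(ct))
```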

@DavidVeksler
Author

Thanks. I have it working fine now.
