There was a lot of good discussion here recently but imo it got a little bit difficult to find useful information.
Especially for non-technical people it might be quite confusing.
Kudos to @amulecregg for pointing out the comment about old passkey which helped eiprol get his master_seed out and also for new build allowing to use a flag to control that.
Sadly I no longer see your repo/build available so for the rest of these instructions I will just use DChapes repo only.
Kudos to @eiprol for providing wallet contents for test - I will use that quite a bit in my instructions below.
While you also created new repo with built-in option for bruteforcing - I will stay away from it to avoid potential of future changes becoming potentially insecure - although for anyone stuck in big bruteforcing please refer to @eiprol's repository as it is probably much faster!
So my idea now is to provide instructions that will be easy to follow for anyone regardless of OS and skill level that is safe and easy to follow.
I tested that on both Windows and Mac with success and I would love to hear from you about whether it looks ok.
Top level summary of what's below:
- create linux VM on your PC using trusted sources (automated)
- create environment for Go and wallet-recover executable (automated)
- create bruteforcing script that only requires you to put your username/password wordlists (obviously manual)
- prevent any scripts run in VM to access internet (by removing network from VM)
- test recovery works using test wallet
First let's install virtualbox (https://www.virtualbox.org/wiki/Downloads) and vagrant (https://www.vagrantup.com/downloads.html)
Why ? because these are used by millions of people and are considered safe. You can do it on any OS and will be the only thing to uninstall after you are done.
Virtualbox will allow us to create Ubuntu VM on your PC and Vagrant will help to automate majority of set up.
Since we will run everything in virtual machine you will be able to unplug virtual network cable and there is no risk then that your secrets will be stolen as VM will have no internet connectivity.
I won't go into steps of how to install them - refer to instructions on software vendor website. You should restart your PC after installation.
Now that we have both installed let's create Ubuntu Virtual Machine.
To do that with minimal hassle create a new folder (i.e. ripple_recover) and inside it create another one called ‘stuff’.
Then in ripple_recover create new file “Vagrantfile” (no extension !) with following contents:
ubuntu/trusty is an official Ubuntu prebuild VM picked up from this list of public machines: https://app.vagrantup.com/boxes/search
Provisioning script will install docker as per instructions from https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-using-the-repository
I could have installed go etc but I prefer using docker- much simpler imo.
It will also make it so that ‘stuff’ folder from your PC is mirrored in /stuff folder in VM - this allows for easier file modification of wallet or bruteforcing usernames/passwords.
Then script adds vagrant user to docker group so we can run docker commands later once we log in to VM
Creates Dockerfile that will have wallet-recover from DChapes
It will also replace passkey to use old method and build that as wallet-recover-old executable
Furthermore vagrant will create (in stuff folder) bruteforcing script, test wallet file and username/password wordlists with test entries for bruteforcing
Vagrant will also prepare 3 aliases:
wallet-recover - will trigger docker command to execute wallet-recover from within docker
wallet-recover-old - will trigger docker command to execute wallet-recover-old from within docker
bruteforce - will trigger bruteforcing through docker
I would like to ask community to review this script and confirm what I'm saying is true (@amulecregg, @eiprol ?)
Once we have the file created lets try creating the VM:
Open command line in this new folder (ripple_recover ?) and execute ‘vagrant up --provider=virtualbox’
What you should see is that:
And it might take good few minutes to finish.
Once it's done our VM should be running.
To get to it, open up virtualbox where you will see your box running:
When you double click on that you will notice sht like that:
you can type in vagrant for login and vagrant for password to get into the box
When you get message about the mouse just read it and click ‘capture’, (Note: to get back to your host and have mouse normally moving press right-ctrl (by default))
Lets switch to stuff folder by typing
And check whether we have internet connection with:
We do - so lets disable it in virtualbox menu:
click Devices -> Network -> Connect Network Adapter
This should unplug your cable from VM
Try curl again. It should get stuck for a while and then return error.
From now on no program or script run within VM can go out to internet so even if it's something dodgy it won't be able to steal your secrets.
Now lets test that everything is ok by trying to recover test wallet:
wallet-recover --json -name eiprol -pass TestPass01 -wallet test-wallet-old.txt
wallet-recover-old -name eiprol -pass TestPass01 -wallet test-wallet-old.txt
First one should fail and next two should be successful.
Result of wallet-recover:
Result of bruteforce:
Now that we know things work and your data is safe we can start to work on own wallet.
Copy your ripple-wallet.txt to ripple_recover/stuff folder on your PC (your ! not VM)
This actually makes it available on VM in /stuff directory (VM directory)
wallet-recover --json -name YOUR_USER -pass YOUR_PASS
wallet-recover-old --json -name YOUR_USER -pass YOUR_PASS
If either is successful - GRATS !
If not, open up on your PC two files in ripple_recover/stuff directory:
remove all the contents (these were used for test only)
And put any user you can think of -(in user file) same with passwords (in password file) space delimited.
Run (in VM) ‘bruteforce’ and hope for the best.
If it fails you will need to basically think of new usernames/passwords to put in for bruteforcing.
Might be worth reading on crunch https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/
Hope it makes sense - I was really rushing and it still took me a good while.
Even if you don't plan to use it let's hope it might work as a reference for any questions being asked.
EDIT: if you copy text to Vagrantfile and it complains with undefined method - look at the line it points to and edit manually any quotes or spaces as copy-pasting could have changed characters to unicode - sorry. Not my fault
EDIT 2: bruter script must be updated to encapsulate username/password and possibly even encode for safe bash use - will try to update it sometime soon
I might create repo just for this part of the work and organize the scripts a little bit better - if only I find time
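
EDIT 2 above raises the problem of passing usernames and passwords safely through bash. The following is an added example, not the post's bruteforce script or code from any repository mentioned here: it shows a wordlist loop in which every candidate reaches the tool as a single, never re-parsed argument. Assumptions: `try_pairs`, `RECOVER_CMDS` and the wordlist file names are hypothetical; lists hold one candidate per line (rather than space-delimited, so a password may contain spaces); the commands named in `RECOVER_CMDS` are executables or shell functions, because aliases are not expanded inside scripts.

```shell
# Added example: quoting-safe wordlist loop (not the original bruteforce script).
# Assumptions: one candidate per line; RECOVER_CMDS names executables or shell
# functions (aliases are not expanded in scripts).
RECOVER_CMDS=${RECOVER_CMDS:-"wallet-recover wallet-recover-old"}
CR=$(printf '\r')   # stripped from line ends: the lists are edited on the host PC

# try_pairs USERS_FILE PASS_FILE WALLET_FILE
# Prints "user<TAB>password<TAB>command" for the first pair that a command
# accepts and returns 0; returns 1 when nothing matched.
try_pairs() {
    tp_users=$1 tp_passes=$2 tp_wallet=$3
    while IFS= read -r tp_user || [ -n "$tp_user" ]; do
        tp_user=${tp_user%"$CR"}
        [ -n "$tp_user" ] || continue
        while IFS= read -r tp_pass || [ -n "$tp_pass" ]; do
            tp_pass=${tp_pass%"$CR"}
            [ -n "$tp_pass" ] || continue
            # Command names are split on spaces on purpose; candidates are not.
            for tp_cmd in $RECOVER_CMDS; do
                # Double quotes keep spaces, quotes, $ and backticks literal.
                # stdin is /dev/null so the tool cannot eat the wordlist.
                if "$tp_cmd" -name "$tp_user" -pass "$tp_pass" \
                        -wallet "$tp_wallet" >/dev/null 2>&1 </dev/null; then
                    printf '%s\t%s\t%s\n' "$tp_user" "$tp_pass" "$tp_cmd"
                    return 0
                fi
            done
        done < "$tp_passes"
    done < "$tp_users"
    return 1
}
```

Source the file inside the VM and call `try_pairs users.txt passwords.txt ripple-wallet.txt`, with the two wordlist names replaced by whatever your files are called.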