v0.3.3-2025-02-04

README.md

@@ -17,6 +17,7 @@ _**This toolset is proudly the first publicly released Phantom Vault Extractor a
 - Mac: `Library>Application Support>Google>Chrome>Default>Local Extension Settings>bfnaelmomeimhlpmgjnjophhpkkoljpa`
 - Windows: `C:\Users\$USER\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\`
 ### Extractor usage example on test vault: (plaintext is `password`)
+* Old pbkdf2 KDF
 ```
 ./phantom_extractor.bin bfnaelmomeimhlpmgjnjophhpkkoljpa/
  ----------------------------------------------------- 
@@ -29,6 +30,25 @@ _**This toolset is proudly the first publicly released Phantom Vault Extractor a
 |          hashcat -m 30010 hash (pbkdf2 kdf)         |
  ----------------------------------------------------- 
 $phantom$SU9HoVMjb1ieOEv18nz3FQ==$7H29InVRWVbHS4WcBJdTay0ONb4mLX9Q$g0vJAbflhH4jJJDvuv7Ar5THgzBmJ8tt6oajsQZd/dSXNNjcY5/0eGeF5c1NW1WU
+ ----------------------------------------------------- 
+|          hashcat -m 26651 hash (pbkdf2 kdf)         |
+ ----------------------------------------------------- 
+PHANTOM:10000:SU9HoVMjb1ieOEv18nz3FQ==:7H29InVRWVbHS4WcBJdTay0ONb4mLX9Q:g0vJAbflhH4jJJDvuv7Ar5THgzBmJ8tt6oajsQZd/dSXNNjcY5/0eGeF5c1NW1WU
+```
+* New scrypt KDF
+```
+./phantom_extractor.bin bfnaelmomeimhlpmgjnjophhpkkoljpa/
+ ----------------------------------------------------- 
+|        Cyclone's Phantom Vault Hash Extractor       |
+|        Use Phantom Vault Decryptor to decrypt       |
+|    https://github.com/cyclone-github/phantom_pwn    |
+ ----------------------------------------------------- 
+{"encryptedKey":{"digest":"sha256","encrypted":"37fJoKsB9vwnKEzPgc2AHtYVsPTTzrXdTGacbgWxLxbiS7Ri3P3iNnf8csaKwJ4wpk","iterations":10000,"kdf":"scrypt","nonce":"49aomus4HiKLyg7F66pSinR4tpuUuJDHX","salt":"M1PMFn4p4gdCxZDzf8qX71"},"version":1}
+ ----------------------------------------------------- 
+|          hashcat -m 26650 hash (scrypt kdf)         |
+ ----------------------------------------------------- 
+PHANTOM:4096:8:1:ogSL4J4xP/wNbAjiA8Q4hA==:Iofs3VYyyaYFzHVkcMsnpkrjGQ2+Kni2:OacHaTJAM8dD7XJIj5bGMU3cM8QW3u92n+ngYjXsgRSR20FDnkMLQHTgPxJDefOx
+
 ```
 ### Decryptor usage example:
 ```

phantom_extractor/phantom_extractor.go

@@ -39,8 +39,8 @@ v0.3.1-2024-06-23-1145;
 	added raw db support for reading corrupt or non-standard leveldb files
 v0.3.2-2024-11-30-1415;
 	updated help info for Chrome extensions on Linux, Mac and Windows
-v0.3.3-2025-02-03;
-	added support for printing hashcat -m 30010 hash
+v0.3.3-2025-02-04;
+	added support for hashcat modes 30010, 26650, 26651
 */
 
 // clear screen function
@@ -59,7 +59,7 @@ func clearScreen() {
 
 // version func
 func versionFunc() {
-	fmt.Fprintln(os.Stderr, "Cyclone's Phantom Vault Extractor v0.3.3-2025-02-03\nhttps://github.com/cyclone-github/phantom_pwn\n")
+	fmt.Fprintln(os.Stderr, "Cyclone's Phantom Vault Extractor v0.3.3-2025-02-04\nhttps://github.com/cyclone-github/phantom_pwn\n")
 }
 
 // help func
@@ -168,61 +168,6 @@ func detectVersion(data []byte) int {
 	return -1 // unknown version
 }
 
-// main
-func main() {
-	cycloneFlag := flag.Bool("cyclone", false, "")
-	versionFlag := flag.Bool("version", false, "Program version")
-	helpFlag := flag.Bool("help", false, "Program usage instructions")
-	flag.Parse()
-
-	clearScreen()
-
-	// run sanity checks for special flags
-	if *versionFlag {
-		versionFunc()
-		os.Exit(0)
-	}
-	if *cycloneFlag {
-		line := "Q29kZWQgYnkgY3ljbG9uZSA7KQo="
-		str, _ := base64.StdEncoding.DecodeString(line)
-		fmt.Println(string(str))
-		os.Exit(0)
-	}
-	if *helpFlag {
-		helpFunc()
-		os.Exit(0)
-	}
-
-	ldbDir := flag.Arg(0)
-	if ldbDir == "" {
-		fmt.Fprintln(os.Stderr, "Error: Phantom vault directory is required")
-		helpFunc()
-		os.Exit(1)
-	}
-
-	printWelcomeScreen()
-
-	db, err := leveldb.OpenFile(ldbDir, nil)
-	if err != nil {
-		fmt.Fprintln(os.Stderr, "Error opening Vault:", err)
-		fmt.Println("Attempting to dump raw .ldb files...")
-		err = dumpRawLDBFiles(ldbDir)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Failed to dump raw .ldb files: %v\n", err)
-			os.Exit(1)
-		}
-		os.Exit(0)
-	}
-	defer db.Close()
-
-	iter := db.NewIterator(nil, nil)
-	defer iter.Release()
-	for iter.Next() {
-		value := iter.Value()
-		processLevelDB(value)
-	}
-}
-
 func dumpRawLDBFiles(dirPath string) error {
 	return filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -283,15 +228,8 @@ func filterPrintableBytes(data []byte) []byte {
 	return []byte(string(printable))
 }
 
-// print hashcat -m 30010 hash (only for pbkdf2 KDF)
+// print hashcat modes 30010, 26650, 26651
 func printHashcatHash(vault Vault_1) {
-	// only print if kdf is pbkdf2
-	if strings.ToLower(vault.EncryptedKey.Kdf) != "pbkdf2" {
-		fmt.Println(" ----------------------------------------------------- ")
-		fmt.Println("|         hashcat scrypt kdf not supported yet        |")
-		fmt.Println(" ----------------------------------------------------- ")
-		return
-	}
 
 	saltDecoded := base58.Decode(vault.EncryptedKey.Salt)
 	nonceDecoded := base58.Decode(vault.EncryptedKey.Nonce)
@@ -301,11 +239,85 @@ func printHashcatHash(vault Vault_1) {
 	nonceB64 := base64.StdEncoding.EncodeToString(nonceDecoded)
 	encryptedB64 := base64.StdEncoding.EncodeToString(encryptedDecoded)
 
-	fmt.Println(" ----------------------------------------------------- ")
-	fmt.Println("|          hashcat -m 30010 hash (pbkdf2 kdf)         |")
-	fmt.Println(" ----------------------------------------------------- ")
-	// $phantom$<salt_b64>$<nonce_b64>$<encrypted_b64>
-	fmt.Printf("$phantom$%s$%s$%s\n", saltB64, nonceB64, encryptedB64)
+	// scrypt KDF
+	if strings.ToLower(vault.EncryptedKey.Kdf) == "scrypt" {
+		fmt.Println(" ----------------------------------------------------- ")
+		fmt.Println("|          hashcat -m 26650 hash (scrypt kdf)         |")
+		fmt.Println(" ----------------------------------------------------- ")
+		// PHANTOM:4096:8:1:<salt_b64>:<nonce_b64>:<encrypted_b64>
+		fmt.Printf("PHANTOM:4096:8:1:%s:%s:%s\n", saltB64, nonceB64, encryptedB64)
+		return
+	}
+
+	// pbkdf2 KDF
+	if strings.ToLower(vault.EncryptedKey.Kdf) == "pbkdf2" {
+		fmt.Println(" ----------------------------------------------------- ")
+		fmt.Println("|          hashcat -m 30010 hash (pbkdf2 kdf)         |")
+		fmt.Println(" ----------------------------------------------------- ")
+		// $phantom$<salt_b64>$<nonce_b64>$<encrypted_b64>
+		fmt.Printf("$phantom$%s$%s$%s\n", saltB64, nonceB64, encryptedB64)
+
+		fmt.Println(" ----------------------------------------------------- ")
+		fmt.Println("|          hashcat -m 26651 hash (pbkdf2 kdf)         |")
+		fmt.Println(" ----------------------------------------------------- ")
+		// PHANTOM:10000:<salt_b64>:<nonce_b64>:<encrypted_b64>
+		fmt.Printf("PHANTOM:10000:%s:%s:%s\n", saltB64, nonceB64, encryptedB64)
+	}
+}
+
+// main
+func main() {
+	cycloneFlag := flag.Bool("cyclone", false, "")
+	versionFlag := flag.Bool("version", false, "Program version")
+	helpFlag := flag.Bool("help", false, "Program usage instructions")
+	flag.Parse()
+
+	clearScreen()
+
+	// run sanity checks for special flags
+	if *versionFlag {
+		versionFunc()
+		os.Exit(0)
+	}
+	if *cycloneFlag {
+		line := "Q29kZWQgYnkgY3ljbG9uZSA7KQo="
+		str, _ := base64.StdEncoding.DecodeString(line)
+		fmt.Println(string(str))
+		os.Exit(0)
+	}
+	if *helpFlag {
+		helpFunc()
+		os.Exit(0)
+	}
+
+	ldbDir := flag.Arg(0)
+	if ldbDir == "" {
+		fmt.Fprintln(os.Stderr, "Error: Phantom vault directory is required")
+		helpFunc()
+		os.Exit(1)
+	}
+
+	printWelcomeScreen()
+
+	db, err := leveldb.OpenFile(ldbDir, nil)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "Error opening Vault:", err)
+		fmt.Println("Attempting to dump raw .ldb files...")
+		err = dumpRawLDBFiles(ldbDir)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to dump raw .ldb files: %v\n", err)
+			os.Exit(1)
+		}
+		os.Exit(0)
+	}
+	defer db.Close()
+
+	iter := db.NewIterator(nil, nil)
+	defer iter.Release()
+	for iter.Next() {
+		value := iter.Value()
+		processLevelDB(value)
+	}
 }
 
 // end code