diff --git a/README.md b/README.md
index 14465bb..0580af8 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ _**This toolset is proudly the first publicly released Phantom Vault Extractor a
 - Mac: `Library>Application Support>Google>Chrome>Default>Local Extension Settings>bfnaelmomeimhlpmgjnjophhpkkoljpa`
 - Windows: `C:\Users\$USER\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\`
 ### Extractor usage example on test vault: (plaintext is `password`)
+* Old pbkdf2 KDF
 ```
 ./phantom_extractor.bin bfnaelmomeimhlpmgjnjophhpkkoljpa/
 -----------------------------------------------------
@@ -29,6 +30,25 @@ _**This toolset is proudly the first publicly released Phantom Vault Extractor a
 | hashcat -m 30010 hash (pbkdf2 kdf) |
 -----------------------------------------------------
 $phantom$SU9HoVMjb1ieOEv18nz3FQ==$7H29InVRWVbHS4WcBJdTay0ONb4mLX9Q$g0vJAbflhH4jJJDvuv7Ar5THgzBmJ8tt6oajsQZd/dSXNNjcY5/0eGeF5c1NW1WU
+ -----------------------------------------------------
+| hashcat -m 26651 hash (pbkdf2 kdf) |
+ -----------------------------------------------------
+PHANTOM:10000:SU9HoVMjb1ieOEv18nz3FQ==:7H29InVRWVbHS4WcBJdTay0ONb4mLX9Q:g0vJAbflhH4jJJDvuv7Ar5THgzBmJ8tt6oajsQZd/dSXNNjcY5/0eGeF5c1NW1WU
+```
+* New scrypt KDF
+```
+./phantom_extractor.bin bfnaelmomeimhlpmgjnjophhpkkoljpa/
+ -----------------------------------------------------
+| Cyclone's Phantom Vault Hash Extractor |
+| Use Phantom Vault Decryptor to decrypt |
+| https://github.com/cyclone-github/phantom_pwn |
+ -----------------------------------------------------
+{"encryptedKey":{"digest":"sha256","encrypted":"37fJoKsB9vwnKEzPgc2AHtYVsPTTzrXdTGacbgWxLxbiS7Ri3P3iNnf8csaKwJ4wpk","iterations":10000,"kdf":"scrypt","nonce":"49aomus4HiKLyg7F66pSinR4tpuUuJDHX","salt":"M1PMFn4p4gdCxZDzf8qX71"},"version":1}
+ -----------------------------------------------------
+| hashcat -m 26650 hash (scrypt kdf) |
+ -----------------------------------------------------
+PHANTOM:4096:8:1:ogSL4J4xP/wNbAjiA8Q4hA==:Iofs3VYyyaYFzHVkcMsnpkrjGQ2+Kni2:OacHaTJAM8dD7XJIj5bGMU3cM8QW3u92n+ngYjXsgRSR20FDnkMLQHTgPxJDefOx
+
 ```
 ### Decryptor usage example:
 ```
diff --git a/phantom_extractor/phantom_extractor.go b/phantom_extractor/phantom_extractor.go
index 17964c5..2cb7a25 100644
--- a/phantom_extractor/phantom_extractor.go
+++ b/phantom_extractor/phantom_extractor.go
@@ -39,8 +39,8 @@ v0.3.1-2024-06-23-1145;
 added raw db support for reading corrupt or non-standard leveldb files
 v0.3.2-2024-11-30-1415;
 updated help info for Chrome extensions on Linux, Mac and Windows
-v0.3.3-2025-02-03;
- added support for printing hashcat -m 30010 hash
+v0.3.3-2025-02-04;
+ added support for hashcat modes 30010, 26650, 26651
 */
 // clear screen function
@@ -59,7 +59,7 @@ func clearScreen() {
 // version func
 func versionFunc() {
- fmt.Fprintln(os.Stderr, "Cyclone's Phantom Vault Extractor v0.3.3-2025-02-03\nhttps://github.com/cyclone-github/phantom_pwn\n")
+ fmt.Fprintln(os.Stderr, "Cyclone's Phantom Vault Extractor v0.3.3-2025-02-04\nhttps://github.com/cyclone-github/phantom_pwn\n")
 }
 // help func
@@ -168,61 +168,6 @@ func detectVersion(data []byte) int {
 return -1 // unknown version
 }
-// main
-func main() {
- cycloneFlag := flag.Bool("cyclone", false, "")
- versionFlag := flag.Bool("version", false, "Program version")
- helpFlag := flag.Bool("help", false, "Program usage instructions")
- flag.Parse()
-
- clearScreen()
-
- // run sanity checks for special flags
- if *versionFlag {
- versionFunc()
- os.Exit(0)
- }
- if *cycloneFlag {
- line := "Q29kZWQgYnkgY3ljbG9uZSA7KQo="
- str, _ := base64.StdEncoding.DecodeString(line)
- fmt.Println(string(str))
- os.Exit(0)
- }
- if *helpFlag {
- helpFunc()
- os.Exit(0)
- }
-
- ldbDir := flag.Arg(0)
- if ldbDir == "" {
- fmt.Fprintln(os.Stderr, "Error: Phantom vault directory is required")
- helpFunc()
- os.Exit(1)
- }
-
- printWelcomeScreen()
-
- db, err := leveldb.OpenFile(ldbDir, nil)
- if err != nil {
- fmt.Fprintln(os.Stderr, "Error opening Vault:", err)
- fmt.Println("Attempting to dump raw .ldb files...")
- err = dumpRawLDBFiles(ldbDir)
- if err != nil {
- fmt.Fprintf(os.Stderr, "Failed to dump raw .ldb files: %v\n", err)
- os.Exit(1)
- }
- os.Exit(0)
- }
- defer db.Close()
-
- iter := db.NewIterator(nil, nil)
- defer iter.Release()
- for iter.Next() {
- value := iter.Value()
- processLevelDB(value)
- }
-}
-
 func dumpRawLDBFiles(dirPath string) error {
 return filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
 if err != nil {
@@ -283,15 +228,8 @@ func filterPrintableBytes(data []byte) []byte {
 return []byte(string(printable))
 }
-// print hashcat -m 30010 hash (only for pbkdf2 KDF)
+// print hashcat modes 30010, 26650, 26651
 func printHashcatHash(vault Vault_1) {
- // only print if kdf is pbkdf2
- if strings.ToLower(vault.EncryptedKey.Kdf) != "pbkdf2" {
- fmt.Println(" ----------------------------------------------------- ")
- fmt.Println("| hashcat scrypt kdf not supported yet |")
- fmt.Println(" ----------------------------------------------------- ")
- return
- }
 saltDecoded := base58.Decode(vault.EncryptedKey.Salt)
 nonceDecoded := base58.Decode(vault.EncryptedKey.Nonce)
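Review bot: The replacement comment above `printHashcatHash` names three mode numbers but not which KDF each one is printed for, and it does not open with the function name as Go doc comments conventionally do. A wording such as `// printHashcatHash prints the hashcat line(s) for the vault's KDF: -m 26650 for scrypt, -m 30010 and -m 26651 for pbkdf2.` would record the mapping implemented in the following hunk. With the early return gone, the `base58.Decode` calls at the end of this hunk now run for every vault before the KDF is examined; the function body continues past the hunk.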
@@ -301,11 +239,85 @@ func printHashcatHash(vault Vault_1) {
 nonceB64 := base64.StdEncoding.EncodeToString(nonceDecoded)
 encryptedB64 := base64.StdEncoding.EncodeToString(encryptedDecoded)
- fmt.Println(" ----------------------------------------------------- ")
- fmt.Println("| hashcat -m 30010 hash (pbkdf2 kdf) |")
- fmt.Println(" ----------------------------------------------------- ")
- // $phantom$$$
- fmt.Printf("$phantom$%s$%s$%s\n", saltB64, nonceB64, encryptedB64)
+ // scrypt KDF
+ if strings.ToLower(vault.EncryptedKey.Kdf) == "scrypt" {
+ fmt.Println(" ----------------------------------------------------- ")
+ fmt.Println("| hashcat -m 26650 hash (scrypt kdf) |")
+ fmt.Println(" ----------------------------------------------------- ")
+ // PHANTOM:4096:8:1:::
+ fmt.Printf("PHANTOM:4096:8:1:%s:%s:%s\n", saltB64, nonceB64, encryptedB64)
+ return
+ }
+
+ // pbkdf2 KDF
+ if strings.ToLower(vault.EncryptedKey.Kdf) == "pbkdf2" {
+ fmt.Println(" ----------------------------------------------------- ")
+ fmt.Println("| hashcat -m 30010 hash (pbkdf2 kdf) |")
+ fmt.Println(" ----------------------------------------------------- ")
+ // $phantom$$$
+ fmt.Printf("$phantom$%s$%s$%s\n", saltB64, nonceB64, encryptedB64)
+
+ fmt.Println(" ----------------------------------------------------- ")
+ fmt.Println("| hashcat -m 26651 hash (pbkdf2 kdf) |")
+ fmt.Println(" ----------------------------------------------------- ")
+ // PHANTOM:10000:::
+ fmt.Printf("PHANTOM:10000:%s:%s:%s\n", saltB64, nonceB64, encryptedB64)
+ }
+}
+
+// main
+func main() {
+ cycloneFlag := flag.Bool("cyclone", false, "")
+ versionFlag := flag.Bool("version", false, "Program version")
+ helpFlag := flag.Bool("help", false, "Program usage instructions")
+ flag.Parse()
+
+ clearScreen()
+
+ // run sanity checks for special flags
+ if *versionFlag {
+ versionFunc()
+ os.Exit(0)
+ }
+ if *cycloneFlag {
+ line := "Q29kZWQgYnkgY3ljbG9uZSA7KQo="
+ str, _ := base64.StdEncoding.DecodeString(line)
+ fmt.Println(string(str))
+ os.Exit(0)
+ }
+ if *helpFlag {
+ helpFunc()
+ os.Exit(0)
+ }
+
+ ldbDir := flag.Arg(0)
+ if ldbDir == "" {
+ fmt.Fprintln(os.Stderr, "Error: Phantom vault directory is required")
+ helpFunc()
+ os.Exit(1)
+ }
+
+ printWelcomeScreen()
+
+ db, err := leveldb.OpenFile(ldbDir, nil)
+ if err != nil {
+ fmt.Fprintln(os.Stderr, "Error opening Vault:", err)
+ fmt.Println("Attempting to dump raw .ldb files...")
+ err = dumpRawLDBFiles(ldbDir)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Failed to dump raw .ldb files: %v\n", err)
+ os.Exit(1)
+ }
+ os.Exit(0)
+ }
+ defer db.Close()
+
+ iter := db.NewIterator(nil, nil)
+ defer iter.Release()
+ for iter.Next() {
+ value := iter.Value()
+ processLevelDB(value)
+ }
 }
 // end code
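Review bot: A vault whose `kdf` is neither `scrypt` nor `pbkdf2` now falls through both `if` blocks in `printHashcatHash` and prints nothing, where the removed guard at least reported the unsupported case. Ending the pbkdf2 block with `return` and following it with `fmt.Fprintf(os.Stderr, "unsupported kdf %q, no hashcat hash printed\n", vault.EncryptedKey.Kdf)` keeps that case visible; a single `switch strings.ToLower(vault.EncryptedKey.Kdf)` with a `default:` would also avoid lowering the string twice. The cost parameters `4096:8:1` and `10000` are literals in the format strings, so if a vault ever records different values (the README sample JSON carries an `iterations` field) the printed line would silently not match the vault; reading them from the vault, or checking them against the literals, seems safer. The function starts before this hunk, and the `main` added below it appears to be the block removed at `-168,61`, moved unchanged.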