good
thanks for your support, two left. -Will
Topic: NXT Password Recovery Tool! / NXT mining rig ( :) ) (Read 4751 times)
Ok, I can send this out to 3 more people (7 have gone out) . I've caught some guff from folks about users using this to steal money. (I hope that isn't happening)
I've sent 5 out (for all the people that just sent messages please read the post above, much easier than managing the various messages I"m getting).
Also good feedback:
ano nybuffer
5:22 PM (2 hours ago)
to me
hey
hey , its pretty sweet!
thank you much.
Also good feedback:
ano nybuffer
5:22 PM (2 hours ago)
to me
hey
hey , its pretty sweet!
thank you much.
Arg, somebody requested video of the tool running. I've supplied a tiny dictionary file pulled from some random site, used the api to confirm that that they are vacant accounts (don't want to screw anyone over) and threw in a cgi script that updates accounts at: http://192.168.0.4/cgi/test.cgi (This will actually update very slowly, and I really hope nobody adds NXT to them! ) <- *edit took down
I've got 6 spots left and I'm closing this up. To expedite this, just send ~500 NXT (.1 bc) (email [email protected] the amount, make it unique so I know who you are) to the account listed in the initial post and I'll email the tool and API balance checker.
(additionally, the top donator has the option for one hell of an app given the others)
-Will
NXT: 10529688047532253405
BTC: 15LjXMdKZ9jnH8TDMxntQkvh1838oitoQU
I've got 6 spots left and I'm closing this up. To expedite this, just send ~500 NXT (.1 bc) (email [email protected] the amount, make it unique so I know who you are) to the account listed in the initial post and I'll email the tool and API balance checker.
(additionally, the top donator has the option for one hell of an app given the others)
-Will
NXT: 10529688047532253405
BTC: 15LjXMdKZ9jnH8TDMxntQkvh1838oitoQU
Are u running this against an offline blockchain ?
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
How is that? As long as he does not transfer money FROM that account, no account is created.
Hmmm...the way I understand it (and I'm not saying that I've got a perfect understanding of NXT account security) is that an account is created with a 64 bit hash the first time a particular pass phrase is submitted to the NXT client and thus to the network/blockchain.
No. Only transactions create accounts.
Are u running this against an offline blockchain ?
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
How is that? As long as he does not transfer money FROM that account, no account is created.
Hmmm...the way I understand it (and I'm not saying that I've got a perfect understanding of NXT account security) is that an account is created with a 64 bit hash the first time a particular pass phrase is submitted to the NXT client and thus to the network/blockchain.
U can then transfer NXT into this account, but the full 256 bit hash is only created when u first transfer funds (even if it is only 1 NXT) out of the account, which is recommended for any account holding funds.
64 bit encryption is a lot easier to crack, obviously, which is why (supposedly) BCNext chose this mechanism to allow recovery of "lost" NXT in the future, ie NXT sent by mistake to an account with no set passphrase.
Have a look in the mega-thread, there is (somewhere) lots of info about this issue.
https://bitcointalksearch.org/topic/nxt-descendant-of-bitcoin-updated-information-345619
...
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
This one not working
- https://github.com/Hatswitch/cirripede/tree/master/curve25519-python
?
There are minor variations is the different implementations. The 64-bit integer implementation of Curve25519 in Java (ported from C) just worked for me out of the box.
Could you elaborate? (bold part)
Moreover: Does your tool support GPUs for recovery (e.g. uses jCuda)? what about the performance, any specifics?
thanks
I'm certainly no expert in the different implmentations but a quick google search shows:
Implementation Platform Author 32-bit speed 64-bit speed Constant time
curve25519 x86 32-bit djb 265µs N/A yes
curve25519-donna-c64 64-bit C agl N/A 215µs yes
curve25591-donna Portable C agl 2179µs 610µs yes
My tool does not support GPU's (my expectation though is that it would be used with pre-defined wordlists and not random permutations. ) I don't have any metrics on number of hashes a second or anything like that. (it's the exact same implementation built into the NXT protocol)
I did rent one of Amazons EC2's supercomputer for a day ($60 bucks). I can say that was blazingly fast compared to my laptop.
ok, so https://github.com/Hatswitch/cirripede/tree/master/curve25519-python could be working.
ok, so same code as good old vanitygen from jlp, with added wordlist and scan blockchain/transactions functionality.
thanks for answering
...
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
This one not working
- https://github.com/Hatswitch/cirripede/tree/master/curve25519-python
?
There are minor variations is the different implementations. The 64-bit integer implementation of Curve25519 in Java (ported from C) just worked for me out of the box.
Could you elaborate? (bold part)
Moreover: Does your tool support GPUs for recovery (e.g. uses jCuda)? what about the performance, any specifics?
thanks
I'm certainly no expert in the different implmentations but a quick google search shows:
Implementation Platform Author 32-bit speed 64-bit speed Constant time
curve25519 x86 32-bit djb 265µs N/A yes
curve25519-donna-c64 64-bit C agl N/A 215µs yes
curve25591-donna Portable C agl 2179µs 610µs yes
My tool does not support GPU's (my expectation though is that it would be used with pre-defined wordlists and not random permutations. ) I don't have any metrics on number of hashes a second or anything like that. (it's the exact same implementation built into the NXT protocol)
I did rent one of Amazons EC2's supercomputer 'cc2.8xlarge' for a day ($60 bucks). I can say that was blazingly fast compared to my laptop.
...
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
This one not working
- https://github.com/Hatswitch/cirripede/tree/master/curve25519-python
?
There are minor variations is the different implementations. The 64-bit integer implementation of Curve25519 in Java (ported from C) just worked for me out of the box.
Could you elaborate? (bold part)
Moreover: Does your tool support GPUs for recovery (e.g. uses jCuda)? what about the performance, any specifics?
thanks
...
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
This one not working
- https://github.com/Hatswitch/cirripede/tree/master/curve25519-python
?
There are minor variations is the different implementations. The 64-bit integer implementation of Curve25519 in Java (ported from C) just worked for me out of the box.
Are u running this against an offline blockchain ?
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
I just have it scan the blockchain for all transactions and account numbers. (all offline following that)
...
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
This one not working
- https://github.com/Hatswitch/cirripede/tree/master/curve25519-python
?
Are u running this against an offline blockchain ?
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
How is that? As long as he does not transfer money FROM that account, no account is created.
Are u running this against an offline blockchain ?
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
(I'm now down to 7)
You just opened a Pandora's Box ...
Perhaps Nxt can actually be "mined", after all.
Perhaps Nxt can actually be "mined", after all.
It's a "feature".
Quote
What you fail to understand is that in order to brute force an unsecured account requires not only SHA asics, but also curve ASICS, which there are none of now. but like as has been stated many times for you already here, this is intentional; to allow 'mining' of lost NXT in the future.
https://bitcointalksearch.org/topic/m.4785565Nxt passwords are supposed to be at least 30 random uppercase/lowercase/number characters, why the client simply doesn't generate these itself and then save them in a wallet.dat is beyond me.
I'm not going to pay for this kind of ( more elaborate) software, but I'm sooo tempted to make a python scrypt and dictionary attack this crap, just to see how many accounts I can find with non-zero balance.
I wanted to go the python route (love Python!) but ran into some issues finding the two types of encryption in Python libraries. You'll have to let me know if you get it figured out. (I think SHA256 was actually available to some extent but not Curve)
You just opened a Pandora's Box ...
Perhaps Nxt can actually be "mined", after all.
Perhaps Nxt can actually be "mined", after all.
It's a "feature".
Quote
What you fail to understand is that in order to brute force an unsecured account requires not only SHA asics, but also curve ASICS, which there are none of now. but like as has been stated many times for you already here, this is intentional; to allow 'mining' of lost NXT in the future.
https://bitcointalksearch.org/topic/m.4785565Nxt passwords are supposed to be at least 30 random uppercase/lowercase/number characters, why the client simply doesn't generate these itself and then save them in a wallet.dat is beyond me.
I'm not going to pay for this kind of ( more elaborate) software, but I'm sooo tempted to make a python scrypt and dictionary attack this crap, just to see how many accounts I can find with non-zero balance.
That's a good method to "mined" nxt.When yon mine any coin, must be exciting
You just opened a Pandora's Box ...
Perhaps Nxt can actually be "mined", after all.
Perhaps Nxt can actually be "mined", after all.
It's a "feature".
Quote
What you fail to understand is that in order to brute force an unsecured account requires not only SHA asics, but also curve ASICS, which there are none of now. but like as has been stated many times for you already here, this is intentional; to allow 'mining' of lost NXT in the future.
https://bitcointalksearch.org/topic/m.4785565Nxt passwords are supposed to be at least 30 random uppercase/lowercase/number characters, why the client simply doesn't generate these itself and then save them in a wallet.dat is beyond me.
I've updated the subject of the email based on this post. It's an interesting possibility.
You just opened a Pandora's Box ...
Perhaps Nxt can actually be "mined", after all.
Perhaps Nxt can actually be "mined", after all.
It's a "feature".
Quote
What you fail to understand is that in order to brute force an unsecured account requires not only SHA asics, but also curve ASICS, which there are none of now. but like as has been stated many times for you already here, this is intentional; to allow 'mining' of lost NXT in the future.
https://bitcointalksearch.org/topic/m.4785565Nxt passwords are supposed to be at least 30 random uppercase/lowercase/number characters, why the client simply doesn't generate these itself and then save them in a wallet.dat is beyond me.
Jump to: