EtherBlob Explorer is a tool intended for researchers, analysts, CTF players or anyone curious enough to search for different kinds of files or any other meaningful human-supplied data on the Ethereum blockchain network. It searches over a user-supplied range of block IDs or UNIX timestamps on any of the 5 available networks: MainNet, Görli, Kovan, Rinkeby and Ropsten.
For a real-life case you can read about this experiment from 2017. The immutability of the blockchain can truly be a double-edged sword.
Installation
Run the following command:
$ pip install git+https://github.com/litneet64/etherblob-explorer.git
Now it's ready to use from your CLI; you can find some common usage examples below!
Features
Networks
Search on any of the five Ethereum networks:
- MainNet (main)
- Görli (goerli)
- Kovan
- Rinkeby
- Ropsten
Search Locations
This tool can search in the following locations, either separately or combining any of them in the same run:
- transaction inputs (default)
- block inputs
- 'to' transaction addresses [*]
- contracts' storage
[*] Storing data in 'to' addresses is possible on the Ethereum network because there's no verification when sending to an address that has no associated account keys. This means anyone can make transactions to arbitrary addresses and craft a payload over several 20-byte transactions (it's very rare, but so are some CTF challenges).
Search and Extraction Methods
All of these methods can be used either separately or in any combination:
- embedded files (via binwalk)
- file headers / magic bytes (via file; default method)
- ASCII string dump
- entropy (UTF-8 text, encrypted/compressed data, or custom limits)
IMPORTANT: The order shown here is used under the hood for discarding searches with the other methods (e.g. if a file is found via embedded files, then it won't attempt to search using file headers, ASCII string dump nor entropy), as it's not likely to find anything meaningful if a previous method was already successful.
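The discard order above, as an added illustration in Python that is not part of etherblob's own code: a constructed classifier that checks a few magic-byte signatures first and only then falls back to the entropy bands quoted in the manual (-U: 3.5 to 5.0, --encrypted: 7.0 to 8.0), run on a hex transaction input as Etherscan returns it. The signature table and the sample inputs are constructed here, not on-chain data.

```python
import math
from collections import Counter
from typing import Optional, Tuple

# Constructed subset of magic-byte signatures; the real tool delegates this to `file`/binwalk
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\x1f\x8b": "gzip compressed data",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "Zip archive",
}
# Entropy bands quoted in the manual: -U (UTF-8 text) and --encrypted; -E overrides them
UNICODE_BAND = (3.5, 5.0)
ENCRYPTED_BAND = (7.0, 8.0)


def decode_tx_input(hex_input: str) -> bytes:
    """Turn an Etherscan-style '0x...' input field into raw bytes ('0x' alone gives b'')."""
    hex_str = hex_input[2:] if hex_input.lower().startswith("0x") else hex_input
    return bytes.fromhex(hex_str)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes,
             unicode_band: Tuple[float, float] = UNICODE_BAND,
             encrypted_band: Tuple[float, float] = ENCRYPTED_BAND) -> Optional[str]:
    """Mirror the discard order: a header hit wins; entropy fallbacks run only when nothing was found."""
    for magic, name in MAGIC_BYTES.items():
        if data.startswith(magic):
            return name
    h = shannon_entropy(data)
    if encrypted_band[0] <= h <= encrypted_band[1]:
        return "encrypted/compressed data"
    if unicode_band[0] <= h <= unicode_band[1]:
        try:
            data.decode("utf-8")
            return "UTF-8 text"
        except UnicodeDecodeError:
            return None  # right entropy but not valid text: a false positive the band alone would admit
    return None  # nothing discernible; the tool would move on to the next piece of data


if __name__ == "__main__":  # constructed samples, not real on-chain data
    png_input = "0x89504e470d0a1a0a0000000d49484452"
    print(classify(decode_tx_input(png_input)), classify(bytes(range(256))))
```

Low-entropy padding such as a run of zero bytes falls through every band and is reported as nothing, which is the behaviour that keeps the default search quiet on ordinary transactions.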
Misc
More options are available (check the Manual below or run etherblob -h)!
Usage
Common use cases
Standard search (search inside transactions via file headers) on MainNet with the API key in the default location (.api-key) and between these two block IDs (inclusive):
$ etherblob 4081599 4081600
More thorough search (search for embedded files + the regular search method) on the goerli network, with the key inside an arbitrary file:
$ etherblob -K api.key 3134050 3145570 -M -H --network goerli
Search over block headers and transactions at the same time and save extracted files to ‘extracted’:
$ etherblob 4081599 4081600 --blocks --transactions -D extracted/
Search only inside 'to' addresses in the range of blocks committed between Jan 25 2021 19:00:00 and Jan 26 2021 19:00:00:
$ etherblob -t 1611601200 1611687600 --addresses
Search strings only on contracts’ storage and for the first 4 storage array positions (128 bytes worth of data):
$ etherblob 3911697 3912697 -S –contracts -C 4
Search only inside transactions for encrypted/compressed data (ignoring any other file format):
$ etherblob 4081599 4081600 --encrypted
Search inside transactions for files within a custom entropy range while saving the transactions into a file:
$ etherblob 3911697 3912697 -E 4.0 5.0 -s
Only dump ASCII strings over blocks and transactions made on Christmas Eve (between the 24th and 25th):
$ etherblob -t 1608836400 1608922800 --blocks --transactions --strings
Full-blown search (slow, expect many false-positives):
$ etherblob 4081599 4081600 -U -S -M -H --blocks --transactions --addresses --contracts
Advanced Use Cases
There are more explanations of advanced use cases, and of the things found with them, on the wiki!
Manual
usage: etherblob [-h] [--transactions] [--blocks] [--addresses] [--contracts]
                 [--network {main,goerli,kovan,rinkeby,ropsten}] [-H] [-M] [-U] [-E CUSTOM_ENTROPY CUSTOM_ENTROPY]
                 [--encrypted] [-S] [-C CONTRACT_POSITION] [-t] [-K API_KEY_PATH] [-k API_KEY] [-D OUTPUT_DIR]
                 [-o OUT_LOG] [-s] [-i [IGNORED_FMT [IGNORED_FMT ...]]] [--version]
                 start_block end_block

Tool to search and extract blob files on the Ethereum Network.

positional arguments:
  start_block           Start of block id range.
  end_block             End of block id range.

optional arguments:
  -h, --help            show this help message and exit
  --transactions        Search for blob files on transaction inputs. Default search mode.
  --blocks              Search for blob files on block inputs. If enabled then transaction input check is disabled unless
                        explicitly enabled.
  --addresses           Search for blob files on 'to' transaction addresses, as on Ethereum anyone can make transactions
                        to an arbitrary address even if it has no related owner (still not very common). If enabled then
                        transaction's input check is disabled unless explicitly enabled.
  --contracts           Search for blob files on contract's storage. If enabled then transaction input check is disabled
                        unless explicitly enabled.
  --network {main,goerli,kovan,rinkeby,ropsten}, -N {main,goerli,kovan,rinkeby,ropsten}
                        Choose blockchain network to search in. Available choices are Main, Goerli (Görli), Kovan, Rinkeby
                        and Ropsten. MainNet is the default network. Case-insensitive.
  -H, --file-header     If enabled, search for file formats via magic bytes/file headers on data (from blocks,
                        transactions or addresses). Enabled by default unless another method is enabled too.
  -M, --embedded        If enabled, search for embedded files on data (from blocks, transactions or addresses) via
                        binwalk. Disabled by default as parsing now takes longer.
  -U, --unicode         If enabled, attempt to search and dump files containing UTF-8 text from harvested data (blocks,
                        transactions, addresses) using Shannon's Entropy (between 3.5 and 5.0) if no other discernible
                        file is found first on that data. Yields many false positives.
  -E CUSTOM_ENTROPY CUSTOM_ENTROPY, --custom-entropy CUSTOM_ENTROPY CUSTOM_ENTROPY
                        Define your own entropy limits (min and max) to search for files/data on harvested data.
  --encrypted           If enabled, attempt to search and dump encrypted/compressed data found via different search
                        methods (blocks, transactions, addresses) using Shannon's Entropy (between 7.0 and 8.0) if no
                        other discernible file is found first on that data.
  -S, --strings         If enabled, attempt to search and dump ASCII strings into files found inside harvested data
                        (blocks, transactions, addresses) if no other discernible file is found first on that data.
  -C CONTRACT_POSITION, --contract-position CONTRACT_POSITION
                        Search inside contract's data until reaching the (N-1)th position on its storage array. Positions
                        contain 32 bytes worth of data. Count starts at 0 and default pos is the 15th pos (16 indexes in
                        total) if no custom position is given.
  -t, --timestamps      If enabled, then start and end block IDs are interpreted as UNIX timestamps that are then resolved
                        to the closest commited blocks for those specific times.
  -K API_KEY_PATH, --api-key-path API_KEY_PATH
                        Path to file with Etherscan API key for queries. Default search location is '.api-key'.
  -k API_KEY, --api-key API_KEY
                        Etherscan API key as parameter. If given then '--api-key-path' is ignored.
  -D OUTPUT_DIR, --output-dir OUTPUT_DIR
                        Out-dir for extracted files. Default is 'ext_{start block}-{end block}'.
  -o OUT_LOG, --out-log OUT_LOG
                        Out-file for logs. Default is 'etherblob_{start block}-{end block}.log'.
  -s, --save-transactions
                        If enabled, all transactions and their info are stored at file 'transactions_{start-block}-{end-
                        block}.txt'
  -i [IGNORED_FMT [IGNORED_FMT ...]], --ignored-fmt [IGNORED_FMT [IGNORED_FMT ...]]
                        Ignored file formats for extraction. Default ignored/common file formats are 'ISO-8859 text' and
                        'Non-ISO extended-ASCII text'. The 'data' file format is always ignored. Accepts file format
                        substrings and makes case-insensitive matches. '*' is a wildcard to ignore all file formats.
  --version             show program's version number and exit
Official GitHub repo: https://github.com/litneet64/etherblob-explorer