
Search for BIP39 seeds with AnuBitux

There are many reasons why we might need to scan a directory or a set of files for BIP39 seeds. Maybe we have forgotten where we stored a seed, or we are digital forensic consultants scanning third parties' hard drives. With AnuBitux we can use seedsearch.py and seedsearchpro.py to perform this task.

Seedsearch.py simply scans all the files in a directory and looks for sequences of words that could be BIP39 seeds. Seedsearchpro.py, after doing the search, also allows us to derive addresses from the found seeds and check online whether the obtained addresses had any activity, as seedcheck.py does.

Let's see how these tools work.

To run seedsearch.py we simply have to type the tool's name in our terminal followed by the -d option and the directory we want to scan, like:

seedsearch.py -d /home/anubitux/Documents

[Screenshot: seedsearch1]

The tool found four valid mnemonic seeds and also identified the language of the wordlist that has been used. Now we can consider if we want to import the seeds into a wallet client, check them using seedcheck.py, store them in a safe place, etc.
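What separates a valid mnemonic from an arbitrary run of wordlist words is the BIP39 checksum: the last ENT/32 bits of the phrase must equal the leading bits of SHA-256 over the entropy. The sketch below is an added example, not the code of seedsearch.py; it slides over a text, checks each 12- to 24-word window against that rule, and works with any 2048-word list. The names checksum_ok, find_seeds, WORDS and SAMPLE are hypothetical, and WORDS is a constructed stand-in for a real BIP39 wordlist.

```python
import hashlib
import re

VALID_LENGTHS = (24, 21, 18, 15, 12)  # BIP39 mnemonic sizes, longest first

def checksum_ok(indices):
    """BIP39 rule: trailing ENT/32 bits must equal the first bits of SHA-256(entropy)."""
    total_bits = len(indices) * 11          # each word encodes 11 bits
    cs_bits = total_bits // 33              # 4 bits for 12 words, 8 for 24
    ent_bits = total_bits - cs_bits
    value = 0
    for i in indices:
        value = (value << 11) | i
    entropy = (value >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (value & ((1 << cs_bits) - 1)) == expected

def find_seeds(text, wordlist):
    """Return every checksum-valid mnemonic found in runs of wordlist words."""
    index = {w: i for i, w in enumerate(wordlist)}
    tokens = re.findall(r"\w+", text.lower())
    found, pos = [], 0
    while pos < len(tokens):
        for n in VALID_LENGTHS:
            window = tokens[pos:pos + n]
            if len(window) < n or not all(t in index for t in window):
                continue
            if checksum_ok([index[t] for t in window]):
                found.append(" ".join(window))
                pos += n - 1                # skip past the matched phrase
                break
        pos += 1
    return found

# Constructed stand-in wordlist (assumption); real use loads a 2048-word BIP39 list.
WORDS = [f"w{i:04d}" for i in range(2048)]
# Constructed sample: all-zero 128-bit entropy encodes to eleven w0000 plus w0003.
SAMPLE = "backup note: " + " ".join(["w0000"] * 11 + ["w0003"]) + " keep safe"

if __name__ == "__main__":
    print(find_seeds(SAMPLE, WORDS))
```

Because a 12-word phrase carries only 4 checksum bits, about one in sixteen random 12-word runs passes this test, so a hit from such a scan is a candidate to review rather than proof that a wallet exists.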

Using seedsearchpro.py, we will also be able to derive the addresses related to the found mnemonic seeds for the currencies Bitcoin, Ethereum, Litecoin, Dash and ZCash and check them through APIs to find out if they were involved in any activity. It can be run with the same syntax:

seedsearchpro.py -d /home/anubitux/Documents

[Screenshot: seedsearch2]

As we can see in the picture, the tool asks us if we want to derive the addresses and check them online. Then it shows the addresses derived with many derivation paths for each mnemonic seed and tells us if there was any activity for some of them.

[Screenshot: seedsearch3]

In this case, the tool didn't find any activity or any derivation path, because we used test files containing mnemonic seeds that were never used.

The tool uses some public APIs to check the addresses, provided by blockchain.com, blockcypher.com and zcha.in. Blockcypher's APIs have strict limits that could easily be reached when doing a lot of tests. If we have a valid API key to avoid reaching this limit, we can provide it by editing line 46 of the seedsearchpro.py file.


Of course, the scan performed by the tool can't replace a manual review of each file, but it can be useful when we don't have much time or when we know that mnemonic seeds can be found in commonly readable files like DOCX, PDF, TXT, CSV, HTML, JSON, etc.

This article was updated on 15 May 2024