Skip to content

Advanced Usage

Jump to bottom
litneet64 edited this page Apr 2, 2021 · 10 revisions

Searching for blob files is not the only purpose or functionality of this tool, as the Ethereum network is a vast sea of data with endless possibilities. Below you can find some interesting usage cases found while testing this tool:

  • Search for Custom Token names:

    • etherblob {start_id} {end_id} --contracts --strings -N {testnet_name}
    • Searching for strings inside contract's data on testnets can yield some interesting results, as found on Goerli testnet, you will usually find custom token names (e.g. Test Mysterium token, HPERC721, dEthcode), or even some URLs along with the token's name (ZBC Test Net https://zoobc.io/i/BZ).

  • Search for interesting contracts being deployed / parameters to contracts:

    • etherblob {start_id} {end_id} --transactions --strings -N {testnet_name}
    • Dumping strings inside transaction's can sometimes yield the deploying of a contract (with the source code for it), where strings used inside the code will be shown as newline-separated strings on the dump file. This can sometimes yield interesting things (e.g. a warning message, more information about the inner workings and the purpose of the contract or who it belongs to) just like hermes already registered, Roles: account already has role, WhitelistAdminRole: caller does not have the WhitelistAdmin role.
    • There's the case when the dumped strings are just parameters for a smart contract. Notable examples are Add fertilizer or microsoft.com|158.69.243.155|Mozilla/5.0 (Linux 2.4.18-ltsp-1 i686; U) Opera 6.1 [en]|1600x1200|/wp-admin/admin-footer.php|GL belonging to a transaction for a contract that contained the string domains;ip_addrs;browsers;resolut;pages;countries. The following files found are the same kind of records with different browsers, ips and pages visited. Looks like someone wanted to do something more interesting with their contracts? [*]

  • Search for general sensitive data:

    • etherblob {start_id} {end_id} --transactions --contracts --strings -N {testnet_name}
    • This two search locations have proved to contain lots of interesting info, where in one ocassion I found a DockerHub image URL along with a GitHub repo with code for a side-app and data for the contract it deployed (luckily it was just inside the Goerli testnet and not actually in Main).
    • Another interesting thing found on these locations are IPFS IDs to files, links to S3 buckets or links to other proper data storage solutions.
    • Could this be a new horizon for malicious actors scraping for sensitive data just as GitHub repos contain credentials sometimes?

  • Count frequency / Get most common Ethereum mining clients for MainNet:

    • etherblob {start_id} {end_id} --blocks --strings
    • This should only retrieve the names of mining clients/pools used for the validation of blocks (e.g. eu1.ethpool.org, ethpool - US1, pool.ethfans.org, DwarfPool, 七彩神仙鱼, etc).
    • These names will be saved on individual files, so counting their frequencies should be trivial with another programming language.

[*]: If you want to check some weird HTML/data in parameters on almost every transaction made by that account, here's the address 0xcdf4e0481e796afae76a9e4c537d4b895925b0cc (on Goerli testnet).

Clone this wiki locally