Cracking Bitcoin wallet.dat password in 2 minutes!
A famous movie director once told me: “Shooting a movie is just 10% of the work, the other 90% is preparing”. That came into mind recently.
Wednesday 8.55 pm
Someone sends me a request to find the passphrase to his Bitcoin Core wallet password. I reply immediately I would be more than happy to help. There was no answer until the next day.
Thursday afternoon. 2.04 pm
I was at our summerhouse with my cat, making it back to the city after a short break when the reply dropped into my inbox. As always I replied with courtesy the needed steps etc. Including a request to send the amount and/or public address before we start, to make sure the wallet wasn’t stolen or forged (lately many of those occur)
Thursday afternoon 3.44 pm
The gentleman from New York sent the requested info. While driving the car with the rain pouring down and the cat being uncomfortable with the lightning strikes, the email was reading “can you call me now?”
I stopped the car in the middle of nowhere, booted up Skype and made the call.
The New York trader had a small Bitcoin fortune locked up since 2017 in a Bitcoin Core wallet. His first question was if I wouldn’t block his number once I opened the wallet.
“Sure I will” I thought to myself smiling, then got my senses together and answered “No, I would not, we are an incorporated US based entity, not a shady anonymous service.” I explained that while other services might be around longer, they are anonymous or simple a garage operation. We are incorporated in Delaware USA, with prominent investors and have a patent pending with the USPTO.
Having that said the guy asked if we would send over a contract and he would like me to sign and agree on terms before we start. I explained I am still in the car so we would need to continue in a few hours. I managed to send it with my phone so he could look it over while I was driving.
Thursday night 10.50pm
I arrived late home, still no contact from the guy, “Oh well, he changed his mind” I thought to myself and went to sleep. An hour later (New York is 6 hours behind me) my phone buzzed. I received an email with his signature on the contract and a request to call him. He would like me to extract the wallet from his computer as he did not know how to locate it. (Bitcoin core uses a hidden folder where it is storing the encrypted wallet)
We connected through Teamviewer and after a minute the wallet was located.
Thursday night 11:15pm
Final step, I asked for hints. They were a list of words, order which he did not know, and some misspelled. He also suggested there might be spaces between the words and or small/capital letters.
Thursday night 11:35pm. RECOVERY starts
Having those hints I quickly created a small python script that merged the hints into all kind of different combinations on my laptop. His hints were a combination of 6–8 words in a row used as the wallet passphrase. Usually I would connect to the company servers through a secure VPN but decided to try my luck on the NVIDIA boosted laptop. (An NVIDIA is a GPU that lets you crack passwords thousands or even millions time faster than using CPU during specific circumstances, like Bitcoin wallets).
Thursday night 11:36pm.
The first instance (algorithm used together with hints) created too many combinations as there were many variations including miss spelled words. It would take days to go through. Then using my intuition I minimized the variations and hit enter.
Thursday night 11:37pm. PASSWORD FOUND.
BOOM! My script found the passphrase to Bitcoin Core within two minutes after starting to code my first script.
As usually I sent him an email that we have found the passphrase and asked him where to move his share of the funds. My usual chain of action was once the wallet was opened, I would move my % of the wallet value and then the remaining to a wallet address of the clients choice. I received an address within minutes and swept the remaining funds out of the wallet.
After getting a confirmation that the wallet was emptied, I received a phone call from the guy asking if I can retract the transaction. I said “NO” since there is no such thing as reversing transactions on the blockchain.
He explained that he might have sent me the wrong address as his Coinbase account showed a different address last time he checked. I tried to calm the guy down by explaining that it was most probably a HD wallet that created a new address each time you requested funds. That is common in many wallets or services as a security option.
I said “just be cool and wait, we probably need more than 1 confirmation on the blockchain”.
He seemed to calm down a bit and we waited together for the Bitcoin Network to confirm the transaction and finally the funds appeared on his Coinbase account.
While it took over a day to discuss our chain of action when recovering wallets, the final approach to finding the password took merely 2 minutes, just like my movie director friend predicted…
Preparing an algorithm with good hints is the most crucial job. Don’t panic if your wallet address changes using a service like Coinbase. They just create new addresses each time you request funds.
Cracking wallet.dat using Hashcat
Password cracking is an art, consistent success of which requires a fine-tuning approach.
Don’t forget that luck and good hashrate will also help you recover lost passwords and access to the coins.
Tools
- Python 3.x
Bitcoin2john This is a fork of pywallet modified to extract the password hash in a format that Hashcat can understand. Original John the Ripper github.- Hashcat — software for bruteforce using CPU, GPU, DSP, FPGA.
-
to configuring your GPU drivers for Linux
- https://github.com/initstring/passphrase-wordlist
- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
- https://weakpass.com/wordlist
Extracting the Password Hash of wallet.dat
Copy wallet.dat file and bitcoin2john.py to a directory. If you work under Windows, copy both files to the Python folder or add Python links to environments.
Using the command line or terminal, execute:
python bitcoin2john.py wallet.dat
Take the line that starts with $bitcoin and place it in a file called hash.txt in the working directory. 
Note: If you’re reading this because you’ve forgotten your password and can’t crack it yourself, you can share this hash with a wallet recovery service. Cracking this hash will not allow them to access your Bitcoins unless they also have access to your wallet.dat file.
Standard Dictionary Attack
Save the desired dictionary to a file called wordlist.txt which is in the working folder with your hash.txt file. First, we are going to run a straight-up dictionary attack. This means that password has to be found in your wordlist exactly — with a correct case, special characters, etc.
Try it this way first, with some hardware optimization parameters:
/opt/hashcat/hashcat64.bin -a 0 -m 11300 ./hash.txt ./wordlist.txt -O -w 3
If that doesn’t work, try this:
/opt/hashcat/hashcat64.bin -a 0 -m 11300 ./hash.txt ./wordlist.txt
- Press + R, enter cmd
- Go to the work directory cd /folder_with_these_files/
- Execute hashcat64.exe -a 0 -m 11300 hash.txt wordlist.txt
- Press the S key at any time to see the status of your cracking session
If your session completes successfully, you will see an output with your password. If the session is completed and you aren’t sure it was successful, running the command as follows will show you all successfully cracked passwords for a given target:
/opt/hashcat/hashcat64.bin -a 0 -m 11300
If the output of the above command is blank, the password has not been cracked yet.
Rule-Based Attacks
As humans, we are pretty dumb when it comes to making passwords. We can add !, 1, or all capital chars to make them more secure. Cracking password MyWallet1 with the help of a dictionary with MyWallet you will not get lucky but using a rule-base can help.
Download Hob0Rules and place it in /opt/rules/ .
Then execute:
/opt/hashcat/hashcat64.bin -a 0 -m 11300 ./hash.txt ./wordlist.txt -r
/opt/rules/Hob0Rules/hob064.rule -O -w 3
Windows:
hashcat.exe —stdout wordlist.txt -r hob064.rule -m 11300 hash.txt
Mask Attack
For example, the password is Julia1984.
In the traditional Brute-Force attack, we require a charset that contains all upper-case letters, all lower-case letters, and all digits (aka “a mix of alpha-numeric”). The total number of passwords to try is Number of Chars in Charset ^ Length. The Password length is 9, so we have to iterate through 62^9 (13,537,086,546,263,552) combinations. Let’s say we crack with a rate of 100 M/s (slow Intel i3 processor), this requires more than 4 years to complete.
But let’s use a mask attack. We know that the name starts with a capital letter and four digits at the end.
Built-in charsets
- ?l = abcdefghijklmnopqrstuvwxyz
- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d = 0123456789
- ?h = 0123456789abcdef
- ?H = 0123456789ABCDEF
- ?s = «space»!»#$%&'()*+,-./:; ?@[\]^_`
Execute:
hashcat64.exe -m 11300 hash.txt -a ?u?l?l?l?l?d?d?d?d
In a nutshell, with the mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237,627,520,000) combinations. With the same cracking rate of 100 M/s, this requires just 40 minutes to complete.
Bitcoin/Litecoin hash Extractor — instantly
More than easy, just select and upload your Bitcoin wallet file from Bitcoin Core client (extension is .dat) or Litecoin wallet. The hash will be computed in the «Output» part.
Example of hash output
Hashcat mode is 11300, and looks like (sample):
Credits & Disclaimer
Credits go to JohnTheRipper project ; https://github.com/magnumripper/JohnTheRipper/
We are not responsible, and cannot be held responsible, if your wallet is lost / stolen / opened by a third party. You are solely responsible for the upload of your file, whether on this website or any website / forum on the internet.
Как достать хеш из wallet dat
До начала восстановления кошелька нужно сначала найти данный файл.
В операционной системе windows 7, windows vista, windows 8, windows 8.1 и windows 10 он находиться в директории %AppData%Bitcoin
Все операции и баланс кошелька храниться в файле wallet.dat.
Если вы забыли пароль к вашему кошельку bitcoin, то мы можем вам помочь.
Для этого вам надо перейти в раздел Восстановление пароля к bitcoin
и оформить заказ через отправку зашифрованного файла wallet.dat.
Если вы опасаетесь высылать данный файл нашему сервису, то можно извлечь из данного файла зашифрованный хеш-ключ от wallet.dat
И уже его выслать через Форму для отправки приватного ключи биткоин
Приватный ключ вы можете получить с помощью программы JohnTheRipper
1) Нужно будет поставить пакет python
2) Закачать файл ваш кошелек биткоина в директорию JohnTheRipper/run/
3) Выполнить команду python ./bitcoin2john.py wallet.dat
4) Полученный хеш вида $bitcoin$96$………………….. отправить нам через форму заказа хеша указанную выше.
5) Полученный хеш мы уже обрабатываем и восстановить пароль к wallet системы bitcoin, litecoin или к примеру ethereum.
Старый пакет уже не актуален для новых версий,но временно будет сохранен.
Вы всегда сами можете попробовать подобрать пароль wallet dat своими силами.
Если у вас появились вопросы, то пишите смело нашим консультантам.