GPU brute forcing an encrypted wallet

[yourstruly]

I lost my password to a wallet that had 20 bitcoins in it, its now worth my effort to retrieve it. I tried using Revalins script found here https://bitcointalk.org/index.php?topic=85495.msg942171#msg942171 without any luck.

So I have modified it to brute force based off a base password that I know is correct, so I'm only have to brute force between 6-8 characters which is feasible.

Code:

#!/usr/bin/ruby -w
class Cracker
  def initialize(char_array, password_range)
    @char_array = char_array
    @password_range = password_range
  end

  def password_correct?(phrase)
    print "basepassword" + phrase, "\t"
    system("./bitcoind walletpassphrase basepassword#{phrase} 20")
    case $?.exitstatus
    when 0
      puts "Found it!  basepassword#{phrase}"
      exit 0
    end
    return false
  end

  def generate_password( perm_number, password_length )
    password=""
    (1..password_length).each do |char_number| # loop through characters
      char_reference = (perm_number / @char_array.length**(char_number-1)).floor % @char_array.length
      character = @char_array[char_reference]
      password << character
    end
    password
  end

  def do_combination( num_combinations, password_length )
    (0..num_combinations-1).each do |perm_number| # loop through combinations for a given length
      password = generate_password( perm_number, password_length )
      return password, perm_number if password_correct?(password)
    end
  end

  def crack()
    (@password_range).each do |password_length|  # loop to gradually increase password length
      num_combinations=@char_array.length**password_length
      password, perm_number = do_combination(num_combinations, password_length)
      if password
        puts "#{password} | Access Granted | #{perm_number} / #{num_combinations}"
        return password
      end
    end
  end
end

# I removed characters I was sure I didn't use
characters = "!$@01235@ABCDEFGIKLMNOSTWYZabcdefgiklmnopqrstuwyz".split(//)

cracker = Cracker.new( characters, (6..8) )
password = cracker.crack()

puts "No luck."
exit 1

This is going terribly slow though, but that is because I'm using CPU to try to crack this and I should take a lesson from the mining community and try to use my GPU through CUDA or OpenCL. I was wondering if anyone could help me adapt this script to python or a ruby OpenCL/CUDA library so that I can harness my GPU power to try to crack my password to recover it.

If not perhaps this will help someone else who ends up losing their wallet password and needs to brute force it. At 3-5 characters this would work find with a Quadcore.

[1715089158]

1715089158

[peewee]

An ambitious project...curious to see the outcome...and thanks for the reminder not to lose my wallet info

[kokjo]

system("sudo bitcoind", "bruteforce", "basepassword" + phrase, "20")

WTF!! seriously how far up your butt are your head?
have you even tried cracking a password before, on your own?

SUDO Really?
the method you are using have way too much overhead to be anywhere possible even to crack a 4-char password.
1. you are comminucating with bitcoind over jsonrpc over http over tcp.
2. bitcoind are using berkeley DB, to check if the password s correct.

RLY? U CRAZY?

solution:
extract enough information from from wallet.dat, to be able to verify a password, look in berkeleyDB manuels, bitcoin source, and determent  what is needed.
implement algoritm in some sort of GPU code(cuda, opencl,...) that do this efficient.

[alig23]

system("sudo bitcoind", "bruteforce", "basepassword" + phrase, "20")

WTF!! seriously how far up your butt are your head?
have you even tried cracking a password before, on your own?

SUDO Really?
the method you are using have way too much overhead to be anywhere possible even to crack a 4-char password.
1. you are comminucating with bitcoind over jsonrpc over http over tcp.
2. bitcoind are using berkeley DB, to check if the password s correct.

RLY? U CRAZY?

solution:
extract enough information from from wallet.dat, to be able to verify a password, look in berkeleyDB manuels, bitcoin source, and determent  what is needed.
implement algoritm in some sort of GPU code(cuda, opencl,...) that do this efficient.

It would not work

[yourstruly]

system("sudo bitcoind", "bruteforce", "basepassword" + phrase, "20")

WTF!! seriously how far up your butt are your head?
have you even tried cracking a password before, on your own?

SUDO Really?
the method you are using have way too much overhead to be anywhere possible even to crack a 4-char password.
1. you are comminucating with bitcoind over jsonrpc over http over tcp.
2. bitcoind are using berkeley DB, to check if the password s correct.

RLY? U CRAZY?

solution:
extract enough information from from wallet.dat, to be able to verify a password, look in berkeleyDB manuels, bitcoin source, and determent  what is needed.
implement algoritm in some sort of GPU code(cuda, opencl,...) that do this efficient.

Yeah that line was bad, I fixed it.

I have no cracked before, you raise a great point that I had been noticing myself. My biggest bottleneck is the bitcoind client itself which is running on my CPU. The only way I could increase the speed is by running more bitcoind clients.

I will try to read more about your proposed solution, I think that is the right direction.

It would not work

Could you please elaborate?

[DannyHamilton]

This is going terribly slow though, but that is because I'm using CPU to try to crack this and I should take a lesson from the mining community and try to use my GPU through CUDA or OpenCL. I was wondering if anyone could help me adapt this script to python or a ruby OpenCL/CUDA library so that I can harness my GPU power to try to crack my password to recover it.

Mining involves generating hashes, which apparently GPU shaders are good at.  I'm not sure what algorithm is used for encrypting your private keys, but I guess the first thing to figure out is if a GPU would be any good at that algorithm anyhow.

Then assuming that it is, I would think you could pull an encrypted private key from the wallet and repeatedly attempt to decrypt it, looking to see if the result is a valid private key without having to go back to bitcoind every time.

[yourstruly]

This is going terribly slow though, but that is because I'm using CPU to try to crack this and I should take a lesson from the mining community and try to use my GPU through CUDA or OpenCL. I was wondering if anyone could help me adapt this script to python or a ruby OpenCL/CUDA library so that I can harness my GPU power to try to crack my password to recover it.

Mining involves generating hashes, which apparently GPU hashes are good at.  I'm not sure what algorithm is used for encrypting your private keys, but I guess the first thing to figure out is if a GPU would be any good at that algorithm anyhow.

Then assuming that it is, I would think you could pull an encrypted private key from the wallet and repeatedly attempt to decrypt it, looking to see if the result is a valid private key without having to go back to bitcoind every time.

I will look into this, who knows if bitcoins keeps going up cracking wallets with lost passwords will be worth greater and greater investment. I was considering writing a short story about it.

[kokjo]

Mining involves generating hashes, which apparently GPU shaders are good at.  I'm not sure what algorithm is used for encrypting your private keys, but I guess the first thing to figure out is if a GPU would be any good at that algorithm anyhow.

AES is used to encrypt the privatekeys, if i remember correctly. it is easy to brutefore on GPU

[tminuszer0]

AES is used to encrypt the privatekeys, if i remember correctly. it is easy to brutefore on GPU

You would be correct.

[kokjo]

AES is used to encrypt the privatekeys, if i remember correctly. it is easy to brutefore on GPU

You would be correct.

Naah, multiple rounds of AES. bruteforcing sucks.

[yourstruly]

AES is used to encrypt the privatekeys, if i remember correctly. it is easy to brutefore on GPU

You would be correct.

Naah, multiple rounds of AES. bruteforcing sucks.

So since its multiple rounds I would be better off trying to just crack via multiple instances of the bitcoind rpc?

[Nicolai]

Don't use bitcoind RPC interface, it's waaaaaaay to slow.

Go to github, find the 'wallet unlock code'-part, extract and use this code to bruteforce.

[yourstruly]

Don't use bitcoind RPC interface, it's waaaaaaay to slow.

Go to github, find the 'wallet unlock code'-part, extract and use this code to bruteforce.

Great idea, thank you.

Ill share my code when it is ready, incase anyone else runs into this.

[el_rlee]

can you not somehow utilize hashcat or john the ripper for that?

[djdollabill]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

In other words, bitcoin would be essentially dead, since you could take from any arbitrary wallet.  You would start with the biggest ones, of course, and eventually word would get out, and bitcoin would be officially dead.

So far, since the 2009 release of the bitcoin protocol, nobody has hacked an arbitrary wallet.  This is presumably not for lack of trying.

I would, to quote Justin Bieber, "Never say never," but if you want a way to open a wallet, you might be brute forcing for a long, long time.

[silverfuture]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

In other words, bitcoin would be essentially dead, since you could take from any arbitrary wallet.  You would start with the biggest ones, of course, and eventually word would get out, and bitcoin would be officially dead.

So far, since the 2009 release of the bitcoin protocol, nobody has hacked an arbitrary wallet.  This is presumably not for lack of trying.

I would, to quote Justin Bieber, "Never say never," but if you want a way to open a wallet, you might be brute forcing for a long, long time.

Maybe you are confusing cracking the user password for the wallet with cracking a private key? A wallet password would crack easier or harder depending on what the password was.

[archaeopteryx]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

In other words, bitcoin would be essentially dead, since you could take from any arbitrary wallet.  You would start with the biggest ones, of course, and eventually word would get out, and bitcoin would be officially dead.

So far, since the 2009 release of the bitcoin protocol, nobody has hacked an arbitrary wallet.  This is presumably not for lack of trying.

I would, to quote Justin Bieber, "Never say never," but if you want a way to open a wallet, you might be brute forcing for a long, long time.

OP:

So I have modified it to brute force based off a base password that I know is correct, so I'm only have to brute force between 6-8 characters which is feasible.

He knows part of the password so has some a priori information to go off of, not like cracking a private key. It still might take a while.

[yourstruly]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

In other words, bitcoin would be essentially dead, since you could take from any arbitrary wallet.  You would start with the biggest ones, of course, and eventually word would get out, and bitcoin would be officially dead.

So far, since the 2009 release of the bitcoin protocol, nobody has hacked an arbitrary wallet.  This is presumably not for lack of trying.

I would, to quote Justin Bieber, "Never say never," but if you want a way to open a wallet, you might be brute forcing for a long, long time.

Not quite, I'm trying to crack a wallet with a password I created that is over 14 characters long. Since I created it though I have a base password which I know for certain is in the password which brings down the length of the password I need to crack to an insecure length. It is already pretty much known you don't use passwords less than 8 characters, preferably 14 or greater.

All of this got me thinking, wouldn't it be crazy if after all the bitcoins were handed out the infrastructure once used to mine was turned to hack wallets because of their value.

[DannyHamilton]

All of this got me thinking, wouldn't it be crazy if after all the bitcoins were handed out the infrastructure once used to mine was turned to hack wallets because of their value.

Sure, but first you'd have to get ahold of the wallet.dat file somehow.  Then, even if you could do that, keep in mind that miners get the transaction fees of all the transactions in the block in addition to the newly minted bitcoins.  So in 136 years when all new bitcoins have been issued, you'd probably still be more profitable continuing to mine (and receiving the transaction fees), unless you could get ahold of the wallet.dat of someone who had a REALLY large number of bitcoins AND an insecure password.

[yourstruly]

All of this got me thinking, wouldn't it be crazy if after all the bitcoins were handed out the infrastructure once used to mine was turned to hack wallets because of their value.

Sure, but first you'd have to get ahold of the wallet.dat file somehow.  Then, even if you could do that, keep in mind that miners get the transaction fees of all the transactions in the block in addition to the newly minted bitcoins.  So in 136 years when all new bitcoins have been issued, you'd probably still be more profitable continuing to mine (and receiving the transaction fees), unless you could get ahold of the wallet.dat of someone who had a REALLY large number of bitcoins AND an insecure password.

I had not realized that the mining would continue because of ongoing transactions which makes sense now that you say it. Thanks for that insight.

[Jutarul]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

Try breaking the encryption for a wallet you don't have.

First rule of business: Keep savings wallets offline. Forever.
Encryption is only meant to create an economic barrier and give you some time, once you realize that the wallet has been compromised (i.e. uploaded to the internet).

[yourstruly]

I'm having trouble isolating the functions I need out of the bitcoin client.

So what I understand is that there is a built in 100ms delay. If I extract out the piece to unlock it and bypass the rpc I can avoid that or is that because of the algorithm used to encrypt it?

[ihopedso]

That sounds terrible. I keep a unencrypted wallet on disk, just for this reason.

[deepceleron]

You are out of your depth. Decrypt this message:

U2FsdGVkX1+b0djAYNFH7ci5sgIKVEVittOk11oml4C/ESACHoqEYrdz0pkCfIf7

The password is 1234

Code:

/*
Private key encryption is done based on a CMasterKey,
which holds a salt and random encryption key.

CMasterKeys are encrypted using AES-256-CBC using a key
derived using derivation method nDerivationMethod
(0 == EVP_sha512()) and derivation iterations nDeriveIterations.
vchOtherDerivationParameters is provided for alternative algorithms
which may require more parameters (such as scrypt).

Wallet Private Keys are then encrypted using AES-256-CBC
with the double-sha256 of the public key as the IV, and the
master key's key as the encryption key (see keystore.[ch]).
*/

What a cracker needs to do is extract the public and private(encrypted) ECDSA keys for some addresses out of the wallet, and perform a billion billion trial decryptions based on a passphrase iteration, generating encryption keys using the same formula Bitcoin does, then verify the decrypted privkey also will create the ECDSA pubkey. The first thing you will find challenging is to parallelize is 25000 rounds of hashing for every master key attempt.

https://www.cryptool.org/trac/CrypTool2/browser/trunk/CrypPlugins/AES/OpenCL/AESOpenCL.cl?rev=2061

[yourstruly]

You are out of your depth. Decrypt this message:

U2FsdGVkX1+b0djAYNFH7ci5sgIKVEVittOk11oml4C/ESACHoqEYrdz0pkCfIf7

The password is 1234

Code:

/*
Private key encryption is done based on a CMasterKey,
which holds a salt and random encryption key.

CMasterKeys are encrypted using AES-256-CBC using a key
derived using derivation method nDerivationMethod
(0 == EVP_sha512()) and derivation iterations nDeriveIterations.
vchOtherDerivationParameters is provided for alternative algorithms
which may require more parameters (such as scrypt).

Wallet Private Keys are then encrypted using AES-256-CBC
with the double-sha256 of the public key as the IV, and the
master key's key as the encryption key (see keystore.[ch]).
*/

What a cracker needs to do is extract the public and private(encrypted) ECDSA keys for some addresses out of the wallet, and perform a billion billion trial decryptions based on a passphrase iteration, generating encryption keys using the same formula Bitcoin does, then verify the decrypted privkey also will create the ECDSA pubkey. The first thing you will find challenging is to parallelize is 25000 rounds of hashing for every master key attempt.

https://www.cryptool.org/trac/CrypTool2/browser/trunk/CrypPlugins/AES/OpenCL/AESOpenCL.cl?rev=2061

I appreciate this message, to be clear, you are suggesting I extract the public/private key from the address the funds were sent to and just attack that?

I didn't attempt this method because I don't think I have the computing power necessary for that since bitcoin's wallet encryption algorithm is so crazy.

I came to the conclusion I would have a much better chance trying actual passwords from a large list of possibilites with substitutions, subtractions and additions. But my main problem now is the RPC used to interact with bitcoind is waay too slow. So instead of trying to run multiple clients at once, someone suggested I extract the portion of code the RPC interacts with. I have been trying to do that and I'm making progress but its slow.

Side note, is there a script that encrypts/decrypts the public/private from bitcoin to and from ascii?

I really appreciate everyone's input.

[deepceleron]

I appreciate this message, to be clear, you are suggesting I extract the public/private key from the address the funds were sent to and just attack that? ...

Brute-forcing the AES secret directly would require you brute force the entire key space, which is infeasible. I suggest that you must make your own native code that does the pass-phrase->master key computation using possible human pass-phrases. This is intentionally made hard to crack, a good CPU will only be able to manage a few hundred key attempts a second.

[veryveryinteresting]

Please update if you progress! I have been trying to modify Revalin's code for my password but have been unsuccessful. I too remember part of it.

Thanks

[yourstruly]

I appreciate this message, to be clear, you are suggesting I extract the public/private key from the address the funds were sent to and just attack that? ...

Brute-forcing the AES secret directly would require you brute force the entire key space, which is infeasible. I suggest that you must make your own native code that does the pass-phrase->master key computation using possible human pass-phrases. This is intentionally made hard to crack, a good CPU will only be able to manage a few hundred key attempts a second.

So you are also recommending that I cut up the bitcoin client too? I'm trying to do this but having trouble. My wallet is now worth 2,000 and growing so its only more worth it by the day, so I guess Ill keep trying.

[yourstruly]

Please update if you progress! I have been trying to modify Revalin's code for my password but have been unsuccessful. I too remember part of it.

Thanks

Do you have an idea of how large the extra stuff on the base password is? If you can give me a bit more info I can try to help you out with what I have learned so far.

Also write down EVERYTHING you remember about it now, this moment.

[KennyH]

I'm having trouble isolating the functions I need out of the bitcoin client.

So what I understand is that there is a built in 100ms delay. If I extract out the piece to unlock it and bypass the rpc I can avoid that or is that because of the algorithm used to encrypt it?

I'm also in the same spot as you and trying to run ruby scripts with bitcoind at about 25 passwords/second.

Where did you find the info about the 100ms delay?

I think I saw some timing when the keys are generated so that the decrypt will not be too slow. This timing sets the nDeriveIterations  value for the master key.

[KennyH]

I'm having trouble isolating the functions I need out of the bitcoin client.

So what I understand is that there is a built in 100ms delay. If I extract out the piece to unlock it and bypass the rpc I can avoid that or is that because of the algorithm used to encrypt it?

I'm also in the same spot as you and trying to run ruby scripts with bitcoind at about 25 passwords/second.

Where did you find the info about the 100ms delay?

I think I saw some timing when the keys are generated so that the decrypt will not be too slow. This timing sets the nDeriveIterations  value for the master key.

@yourstruly, you were right. When wallet is encrypted and every time the password is changed the decryption time is calculated
to about 100 ms and set in nDeriveIterations for the master key.
To effectively crack a strong password you would have to run the crack program on a computer with multi cpu or with a much
faster cpu than was used to encrypt the wallet.
I think multi cpu/gpu is the way to go.

[Ronya]

Sorry guys to bother you. And sorry for my bad english. I get straight to it. One year ago, in was interessed in BTC and i bought 1,0 for reasonable price. My Programm was Multibit because in the other boards, they told me it is most user-friendly and i can subcribe. So i thought 1,0 Bitcoin would raise and raise, but did not. So i want to sell it.
Problem i can remember the password and iam very desperated.Okey, its not the end of the world.
I google a lot and the majority said your pw is gone.
Some mentions Brute Force, Scripts atc. But i do not know how to use it. What i need is an exe.progamm where i put the pw-wallet, i wait a couple of hours. And i got my PW back.
Only thing remember, it was not jibberish, it was short 6 words and german.
Could you help me or is the case closse?
Best Regards

[btchris]

Sorry guys to bother you. And sorry for my bad english. I get straight to it. One year ago, in was interessed in BTC and i bought 1,0 for reasonable price. My Programm was Multibit because in the other boards, they told me it is most user-friendly and i can subcribe. So i thought 1,0 Bitcoin would raise and raise, but did not. So i want to sell it.
Problem i can remember the password and iam very desperated.Okey, its not the end of the world.
I google a lot and the majority said your pw is gone.
Some mentions Brute Force, Scripts atc. But i do not know how to use it. What i need is an exe.progamm where i put the pw-wallet, i wait a couple of hours. And i got my PW back.
Only thing remember, it was not jibberish, it was short 6 words and german.
Could you help me or is the case closse?
Best Regards

btcrecover might help, but only if you remember a decent amount of your password. It does support Multibit, although it doesn't support non-ASCII letters, so if your password had any umlauts it won't help. There's a tutorial with a quick start here (in English, sorry).

This thread has a lot of good information related to password recovery, but some of it is specific to Bitcoin Core (Bitcoin-Qt) wallets.

If you have any specific questions about btcrecover, let me know and I'll try to help (I'm the dev).

[Ronya]

I'll try but it is to complicated. I thought a bruteforce was build like bloodpatch or serial.exe, you click the button then you got it. I think to understand that you must know basics of codings. Apparertly a german guy called Rene78 has the same problem and solved it, but he stays offline It is like i got the cure for cancer Good luck guys

[btchris]

I'll try but it is to complicated. I thought a bruteforce was build like bloodpatch or serial.exe, you click the button then you got it.

Bitcoin wallets all (that I know of) use strong encryption. The point is to protect you from hackers. This also means that if you lose your password, you could be in trouble.

If you describe everything you remember about your password, I can try to help. You don't have to use specifics -- for example you could say "I know my password contained 3 - 5 of these words below, and then a 1 - 2 digit number" and give example words, but not the actual ones you had in mind.

If you want to use Bitcoin in the future, look into a "deterministic" wallet, such as Electrum or Armory. They have easy backup-to-paper and recovery mechanisms that can help.

[Ronya]

I really fight i click on these python cmd it appears for one second and then diseapers.

I know for certain it was short and german. Maximun 5-6 letters(no numbers). Normally the first Letter is Big, you know what i mean, not frog, but Frog.

Do can really help me, because in my timezone is soon sleepytime. :-)

When i put my wallet.key whatever into a editor than came a jibberish of digits and letters...so is there my pw hidden?

I try now this hashcat tgod know ifm it willhelp..

[btchris]

The different languages thing is hurting us... but I'll try.

From the Quick Start, follow Step 1 to install everything.

Next, open Notepad, and then copy and paste this into Notepad:

Code:

#--pause --no-dupchecks --wallet multibit.key
%ia%0,5a

Next, save the Notepad file into the btcrecover-master folder you unzipped from Step 1. The file name must be btcrecover-tokens-auto.txt

Next, follow Step 5 from the Tutorial Quick Start. After you find your Multibit .key file, copy it into the same btcrecover-master folder, and then rename the .key file to multibit.key

Finally, double-click btcrecover.py, and it should start.

If you installed PyCrypto in Step 1 (optional), it will take an hour or two to finish. If you didn't install PyCrypto, it will take around 6 - 24 hours to finish.

This will test every password from 1 to 6 letters long. The first letter is upper or lower case, the rest are all lower case. No numbers or symbols.

Good luck!

[Ronya]

From my bottom of my heart thank you chris.Unfournatly it did not work, because nothing happens when i click btcrecover.py. It appears  0000000,1 sec and than gone. If i type cmd it stays.
i do not know why btcrecover.py. is so bitchy.

[Ronya]

No I surrender. Python wants not open. But i found out i can idle this.This is Monster about all wallets, but nothing where it wrotes there is your password.

For a butterflly i could toke a picture, maybe you understands why pyton do like me

http://img5.fotos-hochladen.net/thumbnail/boardf9sxchg87w_thumb.jpg

[btchris]

Thank you for the picture, it is very helpful.

I understand what the problem is, but I can't fix it tonight, sorry about that.

I'll post an update tomorrow sometime...

[Ronya]

How kind of you. I can not say hot excited i am, to find resolution. I hope it's just touching the right buttons and notw. Please reinstall windows.lol

[btchris]

No I surrender. Python wants not open. But i found out i can idle this.This is Monster about all wallets, but nothing where it wrotes there is your password.

For a butterflly i could toke a picture, maybe you understands why pyton do like me

I should have caught this sooner, but now I see the problem.

You have Python 3 installed. btcrecover only works with Python 2. (They are similar, but different programming languages.)

You can have them both installed at the same time, but it's probably safest to:

  1. Uninstall PyCrypto
  2. Uninstall Python 3
  3. Install Python 2.7.8 Windows X86-64 Installer from here.
  4. (optional) Install PyCrypto 2.6 for Python 2.7 64bit from here.

[MakeBelieve]

So if you know 4 words out of 8 characters is that possible to crack or not?

[btchris]

So if you know 4 words out of 8 characters is that possible to crack or not?

I'm not understanding you... can you describe in more detail? A bunch of examples would help.

It also depends on which wallet you're using.

[Ronya]

@btcchris
Big Thanks and Respect....12 hours to go....and i will not forget you, when i got lil bit more coins in my pocket, you get a lil thank you, a share

I just hope it find the pw

[btchris]

@btcchris
Big Thanks and Respect....12 hours to go....and i will not forget you, when i got lil bit more coins in my pocket, you get a lil thank you, a share

I just hope it find the pw

I hope so too. If not, but you remember something new about your password, we can always try again.

[Ronya]

Quick Questions in the cmd i understand everythings ETA 11 means 11 hours to go

But[###-----------------------] is written there at the momemt, should this my pw at the end, i am confused it was never so long

[Kipsy89]

Is it really possible to do this with brute force? I mean a ruby or python script won't do you any good, that's sure... they're interpreted languages. I guess it totally depends on the size of your key then.... A GPU could do this. But of course it is still futile for a real bitcoin private key! They're safe!

[Ronya]

Please do not discourage me 

[btchris]

Quick Questions in the cmd i understand everythings ETA 11 means 11 hours to go

But[###-----------------------] is written there at the momemt, should this my pw at the end, i am confused it was never so long

It should look something like this:

Code:

Read additional options from tokenlist file: --pause --no-dupchecks --wallet multibit.key
Counting passwords ...
Done
Using 4 worker threads
116668178 of 642544812 [#####--------------------------] 0:06:26, ETA:  0:29:01

In this example, it's been running for 6 minutes so far, and it has 29 minutes before it's tried every combination.

If it finds the password, it will look like this:

Code:

Read additional options from tokenlist file: --pause --no-dupchecks --wallet multibit.key
Counting passwords ...
Done
Using 4 worker threads
116668178 of 642544812 [#####--------------------------] 0:06:26, ETA:  0:29:01
Password found: 'Passwd'
Press Enter to exit ...

Or if it tries every combination and the password is something else (e.g. maybe it's longer, or has numbers), it will look like this:

Code:

Read additional options from tokenlist file: --pause --no-dupchecks --wallet multibit.key
Counting passwords ...
Done
Using 4 worker threads
642544812 of 642544812 [#######################] 0:35:27, Time: 0:35:27
Password search exhausted
Press Enter to exit ...

Does that answer your question?

[btchris]

Is it really possible to do this with brute force? I mean a ruby or python script won't do you any good, that's sure... they're interpreted languages. I guess it totally depends on the size of your key then.... A GPU could do this. But of course it is still futile for a real bitcoin private key! They're safe!

You're right, Bitcoin keys cannot be feasibly brute-forced.

But this thread is talking about brute-forcing the password on wallets. If the password is weak enough, or if you know enough about the password, it's certainly feasible (and a GPU can help, depending on the wallet).

As far as using a scripting language goes: yes they are slower, but many scripting languages implement the time-consuming portions (e.g. SHA) in native code, so using a scripting language isn't as big of a performance hit as you may think (btcrecover is written in Python, for example, but most of the crypto uses native code libraries (not written by me) or OpenCL for GPU acceleration).

Moral of the story is: use strong passwords.

[Ronya]

@btcchris

Absoutley it answers my question. 9 hours to go

[MakeBelieve]

@btcchris

Absoutley it answers my question. 9 hours to go

You must know the majority of the password do you? how many characters don't you know? 12 hours seems like a very short time to wait.

[Ronya]

I know it is a german word. And Maximun 5-6 Letters. No Numbers or+-*/ a german word

But I remember not a single Letter. My Style is that i start my word with Capital Letter. not perfume But Perfume

[CryptKeeper]

Use this service: http://www.walletrecoveryservices.com/

These guys are experts in wallet hacking and are reliable.

[Sonny]

Is it really possible to do this with brute force? I mean a ruby or python script won't do you any good, that's sure... they're interpreted languages. I guess it totally depends on the size of your key then.... A GPU could do this. But of course it is still futile for a real bitcoin private key! They're safe!

Brute-forcing a 256bit bitcoin private key is statistically impossible, but brute-forcing the password of an encrypted wallet is completely doable if there are only a few unknown characters in the password.

[MakeBelieve]

I've used: https://bitcointalk.org/index.php?topic=717334.0

Sorted out my problem in little to no time and was pretty cheap can't recommend him enough I found a post on reddit about his service and decided to ask him a few questions which he answered straight away and then contacted in through email which I found on the reddit post. Think it took no longer than 2 hours from sending him the details.

But there is also: http://www.walletrecoveryservices.com/

These are suppose to be good but take a bigger fee which wasn't worth it in my opinion.  I've heard great things though

Or of course you can try and use btcrecover but it seems these guys who offer the service do it much faster and have custom hardware and custom scripts.

[Ronya]

Half-time...six hours to got...I go to sleep...maybe a surprise when i wake up

Thanks again BTchris for patience,knowlegde and Help

[elliwilli]

You are kinda screwed...
the wallet is encrypted with multiple rounds of AES making it much, much harder to crack by almost any means.
Try getting a quantum computer 

[Welsh]

You are kinda screwed...
the wallet is encrypted with multiple rounds of AES making it much, much harder to crack by almost any means.
Try getting a quantum computer  

Wrong. It's indeed very possible to crack a password if you know a little about it. I've found around 8 passwords within a week. That is because they knew a little bit about their password. If you know the majority of your password you should be able to get it. If you are certain you used it but, might of made a typo(s) then it takes under a hour usually to find. The less you know about the password the more the chance of recovery failing.

Remember, we are not trying to crack a private key, but a password. It's much easier and is possible.


If anyone, needs help. Feel free to contact me about the matter.

[elliwilli]

You are kinda screwed...
the wallet is encrypted with multiple rounds of AES making it much, much harder to crack by almost any means.
Try getting a quantum computer  

Wrong. It's indeed very possible to crack a password if you know a little about it. I've found around 8 passwords within a week. That is because they knew a little bit about their password. If you know the majority of your password you should be able to get it. If you are certain you used it but, might of made a typo(s) then it takes under a hour usually to find. The less you know about the password the more the chance of recovery failing.

Remember, we are not trying to crack a private key, but a password. It's much easier and is possible.


If anyone, needs help. Feel free to contact me about the matter.

Ahh OK, I misunderstood, in that case than sure, just bruteforce it to death.

[Sonny]

You are kinda screwed...
the wallet is encrypted with multiple rounds of AES making it much, much harder to crack by almost any means.
Try getting a quantum computer 

Wrong. It's indeed very possible to crack a password if you know a little about it. I've found around 8 passwords within a week. That is because they knew a little bit about their password. If you know the majority of your password you should be able to get it. If you are certain you used it but, might of made a typo(s) then it takes under a hour usually to find. The less you know about the password the more the chance of recovery failing.

Remember, we are not trying to crack a private key, but a password. It's much easier and is possible.


If anyone, needs help. Feel free to contact me about the matter.

Not sure about OP's case, but for Ronya, his password is very short and simple, and it is not really hard to brufe-force it.

I know for certain it was short and german. Maximun 5-6 letters(no numbers). Normally the first Letter is Big, you know what i mean, not frog, but Frog.

[Welsh]

Not sure about OP's case, but for Ronya, his password is very short and simple, and it is not really hard to brufe-force it.

Yes. Ronya should be able to crack it pretty soon, I'm surprised it's taking as long as  it is though, guess it depends on the hardware you got pumping that script. I'm unsure how fast btcrecover is though.(a quick glance and the code is actually pretty clean and should run at decent speeds depending on hardware and whether it is able to utilize cores) I've had some similar scenarios and it's taken a few hours at most.

I wish you the best of luck Ronya and hope you can get access back, if you can't you can always send me a message and we'll discuss more about the issue.

[aronnov]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

In other words, bitcoin would be essentially dead, since you could take from any arbitrary wallet.  You would start with the biggest ones, of course, and eventually word would get out, and bitcoin would be officially dead.

So far, since the 2009 release of the bitcoin protocol, nobody has hacked an arbitrary wallet.  This is presumably not for lack of trying.

I would, to quote Justin Bieber, "Never say never," but if you want a way to open a wallet, you might be brute forcing for a long, long time.

Maybe you are confusing cracking the user password for the wallet with cracking a private key? A wallet password would crack easier or harder depending on what the password was.

i hope this program cannot open my wallet and the others
make something useful for humankind, not a kind of destructable
ok ...

[Ronya]

So bad news....exhausted...
But i am so sure short word 5-6 letters and it is a word, not jibberish like adjkgs. But I think this is it, of course i could pay fees, i am not greedy, just it would be nice get just my old bitcoin..

But thabnks for all the help

[MakeBelieve]

So bad news....exhausted...
But i am so sure short word 5-6 letters and it is a word, not jibberish like adjkgs. But I think this is it, of course i could pay fees, i am not greedy, just it would be nice get just my old bitcoin..

But thabnks for all the help

Sad to hear I would keep trying and if you do fail and cant think of any thing else I should think you wouldn't mind paying much of a fee.

[HarmonLi]

Does anyone have a comparison of how long this would take with a script/interpreter language like Ruby or Python, vs. a compiled and highly parallized computation on a GPU? I guess we're talking 4-5 orders of magnitude here?

[Ronya]

What i can do now? Just restart but it would provide the same results. Or i was wrong about password, but it is unusual that is a long pw, i am too lazy, It is 100% a word not combination of letters and numbers. But maybe something like Number1, but is ridicolous such a word i would not write.

So what should i do write notepad to enlarge the bruteforce?

[Wilhelm]

Does anyone have a comparison of how long this would take with a script/interpreter language like Ruby or Python, vs. a compiled and highly parallized computation on a GPU? I guess we're talking 4-5 orders of magnitude here?

Much much faster. Try 20x.
Still it will take many years to bruteforce.
Dictionary attack will be faster if they have a weak password.
Maybe you could program rainbow tables if you have many wallet.dat files to crack

[btchris]

What i can do now? Just restart but it would provide the same results. Or i was wrong about password, but it is unusual that is a long pw, i am too lazy, It is 100% a word not combination of letters and numbers. But maybe something like Number1, but is ridicolous such a word i would not write.

So what should i do write notepad to enlarge the bruteforce?

First, just a reminder, if there was an umlaut over any of the vowels, btcrecover will never find it. It can't handle non-ASCII.

The only option would be to try more passwords. I guess I'd try this:

Code:

#--pause --no-dupchecks --wallet multibit.key --autosave progress.sav
%ia%0,5a%d %ia%6a 

This tries passwords that have a single number at the end, and also passwords that are 7 letters long. It will take 36 times longer to run, so it's pretty important that you install PyCrypto 2.6 for Python 2.7 64bit from here first.

It will autosave to a file in the same directory, so you can close it and restart it without losing any progress (but only after the initial counting phase). I just added a small improvement related to autosave, so you should probably download a new copy of btcrecover first.

[btchris]

Does anyone have a comparison of how long this would take with a script/interpreter language like Ruby or Python, vs. a compiled and highly parallized computation on a GPU? I guess we're talking 4-5 orders of magnitude here?

Much much faster. Try 20x.
Still it will take many years to bruteforce.
Dictionary attack will be faster if they have a weak password.
Maybe you could program rainbow tables if you have many wallet.dat files to crack

The wallet.dat password is seeded, rainbow tables wouldn't help.

While there is a speed difference between Python and native code, for this particular application it's much closer than 20x. Most of the time is spent inside cryptographic code, and most scripting languages implement cryptographic primitives in native code.

Here's a comparison between btcrecover and John the Ripper, including columns which show what language each cryptographic primitive is actually written in. The interesting comparisons are the Bitcoin Core lines, which show a speedup of 2.75x from 44 P/s to 128 when going from btcrecover to JtR, and the speedups that you get with GPU acceleration (pretty good speedups with Bitcoin, but a measly 4 - 6x speedup for Armory which uses a memory-hard KDF).

All of these tests were run on my aging i5-2500k and 2x 560 Ti's. Wallets were created on the same system using default KDF parameters, except for the Blockchain.info wallet with 10,000 iterations (10 is the default).

BBcode tables are pretty ugly, the original spreadsheet if you want to see it is here.

Wallet

Software

Language

KDF

Hash

AES-256

ECDSA?

Iterations

Memory

GPUs

P/s

Armory

BTCR

Python 2.7

ROMix

C++

SHA-512

C++

C++

Yes

4

2 MiB

20

Armory

BTCR

Python 2.7

ROMix

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C++

Yes

4

2 MiB

1

79

Armory

BTCR

Python 2.7

ROMix

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C++

Yes

4

2 MiB

2

128

Bitcoin Core

BTCR

Python 2.7

PBKDF1

Python

SHA-512

C

C

No

67,908

44

Bitcoin Core

JtR

C w/OpenMP

PBKDF1

C

SHA-512

asm

asm w/AES-NI

No

67,908

121

Bitcoin Core

BTCR

Python 2.7

PBKDF1

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C

No

67,908

1

1,070

Bitcoin Core

BTCR

Python 2.7

PBKDF1

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C

No

67,908

2

2,110

Blockchain.info

BTCR

Python 2.7

PBKDF2

Python

SHA-1

C

C

No

10

27,000

Blockchain.info

BTCR

Python 2.7

PBKDF2

C

SHA-1

C

C

No

10

82,000

Blockchain.info

JtR

C w/OpenMP

PBKDF2

C

SHA-1

C w/SSE4.1

asm w/AES-NI

No

10

533,000

Blockchain.info

JtR

C w/OpenMP

PBKDF2

OpenCL (GPU)

SHA-1

OpenCL (GPU)

asm w/AES-NI

No

10

1

3,996,000

Blockchain.info

BTCR

Python 2.7

PBKDF2

Python

SHA-1

C

C

No

10,000

41

Blockchain.info

BTCR

Python 2.7

PBKDF2

C

SHA-1

C

C

No

10,000

262

Electrum

BTCR

Python 2.7

PBKDF1

Python

SHA-256

C

Python

No

2

25,000

Electrum

BTCR

Python 2.7

PBKDF1

Python

SHA-256

C

C

No

2

396,000

MultiBit

BTCR

Python 2.7

custom

Python

MD5

C

Python

No

3

26,000

MultiBit

BTCR

Python 2.7

custom

Python

MD5

C

C

No

3

415,000

[MakeBelieve]

Does anyone have a comparison of how long this would take with a script/interpreter language like Ruby or Python, vs. a compiled and highly parallized computation on a GPU? I guess we're talking 4-5 orders of magnitude here?

Much much faster. Try 20x.
Still it will take many years to bruteforce.
Dictionary attack will be faster if they have a weak password.
Maybe you could program rainbow tables if you have many wallet.dat files to crack

The wallet.dat password is seeded, rainbow tables wouldn't help.

While there is a speed difference between Python and native code, for this particular application it's much closer than 20x. Most of the time is spent inside cryptographic code, and most scripting languages implement cryptographic primitives in native code.

Here's a comparison between btcrecover and John the Ripper, including columns which show what language each cryptographic primitive is actually written in. The interesting comparisons are the Bitcoin Core lines, which show a speedup of 2.75x from 44 P/s to 128 when going from btcrecover to JtR, and the speedups that you get with GPU acceleration (pretty good speedups with Bitcoin, but a measly 4 - 6x speedup for Armory which uses a memory-hard KDF).

All of these tests were run on my aging i5-2500k and 2x 560 Ti's. Wallets were created on the same system using default KDF parameters, except for the Blockchain.info wallet with 10,000 iterations (10 is the default).

BBcode tables are pretty ugly, the original spreadsheet if you want to see it is here.

Wallet

Software

Language

KDF

Hash

AES-256

ECDSA?

Iterations

Memory

GPUs

P/s

Armory

BTCR

Python 2.7

ROMix

C++

SHA-512

C++

C++

Yes

4

2 MiB

20

Armory

BTCR

Python 2.7

ROMix

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C++

Yes

4

2 MiB

1

79

Armory

BTCR

Python 2.7

ROMix

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C++

Yes

4

2 MiB

2

128

Bitcoin Core

BTCR

Python 2.7

PBKDF1

Python

SHA-512

C

C

No

67,908

44

Bitcoin Core

JtR

C w/OpenMP

PBKDF1

C

SHA-512

asm

asm w/AES-NI

No

67,908

121

Bitcoin Core

BTCR

Python 2.7

PBKDF1

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C

No

67,908

1

1,070

Bitcoin Core

BTCR

Python 2.7

PBKDF1

OpenCL (GPU)

SHA-512

OpenCL (GPU)

C

No

67,908

2

2,110

Blockchain.info

BTCR

Python 2.7

PBKDF2

Python

SHA-1

C

C

No

10

27,000

Blockchain.info

BTCR

Python 2.7

PBKDF2

C

SHA-1

C

C

No

10

82,000

Blockchain.info

JtR

C w/OpenMP

PBKDF2

C

SHA-1

C w/SSE4.1

asm w/AES-NI

No

10

533,000

Blockchain.info

JtR

C w/OpenMP

PBKDF2

OpenCL (GPU)

SHA-1

OpenCL (GPU)

asm w/AES-NI

No

10

1

3,996,000

Blockchain.info

BTCR

Python 2.7

PBKDF2

Python

SHA-1

C

C

No

10,000

41

Blockchain.info

BTCR

Python 2.7

PBKDF2

C

SHA-1

C

C

No

10,000

262

Electrum

BTCR

Python 2.7

PBKDF1

Python

SHA-256

C

Python

No

2

25,000

Electrum

BTCR

Python 2.7

PBKDF1

Python

SHA-256

C

C

No

2

396,000

MultiBit

BTCR

Python 2.7

custom

Python

MD5

C

Python

No

3

26,000

MultiBit

BTCR

Python 2.7

custom

Python

MD5

C

C

No

3

415,000

OH wow great information there thanks for the information chris.

[Ronya]

@Chris
This file is getting complicated, they ask me if i repair/remove/change...I do not I klick somewhere--But i think i did not right cuz,warning: can't find pycrypto..maybe give me a more detail Hoe to put pycrypto in btc-recover

[MakeBelieve]

If you can't do it yourself and find your self struggling you should probably just hire a more technical person they will probably find it in no time if its near the correct password.

[MakeBelieve]

I did try first myself on trying to recover my wallet but then I gave up and contacted someone over at the services section and they finally found it wasn't far from my prediction but I probably would of never got it...or would of took me a long time for a small amount.

[btchris]

@Chris
This file is getting complicated, they ask me if i repair/remove/change...I do not I klick somewhere--But i think i did not right cuz,warning: can't find pycrypto..maybe give me a more detail Hoe to put pycrypto in btc-recover

Please give this a try.

  1. Go to Start -> Control Panel.
  2. Click on Uninstall a Program.
  3. Find everything that has "Python" in the program name, you should find at least two, maybe more.
  4. Double-click each one to remove it.
  5. Install Python 2.7.8 Windows X86-64 Installer from here.
  6. Install PyCrypto 2.6 for Python 2.7 64bit from here.

Let me know if you still get the "warning: can't find pycrypto" message...

[Ronya]

I want proudly annonce that Btcris made it. I gave my key-file and then crack/hack/brute-force(for all jibberish) and he is a man of Honor, he could steal 1,0 Btc, but he got his fee,w hat was negoniated under us 10%, so 0,1 Btc

So he is the Heisenberg of BTC

[Sonny]

It is nice to know that the problem is finally solved now, and it is nice to see you haven't trusted the wrong person.
Well done, btchris.

[DhaniBoy]

It is not so easy to encrypted a wallet with GPU brute forcing, because encryted wallet has a very complicated security, as example in blockchain.info, if you lost your passwrod, you must enter some random words, which given at the time of first registration, hopefully you can find the lost password wallet

[Gumbork]

I want proudly annonce that Btcris made it. I gave my key-file and then crack/hack/brute-force(for all jibberish) and he is a man of Honor, he could steal 1,0 Btc, but he got his fee,w hat was negoniated under us 10%, so 0,1 Btc

So he is the Heisenberg of BTC

Nice that you finally get your bitcoin back.

[silverfuture]

btchris I sent you a PM.

[btchris]

btchris I sent you a PM.

Been away for a while and I'm slowly catching up. I did get it, will hopefully reply soon...

[silverfuture]

Just wanted to let folks know that btchris cracked a password for me and I would consider him a trustworthy individual.  He could have stolen the btc but did not.

[Simon8x]

silverfuture and btchris, would you mind telling me (or through PM) about how complicated the password is (length? consists of upper-case/lower-case/special/numeric characters?) and how long the brute-forcing process takes?

[btchris]

silverfuture and btchris, would you mind telling me (or through PM) about how complicated the password is (length? consists of upper-case/lower-case/special/numeric characters?) and how long the brute-forcing process takes?

I hope you'll understand that I will not... that's up to silverfuture to decide.

Although if you have a set of password criteria in mind, I might be able to estimate such a thing for your circumstances, but you'd need to be fairly specific (about the password, about your wallet software, and possibly about your PC as well).

[ashraful1980]

I lost my password to a wallet that had 20 bitcoins in it, its now worth my effort to retrieve it. I tried using Revalins script found here https://bitcointalk.org/index.php?topic=85495.msg942171#msg942171 without any luck.

So I have modified it to brute force based off a base password that I know is correct, so I'm only have to brute force between 6-8 characters which is feasible.

Code:

#!/usr/bin/ruby -w
class Cracker
  def initialize(char_array, password_range)
    @char_array = char_array
    @password_range = password_range
  end

  def password_correct?(phrase)
    print "basepassword" + phrase, "\t"
    system("./bitcoind walletpassphrase basepassword#{phrase} 20")
    case $?.exitstatus
    when 0
      puts "Found it!  basepassword#{phrase}"
      exit 0
    end
    return false
  end

  def generate_password( perm_number, password_length )
    password=""
    (1..password_length).each do |char_number| # loop through characters
      char_reference = (perm_number / @char_array.length**(char_number-1)).floor % @char_array.length
      character = @char_array[char_reference]
      password << character
    end
    password
  end

  def do_combination( num_combinations, password_length )
    (0..num_combinations-1).each do |perm_number| # loop through combinations for a given length
      password = generate_password( perm_number, password_length )
      return password, perm_number if password_correct?(password)
    end
  end

  def crack()
    (@password_range).each do |password_length|  # loop to gradually increase password length
      num_combinations=@char_array.length**password_length
      password, perm_number = do_combination(num_combinations, password_length)
      if password
        puts "#{password} | Access Granted | #{perm_number} / #{num_combinations}"
        return password
      end
    end
  end
end

# I removed characters I was sure I didn't use
characters = "!$@01235@ABCDEFGIKLMNOSTWYZabcdefgiklmnopqrstuwyz".split(//)

cracker = Cracker.new( characters, (6..8) )
password = cracker.crack()

puts "No luck."
exit 1

This is going terribly slow though, but that is because I'm using CPU to try to crack this and I should take a lesson from the mining community and try to use my GPU through CUDA or OpenCL. I was wondering if anyone could help me adapt this script to python or a ruby OpenCL/CUDA library so that I can harness my GPU power to try to crack my password to recover it.

If not perhaps this will help someone else who ends up losing their wallet password and needs to brute force it. At 3-5 characters this would work find with a Quadcore.

Dear Sir,
I have many time tried to find tested password as "abc11" but it is not find. Could you please give me a guideline to operate the script. I have run your script before i have run the C:\Program Files (x86)\Bitcoin\daemon\bitcoind.exe please ask me anything wrong......

[sapce]

I only remember part of the wallet password. What command can I use in btcrecover to find it?