GPU brute forcing an encrypted wallet

[Jutarul]

You realize if you are successful you could brute force ANY BTC wallet whether you had legitimate claim to it or not.

Try breaking the encryption for a wallet you don't have.

First rule of business: Keep savings wallets offline. Forever.
Encryption is only meant to create an economic barrier and give you some time, once you realize that the wallet has been compromised (i.e. uploaded to the internet).

[1715119583]

1715119583

[1715119583]

1715119583

[1715119583]

1715119583

[1715119583]

1715119583

[yourstruly]

I'm having trouble isolating the functions I need out of the bitcoin client.

So what I understand is that there is a built in 100ms delay. If I extract out the piece to unlock it and bypass the rpc I can avoid that or is that because of the algorithm used to encrypt it?

[ihopedso]

That sounds terrible. I keep a unencrypted wallet on disk, just for this reason.

[deepceleron]

You are out of your depth. Decrypt this message:

U2FsdGVkX1+b0djAYNFH7ci5sgIKVEVittOk11oml4C/ESACHoqEYrdz0pkCfIf7

The password is 1234

Code:

/*
Private key encryption is done based on a CMasterKey,
which holds a salt and random encryption key.

CMasterKeys are encrypted using AES-256-CBC using a key
derived using derivation method nDerivationMethod
(0 == EVP_sha512()) and derivation iterations nDeriveIterations.
vchOtherDerivationParameters is provided for alternative algorithms
which may require more parameters (such as scrypt).

Wallet Private Keys are then encrypted using AES-256-CBC
with the double-sha256 of the public key as the IV, and the
master key's key as the encryption key (see keystore.[ch]).
*/

What a cracker needs to do is extract the public and private(encrypted) ECDSA keys for some addresses out of the wallet, and perform a billion billion trial decryptions based on a passphrase iteration, generating encryption keys using the same formula Bitcoin does, then verify the decrypted privkey also will create the ECDSA pubkey. The first thing you will find challenging is to parallelize is 25000 rounds of hashing for every master key attempt.

https://www.cryptool.org/trac/CrypTool2/browser/trunk/CrypPlugins/AES/OpenCL/AESOpenCL.cl?rev=2061

[yourstruly]

You are out of your depth. Decrypt this message:

U2FsdGVkX1+b0djAYNFH7ci5sgIKVEVittOk11oml4C/ESACHoqEYrdz0pkCfIf7

The password is 1234

Code:

/*
Private key encryption is done based on a CMasterKey,
which holds a salt and random encryption key.

CMasterKeys are encrypted using AES-256-CBC using a key
derived using derivation method nDerivationMethod
(0 == EVP_sha512()) and derivation iterations nDeriveIterations.
vchOtherDerivationParameters is provided for alternative algorithms
which may require more parameters (such as scrypt).

Wallet Private Keys are then encrypted using AES-256-CBC
with the double-sha256 of the public key as the IV, and the
master key's key as the encryption key (see keystore.[ch]).
*/

What a cracker needs to do is extract the public and private(encrypted) ECDSA keys for some addresses out of the wallet, and perform a billion billion trial decryptions based on a passphrase iteration, generating encryption keys using the same formula Bitcoin does, then verify the decrypted privkey also will create the ECDSA pubkey. The first thing you will find challenging is to parallelize is 25000 rounds of hashing for every master key attempt.

https://www.cryptool.org/trac/CrypTool2/browser/trunk/CrypPlugins/AES/OpenCL/AESOpenCL.cl?rev=2061

I appreciate this message, to be clear, you are suggesting I extract the public/private key from the address the funds were sent to and just attack that?

I didn't attempt this method because I don't think I have the computing power necessary for that since bitcoin's wallet encryption algorithm is so crazy.

I came to the conclusion I would have a much better chance trying actual passwords from a large list of possibilites with substitutions, subtractions and additions. But my main problem now is the RPC used to interact with bitcoind is waay too slow. So instead of trying to run multiple clients at once, someone suggested I extract the portion of code the RPC interacts with. I have been trying to do that and I'm making progress but its slow.

Side note, is there a script that encrypts/decrypts the public/private from bitcoin to and from ascii?

I really appreciate everyone's input.

[deepceleron]

I appreciate this message, to be clear, you are suggesting I extract the public/private key from the address the funds were sent to and just attack that? ...

Brute-forcing the AES secret directly would require you brute force the entire key space, which is infeasible. I suggest that you must make your own native code that does the pass-phrase->master key computation using possible human pass-phrases. This is intentionally made hard to crack, a good CPU will only be able to manage a few hundred key attempts a second.

[veryveryinteresting]

Please update if you progress! I have been trying to modify Revalin's code for my password but have been unsuccessful. I too remember part of it.

Thanks

[yourstruly]

I appreciate this message, to be clear, you are suggesting I extract the public/private key from the address the funds were sent to and just attack that? ...

Brute-forcing the AES secret directly would require you brute force the entire key space, which is infeasible. I suggest that you must make your own native code that does the pass-phrase->master key computation using possible human pass-phrases. This is intentionally made hard to crack, a good CPU will only be able to manage a few hundred key attempts a second.

So you are also recommending that I cut up the bitcoin client too? I'm trying to do this but having trouble. My wallet is now worth 2,000 and growing so its only more worth it by the day, so I guess Ill keep trying.

[yourstruly]

Please update if you progress! I have been trying to modify Revalin's code for my password but have been unsuccessful. I too remember part of it.

Thanks

Do you have an idea of how large the extra stuff on the base password is? If you can give me a bit more info I can try to help you out with what I have learned so far.

Also write down EVERYTHING you remember about it now, this moment.

[KennyH]

I'm having trouble isolating the functions I need out of the bitcoin client.

So what I understand is that there is a built in 100ms delay. If I extract out the piece to unlock it and bypass the rpc I can avoid that or is that because of the algorithm used to encrypt it?

I'm also in the same spot as you and trying to run ruby scripts with bitcoind at about 25 passwords/second.

Where did you find the info about the 100ms delay?

I think I saw some timing when the keys are generated so that the decrypt will not be too slow. This timing sets the nDeriveIterations  value for the master key.

[KennyH]

I'm having trouble isolating the functions I need out of the bitcoin client.

So what I understand is that there is a built in 100ms delay. If I extract out the piece to unlock it and bypass the rpc I can avoid that or is that because of the algorithm used to encrypt it?

I'm also in the same spot as you and trying to run ruby scripts with bitcoind at about 25 passwords/second.

Where did you find the info about the 100ms delay?

I think I saw some timing when the keys are generated so that the decrypt will not be too slow. This timing sets the nDeriveIterations  value for the master key.

@yourstruly, you were right. When wallet is encrypted and every time the password is changed the decryption time is calculated
to about 100 ms and set in nDeriveIterations for the master key.
To effectively crack a strong password you would have to run the crack program on a computer with multi cpu or with a much
faster cpu than was used to encrypt the wallet.
I think multi cpu/gpu is the way to go.

[Ronya]

Sorry guys to bother you. And sorry for my bad english. I get straight to it. One year ago, in was interessed in BTC and i bought 1,0 for reasonable price. My Programm was Multibit because in the other boards, they told me it is most user-friendly and i can subcribe. So i thought 1,0 Bitcoin would raise and raise, but did not. So i want to sell it.
Problem i can remember the password and iam very desperated.Okey, its not the end of the world.
I google a lot and the majority said your pw is gone.
Some mentions Brute Force, Scripts atc. But i do not know how to use it. What i need is an exe.progamm where i put the pw-wallet, i wait a couple of hours. And i got my PW back.
Only thing remember, it was not jibberish, it was short 6 words and german.
Could you help me or is the case closse?
Best Regards

[btchris]

Sorry guys to bother you. And sorry for my bad english. I get straight to it. One year ago, in was interessed in BTC and i bought 1,0 for reasonable price. My Programm was Multibit because in the other boards, they told me it is most user-friendly and i can subcribe. So i thought 1,0 Bitcoin would raise and raise, but did not. So i want to sell it.
Problem i can remember the password and iam very desperated.Okey, its not the end of the world.
I google a lot and the majority said your pw is gone.
Some mentions Brute Force, Scripts atc. But i do not know how to use it. What i need is an exe.progamm where i put the pw-wallet, i wait a couple of hours. And i got my PW back.
Only thing remember, it was not jibberish, it was short 6 words and german.
Could you help me or is the case closse?
Best Regards

btcrecover might help, but only if you remember a decent amount of your password. It does support Multibit, although it doesn't support non-ASCII letters, so if your password had any umlauts it won't help. There's a tutorial with a quick start here (in English, sorry).

This thread has a lot of good information related to password recovery, but some of it is specific to Bitcoin Core (Bitcoin-Qt) wallets.

If you have any specific questions about btcrecover, let me know and I'll try to help (I'm the dev).

[Ronya]

I'll try but it is to complicated. I thought a bruteforce was build like bloodpatch or serial.exe, you click the button then you got it. I think to understand that you must know basics of codings. Apparertly a german guy called Rene78 has the same problem and solved it, but he stays offline It is like i got the cure for cancer Good luck guys

[btchris]

I'll try but it is to complicated. I thought a bruteforce was build like bloodpatch or serial.exe, you click the button then you got it.

Bitcoin wallets all (that I know of) use strong encryption. The point is to protect you from hackers. This also means that if you lose your password, you could be in trouble.

If you describe everything you remember about your password, I can try to help. You don't have to use specifics -- for example you could say "I know my password contained 3 - 5 of these words below, and then a 1 - 2 digit number" and give example words, but not the actual ones you had in mind.

If you want to use Bitcoin in the future, look into a "deterministic" wallet, such as Electrum or Armory. They have easy backup-to-paper and recovery mechanisms that can help.

[Ronya]

I really fight i click on these python cmd it appears for one second and then diseapers.

I know for certain it was short and german. Maximun 5-6 letters(no numbers). Normally the first Letter is Big, you know what i mean, not frog, but Frog.

Do can really help me, because in my timezone is soon sleepytime. :-)

When i put my wallet.key whatever into a editor than came a jibberish of digits and letters...so is there my pw hidden?

I try now this hashcat tgod know ifm it willhelp..

[btchris]

The different languages thing is hurting us... but I'll try.

From the Quick Start, follow Step 1 to install everything.

Next, open Notepad, and then copy and paste this into Notepad:

Code:

#--pause --no-dupchecks --wallet multibit.key
%ia%0,5a

Next, save the Notepad file into the btcrecover-master folder you unzipped from Step 1. The file name must be btcrecover-tokens-auto.txt

Next, follow Step 5 from the Tutorial Quick Start. After you find your Multibit .key file, copy it into the same btcrecover-master folder, and then rename the .key file to multibit.key

Finally, double-click btcrecover.py, and it should start.

If you installed PyCrypto in Step 1 (optional), it will take an hour or two to finish. If you didn't install PyCrypto, it will take around 6 - 24 hours to finish.

This will test every password from 1 to 6 letters long. The first letter is upper or lower case, the rest are all lower case. No numbers or symbols.

Good luck!

[Ronya]

From my bottom of my heart thank you chris.Unfournatly it did not work, because nothing happens when i click btcrecover.py. It appears  0000000,1 sec and than gone. If i type cmd it stays.
i do not know why btcrecover.py. is so bitchy.

[Ronya]

No I surrender. Python wants not open. But i found out i can idle this.This is Monster about all wallets, but nothing where it wrotes there is your password.

For a butterflly i could toke a picture, maybe you understands why pyton do like me

http://img5.fotos-hochladen.net/thumbnail/boardf9sxchg87w_thumb.jpg

[btchris]

Thank you for the picture, it is very helpful.

I understand what the problem is, but I can't fix it tonight, sorry about that.

I'll post an update tomorrow sometime...