Wallet.dat recovery
#1
Hi guys,

I have wallet.dat btc which I didnt use for long time and forgot passphrase. I have some candidates for it and it doesnt work. 

My question is related to this great software which I started for hashing. So I hashed out wallet.dat and import it in .bat file which is starting hashcat.exe. I am doing this with 3x1060 6gb gpus and those are working good on 100% but...

1. I didnt import words in it cause when tried it says need -a 0, when try to make -a 0 it doesnt recognize hash. So how to import words?

2. when will I know if it found passphrase?

3. What about masking, I read it a lot about it but do not have clue of passphrases?

4. what rules is best in my case?

edit:
5. if electricity stops what about log file?

I am on win7 64bit 

Thanks in advance for help and maybe this will hlp somebody else Smile
Reply
#2
https://hashcat.net/wiki/doku.php?id=hashcat has all the answers you're looking for.

1. See -help: Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
2. Hashcat has 3 status' : Running, Cracked, Exhausted
3. Also on the wiki https://hashcat.net/wiki/doku.php?id=mask_attack
4. Also on the wiki https://hashcat.net/wiki/doku.php?id=rule_based_attack
5. Also on the wiki https://hashcat.net/wiki/doku.php?id=restore

Bitcoin wallets are a very slow hash, unless you have a general idea of what your password is with very few alterations you should have no issues recovering it. Bruteforcing a wallet is nearly impossible after guessing more than 5 characters so again as I mentioned, unless you have a general idea you're not going to have any luck bruteforcing a large keyspace. 

To get a general idea of your timespan heres the example hash  running rockyou.txt /w best64.rule on 1070. 
Code:
Session..........: hashcat
Status...........: Running
Hash.Type........: Bitcoin/Litecoin wallet.dat
Hash.Target......: $bitcoin$96$d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d...760525
Time.Started.....: Fri Jan 10 16:51:04 2020 (3 secs)
Time.Estimated...: Tue Jan 14 22:19:39 2020 (4 days, 5 hours)
Guess.Base.......: File (rockyou.txt), Left Side
Guess.Mod........: File (rules/best64.rule), Right Side
Speed.#1.........:    4005 H/s (5.91ms) @ Accel:64 Loops:16 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/1463127168 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7136-7152
Candidates.#1....: 123456## nothing, reverse, case... base stuff -> dolphins6## nothing, reverse, case... base stuff
Hardware.Mon.#1..: Temp: 37c Fan: 23% Util: 97% Core:2075MHz Mem:4104MHz Bus:16
Reply
#3
(01-11-2020, 12:56 AM)slyexe Wrote: https://hashcat.net/wiki/doku.php?id=hashcat has all the answers you're looking for.

1. See -help: Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
2. Hashcat has 3 status' : Running, Cracked, Exhausted
3. Also on the wiki https://hashcat.net/wiki/doku.php?id=mask_attack
4. Also on the wiki https://hashcat.net/wiki/doku.php?id=rule_based_attack
5. Also on the wiki https://hashcat.net/wiki/doku.php?id=restore

Bitcoin wallets are a very slow hash, unless you have a general idea of what your password is with very few alterations you should have no issues recovering it. Bruteforcing a wallet is nearly impossible after guessing more than 5 characters so again as I mentioned, unless you have a general idea you're not going to have any luck bruteforcing a large keyspace. 

To get a general idea of your timespan heres the example hash  running rockyou.txt /w best64.rule on 1070. 
Code:
Session..........: hashcat
Status...........: Running
Hash.Type........: Bitcoin/Litecoin wallet.dat
Hash.Target......: $bitcoin$96$d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d...760525
Time.Started.....: Fri Jan 10 16:51:04 2020 (3 secs)
Time.Estimated...: Tue Jan 14 22:19:39 2020 (4 days, 5 hours)
Guess.Base.......: File (rockyou.txt), Left Side
Guess.Mod........: File (rules/best64.rule), Right Side
Speed.#1.........:    4005 H/s (5.91ms) @ Accel:64 Loops:16 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/1463127168 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7136-7152
Candidates.#1....: 123456## nothing, reverse, case... base stuff -> dolphins6## nothing, reverse, case... base stuff
Hardware.Mon.#1..: Temp: 37c Fan: 23% Util: 97% Core:2075MHz Mem:4104MHz Bus:16

Thanks for answers.

Could you send me code line for .bat file where I include:
- .txt candidates file 
- with output file and 
- mask attacks

...and another one with all above mentioned just with bruteforce.

It looks like I put it on stock bruteforce and it is working but as you said it wouldnt help much.

Thanks again

EDIT: OK I did it, but next question is how to use it with combination of password parameters, so for example if have two pass try21 and example22 to make combination of every letter and numbers?
Reply
#4
What it sounds like you're wanting to do is use a wordlist and add digits to the end. In this situation using a hybrid attack will fulfill that attack.

Code:
hashcat64.exe -m 11300 -a 6 -w 3 -o output.txt hash.bat wordlist.txt ?d?d
Reply
#5
(01-11-2020, 10:28 AM)Frang Wrote:
(01-11-2020, 12:56 AM)slyexe Wrote: https://hashcat.net/wiki/doku.php?id=hashcat has all the answers you're looking for.

1. See -help: Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
2. Hashcat has 3 status' : Running, Cracked, Exhausted
3. Also on the wiki https://hashcat.net/wiki/doku.php?id=mask_attack
4. Also on the wiki https://hashcat.net/wiki/doku.php?id=rule_based_attack
5. Also on the wiki https://hashcat.net/wiki/doku.php?id=restore

Bitcoin wallets are a very slow hash, unless you have a general idea of what your password is with very few alterations you should have no issues recovering it. Bruteforcing a wallet is nearly impossible after guessing more than 5 characters so again as I mentioned, unless you have a general idea you're not going to have any luck bruteforcing a large keyspace. 

To get a general idea of your timespan heres the example hash  running rockyou.txt /w best64.rule on 1070. 
Code:
Session..........: hashcat
Status...........: Running
Hash.Type........: Bitcoin/Litecoin wallet.dat
Hash.Target......: $bitcoin$96$d011a1b6a8d675b7a36d0cd2efaca32a9f8dc1d...760525
Time.Started.....: Fri Jan 10 16:51:04 2020 (3 secs)
Time.Estimated...: Tue Jan 14 22:19:39 2020 (4 days, 5 hours)
Guess.Base.......: File (rockyou.txt), Left Side
Guess.Mod........: File (rules/best64.rule), Right Side
Speed.#1.........:    4005 H/s (5.91ms) @ Accel:64 Loops:16 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 0/1463127168 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7136-7152
Candidates.#1....: 123456## nothing, reverse, case... base stuff -> dolphins6## nothing, reverse, case... base stuff
Hardware.Mon.#1..: Temp: 37c Fan: 23% Util: 97% Core:2075MHz Mem:4104MHz Bus:16

Thanks for answers.

Could you send me code line for .bat file where I include:
- .txt candidates file 
- with output file and 
- mask attacks

...and another one with all above mentioned just with bruteforce.

It looks like I put it on stock bruteforce and it is working but as you said it wouldnt help much.

Thanks again

EDIT: OK I did it, but next question is how to use it with combination of password parameters, so for example if have two pass try21 and example22 to make combination of every letter and numbers?

if you run windows you can use the combinator tool to combine all your words to pipe to hashcat or create a custom or rule list that will add whatever you want to each word. for example run mp64 ?d?d?d?d --increment=1:4 > numer1-4.txt and then combine with your wordlist or use attach -6 to add it in hashcat.

/DH
Reply