Blockchain Wallet
#1
Hello everyone.

I am very new to this. I literally spent my whole day reading and watching videos. I have stupidly lost my password for my old blockchain wallet. I have the user ID but this is all. Blockchain are unable to help me reset the password and I really don't want to lose my crypto. 
I was hoping someone could point me to the best tutorial on how to brute force my password if all I have is the login ID. 

Any help would really be appreciated.
Reply
#2
If you would like to provide more details regarding potential passwords there may be something we can help with. Common things might be 4 words, specifically under x amount of characters may make a wordlist plausible to help. But without any details we're not going to get very far. Bruteforcing anything over 10 characters will most likely not be feasible with typical hardware so just a heads up.

As for additional information somethings that can help is your computer hardware at hand:

CPU
RAM
GPU

Type of wallet were working with, see example hashes for different types of wallets.

https://hashcat.net/wiki/doku.php?id=example_hashes

If were looking at hashmode 15200 then we may have a better opportunity in cracking as it is much faster than other wallets.
Reply
#3
Thanks for the help.

I honestly don't remember the password. I used a password generator years ago and have since lost access to it. The password would have likely been around 6-8 digits with a mixture of letters, numbers and special characters. 
 
CPU - Intel I9-7980XE 
RAM - 64GB
GPU - Nvidia 1080ti 

wallet - www.blockchain.com/login. I THINK its SHA-256 but Im not 100% sure how to check. You used to be able to download the JSON file but I cant see an option for this anymore.

Am I screwed ? Sad

(06-17-2020, 05:29 AM)slyexe Wrote: If you would like to provide more details regarding potential passwords there may be something we can help with. Common things might be 4 words, specifically under x amount of characters may make a wordlist plausible to help. But without any details we're not going to get very far. Bruteforcing anything over 10 characters will most likely not be feasible with typical hardware so just a heads up.

As for additional information somethings that can help is your computer hardware at hand:

CPU
RAM
GPU

Type of wallet were working with, see example hashes for different types of wallets.

https://hashcat.net/wiki/doku.php?id=example_hashes

If were looking at hashmode 15200 then we may have a better opportunity in cracking as it is much faster than other wallets.
Reply
#4
my guess is that you already should have a backup of your JSON file downloaded beforehand, ready to be used for recovery and saved to your disk ?
If you didn't make any backups and don't have any files, you probably can only try to get help by contacting the support (and also they need to somehow verify that you are the true account holder).
Reply
#5
Oh no that doesn't sound good Sad

I have contacted support and verified my identity but the problem is the wallet function is a noncustody wallet. So the company can not access the funds or the password. 
What they told me was. They have lifted the password attempt limit on my account so I can try as many passwords as I like without it having a negative effect. As I used a password generator I cant simply guess the password.
I was hoping I could use Hashcat to simply cycle through every combination of letters and numbers up to 8digits long and crack it that way. Is this not possible? I've been practising and have figured out how to crack basic hashes using attack mode and word lists but I cant quite find any videos that show me how to point hashcat at my particular login page and then try to brute force using random letters and numbers within the login portal itself. 
Thank you for all the help. I really appreciate it


(06-17-2020, 01:00 PM)philsmd Wrote: my guess is that you already should have a backup of your JSON file downloaded beforehand, ready to be used for recovery and saved to your disk ?
If you didn't make any backups and don't have any files, you probably can only try to get help by contacting the support (and also they need to somehow verify that you are the true account holder).
Reply
#6
hashcat cannot be used to attack websites.
Reply
#7
oh, this is actually interesting that the support team is offering you to kind of spam them with login requests. My guess is that there will still be a limit, it might just be a little bit larger (for instance a few dozens tries per minute or hour).

It would probably make much more sense if they could somehow tell you how they verify your login credentials (a hash algorithm used for the database-stored password probably)... and maybe even somehow sent you in a very secure manner the "hash" that they have stored (of course only for your specific user id) to verify that your login name and password are correct. It wouldn't probably be a problem for them to do so... but my guess is they won't do that nevertheless. They will probably say that they can't do it for legal reasons etc etc etc... but the real problem would be that they "leak" the information about how they store the passwords and how they verify login requests.
Of course you could argue against that, that otherwise you probably need to DOS / spam them with requests because your password is "random"/complicated. I think even a lawyer might NOT be able to make the company hand out the user login hash. They will try to find several arguments that this is not possible....

The problem with online cracking (i.e. cracking by sending web/http/https requests), is that it is both very slow (because of the network overhead etc), might not be 100% reliable and they could suddently send you wrong answers or block you (even if they told you there is no limit, they will/can do that, because otherwise you could risk to disrupt their services).

There are many such "online cracking tools", I think hydra was (or still is?) one of the most known one https://github.com/vanhauser-thc/thc-hydra ... but in this case you could also just develop a simple python/perl/php or whatever script that uses for instance the CURL library to send login requests (and basically automatically fill out the login form). Otherwise you could also use headless browsers, like most scrapers (or scraping tools/software) do... this is sometimes needed if there is some javascript involved on the page while logging in (basically a new way or alternative to the phantomjs approaches that were used some years ago to scrap or send web requests with some scripting).

There might also be new / better alternatives to hydra, that do these step all automatically. Maybe you find something on google+github etc.

.... but the problem still remains... it's not good to send a lot of web requests and just because some dude at the support team told you that you can now send more requests and that there is no limit in login attempts, it doesn't mean that you can DOS / spam the service and that you couldn't face some legal threats if you do so (that's also the problem of big companies, the administrators, security team might not even know that you are "allowed to try to login more often", they might just log your IP and send it to the legal team).
That means that I for sure wouldn't even try/risk to send dozens of requests per minute... if anything, you should really keep a very, very low amount of tries per day ... and this probably wouldn't allow you to find the correct password in years Sad

Therefore, I would recommend to still try to get more info and good will from the support team, also some clear written statements about what is allowed and what not. how many requests per hour or day etc. and ... maybe they are even allowed / willing to tell you how they verify your login credentials and give you another means to unlock the account (e.g. the user login hash approach, but I REALLY doubt that).

at the end it's also important to analyze / realize if this is really worth it. is the value stored that high ? or even somehow try to find backups of the password you have used (stored in a password manager or similar), or remember as much as possible from the password and somehow "log"/store your attempts to avoid trying the same password again and again (which for sure is a waste for your time and also a resource waste for the login server).
Reply