Topic: Blackcoin Wallet Passphrase mistyped - Bruteforce

Summary: I executed a (limited!) brute force attack on a wallet where I mistyped the passphrase. Attached is a short tutorial on how to do it.

Long story: In March 2017 I created a wallet. I keyed in my passphrase, 70 characters long (yes, it is long), wrote it down, and bought Blackcoin. The next day I tried to open it, but it seems that I had mistyped the passphrase (two times). So I started a long research into how to "hack" it. I finally figured out that I could make a limited brute force attack by using RPC. So, I got familiar with curl (RPC tool) and created a batch script with Excel where I just changed one character per try. I ended up with 5200 tries.

And boom: It worked! It was try number 2814 which worked. So, I really just mistyped one single character.
The wallet has been opened once again. So now I have access to my Blackcoins.

TUTORIAL

I was using the old blackcoin-qt (on Windows) because the wallet was created with this one. I do not know if it is compatible with Lore.
The situation is that you remember the passphrase (more or less), but you think that you mistyped just one character.
The idea is to make a limited brute force attack on the wallet, that is, to test different passphrases which are similar to the one you remember.

We will create a (batch) script which calls blackcoin-qt (as a server) via RPC and tries to open the wallet with different passphrases.

What did not work

I found some hints concerning hashcat and bitcoin2john (also for Blackcoin), which enable you to retrieve the seed out of the wallet and to make a bruteforce on the hash of the seed (with hashcat).
But it did not work, because the blackcoin wallet seems to be different than the bitcoin wallet.

There is also no direct commandline parameter for opening the wallet with passphrase. So I started to work with RPC.

Using the blackcoin-qt as a server

Switch into C:\Users\myusername\AppData\Roaming\BlackCoin and place a blackcoin.conf file here. This should contain (at least) these entries:
# server=1 tells BlackCoin to accept JSON-RPC commands.
server=1

# You must set rpcuser and rpcpassword to secure the JSON-RPC api
rpcuser=user
rpcpassword=password

# Listen for RPC connections on this TCP port:
rpcport=15715

# You can use BlackCoin or blackcoind to send commands to BlackCoin/blackcoind
# running on another host using this option:
rpcconnect=127.0.0.1

Start blackcoin from the commandline with the server parameter like this:
blackcoin-qt -server=1

Test RPC Calls with curl

Download curl (an RPC tool for the commandline):
https://curl.haxx.se/

For this test you should use a newly generated wallet with a password you know.

First test with the getinfo method, which shows you if the connection to the Blackcoin Daemon is established:
curl --header "Content-Type: application/json" --data-binary "{\"jsonrpc\":\"1.0\",\"id\":\"curltest\",\"method\":\"getinfo\",\"params\":[]}" http://user:password@127.0.0.1:15715/

If you do not get any connection, you can also use netstat -a to see if your machine is listening on the port 15715.

Finally, the method to open the wallet via RPC (uses two parameters):
curl --header "Content-Type: application/json" --data-binary "{\"jsonrpc\":\"1.0\",\"id\":\"curltest\",\"method\":\"walletpassphrase\",\"params\":[\"mySecretWalletPassword\",50]}" http://user:password@127.0.0.1:15715/

Note the output you get when you use the correct password:
{"result":null,"error":null,"id":"curltest"}
Later we want to search in a logfile for the expression "error":null in order to identify the correct password.

Generating the Bruteforce Script
I used an Excel file to create a script. On the basis of the so-far-remembered passphrase and a selection of possible characters, this script changes only one character for each row.
I ended up with roughly 5000 rows, but I used a very long passphrase (70 characters).
Using the Excel output you can create a script out of it.

If you are interested in the Excel file, please send me a PM.

Execution
Start the script (batch) and pipe the output into a log:
myScript.bat > log.txt

When the batch has finished, search for the expression "error":null
If you found it, you will find the password in the line above the expression.

Limitations
I used the old blackcoin-qt (not Lore), because the wallet was generated with blackcoin-qt. Lore should use the same RPC implementation, but it is untested whether this tutorial also works with Lore.
I used this on Windows; I do not know if this will also work on Linux.
Some special characters are a little bit tricky in curl, because some of them, like "<", make curl crash. Perhaps you can escape these special characters somehow.
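
The candidate generation and result check described in this thread, as an added example that is not part of the original post: it builds every one-character variant of a remembered passphrase, wraps each in a walletpassphrase JSON-RPC body without any shell quoting, and accepts only a reply whose "error" is null. The function names, the sample passphrases, the error reply and the fake_daemon stand-in are constructed assumptions so the example runs offline.

```python
import json

def single_char_variants(remembered, alphabet):
    """Yield each passphrase that differs from `remembered` in exactly one character."""
    chars = list(dict.fromkeys(alphabet))          # drop duplicate characters, keep order
    for pos, original in enumerate(remembered):
        for ch in chars:
            if ch != original:
                yield remembered[:pos] + ch + remembered[pos + 1:]

def rpc_body(passphrase, timeout=50):
    """JSON-RPC body for walletpassphrase; json.dumps does the quoting, no shell involved."""
    return json.dumps({"jsonrpc": "1.0", "id": "curltest",
                       "method": "walletpassphrase", "params": [passphrase, timeout]})

def is_success(response_text):
    """True only for a JSON reply whose "error" member is null, as in the post's sample."""
    try:
        reply = json.loads(response_text)
    except ValueError:
        return False
    return isinstance(reply, dict) and "error" in reply and reply["error"] is None

def recover(remembered, alphabet, send):
    """Try each variant via send(body) -> reply text; return (try number, passphrase) or None."""
    for tries, cand in enumerate(single_char_variants(remembered, alphabet), start=1):
        if is_success(send(rpc_body(cand))):
            return tries, cand
    return None

def fake_daemon(real_passphrase):
    """Constructed stand-in for the wallet's RPC server (assumption, not BlackCoin code)."""
    def send(body):
        if json.loads(body)["params"][0] == real_passphrase:
            return '{"result":null,"error":null,"id":"curltest"}'
        return '{"result":null,"error":{"code":-14,"message":"constructed"},"id":"curltest"}'
    return send

if __name__ == "__main__":
    remembered = 'correct horse <battery> "staple"'   # constructed: what was written down
    mistyped = 'correct horse <bittery> "staple"'     # constructed: what the wallet holds
    print(recover(remembered, "abcdefghijklmnopqrstuvwxyz", fake_daemon(mistyped)))
```

Passing a `send` that POSTs the body to the RPC URL configured above takes the place of the batch file and the log search.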