We may have old wallet.dat files which we are unable to access or recover funds from. This could be because we have forgotten their passwords. To most people, those wallets are inaccessible, but there is still a chance that we may recover those wallets using a program named Bitcoin2john.
You can learn here how easily you can recover your wallet password through this simple program. This guide may be very handy for you.
Where to get the Bitcoin2john script from?
Bitcoin2john is a small Python script that extracts the hash out of Bitcoin core wallet.dat file. When it extracts the hash, then you use a hash recovery tool to recover the lost passwords. Usually, the program used for hash recovery is John The Ripper (hence why it’s called Bitcoin2john). But in the case of Bitcoin wallets, Hashcat is the tool of choice. It is a more advanced alternative to John The Ripper.
Bitcoin2john prerequisites
First of all, because Bitcoin2john only works with Bitcoin Core wallet.dat files, this is the file from a you must have. It also works with some wallet.dat files of altcoins derived from Bitcoin (e.g. Litecoin, Doge, etc.)
Obviously, you must also have Bitcoin2john on your computer, which you can get in one of two ways:
- Run
git clone https://github.com/openwall/john/, and the Bitcoin2john script will be available under the path./run/bitcoin2john.py(If you are on Windows then install Git for Windows first to get git) - Or just copy and paste the file from Github: https://github.com/openwall/john/blob/bleeding-jumbo/run/bitcoin2john.py
It is recommended (but not required) to have Python 2 installed to run Bitcoin2john. The reason is to avoid the Berkeley DB dependency installation process when you run Bitcoin2john on Python 3. For a long time, Pywallet was based on Python 2, and Bitcoin2john code was actually forked from it. Nevertheless, Bitcoin2john does support Python 3.
Choosing Your Weapon Of Choice
As we mentioned above, the two programs you can use for brute forcing Bitcoin wallet.dat password hashes are John The Ripper and Hashcat. Each one has its own advantages:
- John The Ripper is the classic program that can crack passwords via OpenCL GPU language and Intel AVX, AVX2, and AVX512 instruction sets. It does not natively support wallet.dat files (some dependencies need to be installed).
- Hashcat is a more modern cracker that supports NVIDIA CUDA, has a higher performance than Bitcoin2john, and natively supports cracking Bitcoin wallet.dat files.
John The Ripper needs some extra work to be able to crack wallet.dat files. In particular, you must already have a compatible version of Berkeley DB installed, because wallet.dat files are actually Berkeley DB files.
To quote Bitcoin2john creators Openwall…
1. Run bitcoin2john.py on Bitcoin or some altcoin wallet file(s).
E.g.
../run/bitcoin2john.py wallet.dat >> hashes2. Run john on the output of the bitcoin2john.py script.
E.g.
../run/john hashes3. Wait for the password(s) to get cracked.
Notes:
– This procedure also works with many altcoins historically forked from Bitcoin.
– The bitcoin2john.py script is compatible with both Python 2 and Python 3.
– Since Python 3 no longer provides Berkeley DB support out of the box, to getthe script to work with Python 3 you need to install the corresponding module:
pip3 install bsddb3(maybe with “sudo”, depending on your setup).
For the command above to work you also need to have Berkeley DB itself
installed first, so e.g. on Fedora you need to start by running:
https://github.com/openwall/john/blob/bleeding-jumbo/doc/README.bitcoinsudo dnf install libdb-devel python3-devel
[Editor’s note: And on Ubuntu:sudo apt-get install libdb-dev libpython-dev]
You will also need to download the hashcat program. You will use this to brute-force the password of the wallet file. If the wallet had a simple password, it would be easy to recover as compare to the one with the more complex password. The longer the password, the more time it will take for the hashcat recovery tool to recover and decrypt it.
Step by Step Guide to use Bitcoin2john
- Copy your wallet.dat file to the Documents folder. You may also copy it to another folder but if you do then you must change the paths accordingly.
- Install Python 2.7 on your computer. The final release of Python 2.7 is 2.7.18, and it can be installed alongside Python 3. Bitcoin2john currently does not work with Python 3.
- Open a text editor and copy the Bitcoin2john script from github. (Link is provided at the end of this tutorial). Save it as bitcoin2john.py in your Documents folder.
Now to extract the hash of the bitcoin wallet, we will run the saved python script bitcoin2john.py. We will need a terminal in order to run it though, so we provide instructions for how to open the system terminal on each operating system.
Windows
- Press <Windows Key> + R (that’s the Windows key first, then R at the same time and hold them) to open the Run dialog box, then type cmd.exe and press Enter.
- Or you can go to the Taskbar and click on the Search button if you are on Windows 10, and type cmd.exe.
- Also you can open Task Manager, and go to the File > Run menu item, which will also open the Run dialog box where you can type cmd.exe.
Mac
- Open Launchpad by clicking on the Launchpad icon (it looks like a rocket ship) on the Dock.
- Look for the Terminal app, which is in the Utilities category.
Linux
- Generally, each Linux distribution will have a menu entry called Terminal, Konsole, or something similar.
- If you are using the GNOME window system, it is called Terminal under the Applications menu on the top bar.
- If you are using KDE or another desktop, it will be inside the start menu on the bottom left called something like Konsole, Console, Terminal, or xterm.
Now run the following command inside the terminal:
python Documents/bitcoin2john.py Documents/wallet.dat > Documents/walletRecovery.hash
This command will create the walletRecovery.hash file. The walletRecovery.hash file should look like this.
$bitcoin$64$f6f82a9f0cb0eda2659fa8fb6e8a69ab72c753165427959c9828637f4142fef1$16$4f4634841b9617e4$194354$2$00$2$00
We will now use hashcat for recovering the hash. The hashcat will decrypt the password using different techniques like Dictionary Attack, Brute Force Attack , Mask Attack or Hybrid Attack. You can use that password to recover your wallet.
Using Hashcat to crack the wallet.dat
Hashcat is an open-source program that we will use to crack bitcoin wallet.dat using the hash we extracted earlier. It is a command-line program that runs on Windows, Mac and Linux, and has five main attack modes:
- Dictionary which just tries each word in a wordlist like Bitcoin2john
- Combinator which concatenates two words in a wordlist to make a longer word
- Mask, which uses one or more patterns to find the password
- Hybrid – like Combinator but the other word is a result of Dictionary method
- Rule-based, using rule files
Downloading and Installing Hashcat
There is no installation process for Hashcat. This is because hashcat is a portable binary which you can run in any folder. You simply need to download the binaries from the Hashcat website. The Windows, MacOS, and Linux versions are all included inside the binary archive.
In Hashcat, we have rules, patterns, and wordlists. Wordlists are, as you might have expected, lists of password combinations for Hashcat to try. However, it is often more efficient to use rules and patterns. They can cover thousands, or even millions of different password combinations without having to put each one on its own line.
Patterns are a bit similar to regular expressions. Rules are more of a scripting language that can use logic and operators to select the patterns to use.
Fortunately, you don’t have to spend hours learning how to create rulesets in order to recover your lost bitcoin. Somebody already did all that hard work for you.
One Rule To Rule Them All
There is literally a rule on the internet with this name, which you can obtain here. It includes dumps and variations of real-world passwords that have been used online. They are spread across multiple wordlists. It has been very effective in recovering lost wallet.dat passwords. Here, we will show in two simple commands how to combine Hashcat with the OneRuleToRuleThemAll:
- Download the OneRuleToRuleThemAll rulelist from https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule
- Run the following command in a terminal:
hashcat.exe --stdout wordlist0.txt -r rules/OneRuleToRuleThemAll.rule | hashcat.exe -m 11300 hash.txt. Make sure thathash.txtis the name of the hash file you extracted using Bitcoin2john. It should also be accessible from the current directory.
