Where to get wallet.dat files

Robot999

BANNED
Hello forum,
Please, where can I buy a wallet.dat file? And how can I get it?
Thanks
Hello.

You can hack through anything.

One of the most common questions I get asked is what can be hacked through. What data is the minimum required in order to hack a person? I rarely paint the full picture. Often I only answer about the basic hacking methods. In fact, you can hack through anything: mp3 files, photos, archives, even a picture on the site!

I rarely talk about these methods because they are not universal and based on vulnerabilities. Getting information about such a vulnerability is already a difficult task. For an independent search, you need solid knowledge, and buying a ready-made version costs a lot of money.

It is much easier for a person without knowledge of the intricacies of the matter to start with an executable file. Anyway, as a result of any attack, the ultimate goal is to execute your code on the machine. But this time I have a reason to tell you more about the practical part. In a recent attack, I had to exploit vulnerabilities in installed programs in order to get to the machine.

The attack began as usual. I found a promising cryptocurrency holder, and I found him in a rather interesting place: the Bitcoin Core support forum.

Bitcoin Core is the original application for storing and exchanging Bitcoin. Its peculiarity is that the wallet data is stored locally in the wallet.dat file, not on a server as with all online wallets. Moreover, in many cases this file is not encrypted in any way. Initially, the encryption function did not exist at all, and most of the old wallets are in plaintext.

To take over a wallet without a password, it is enough to grab wallet.dat, and full access to the funds is in your pocket. Password-protected wallets are encrypted; the only way to get into such a wallet is to enter the correct password. Here you can act head-on and find the right combination using brute force (a brute-force program). Since all the data is stored offline, you can make as many attempts as you like on any number of devices; no one can block access, and the owner will not even get a notification. But I was able to find a nicer way to get hold of the password.

From the target's activity on the forum, one could assume that he had a decent amount in his account. But still, the first thing I did was find out the exact amount in his Bitcoin Core account. I learned this from corresponding with him.

In the forum thread where I found him, he was dealing with a DLL error when trying to sign a message. This function is needed to confirm ownership of an address. In the screenshot in the thread, the wallet balance was not visible; it was covered by the sign-message dialog with the error.

[screenshot]

I needed to get a screenshot of the main window where the balance is shown. I wrote to him in a private message, saying that I had had the same problem and that it can be fixed by installing dependencies. To do this, there is an "install dependencies" item in the settings menu. In fact, there is no such item. As soon as he wrote to me that he could not find it, I asked him to send a screenshot of the settings menu so I could tell him which menu item he needed. I ended up getting this:

[screenshot]

The stakes are known. He has almost 9 bitcoin in his account. This is the good news; the bad news is that wallet.dat is encrypted. And the method of obtaining the password depends on what kind of access I can get to his machine.

To start the attack, I tried the most obvious method: find a program for fixing driver problems, bind it with a virus, and send it to him. If you can convince him to run the program on the host (and drivers are needed there), then part of the job is done, and I will get wallet.dat. It remains to crack it, but that is a problem of the next order.

Brazenly throwing an .exe at him would be too suspicious, and I didn't want to risk it. A small landing page was developed to host the file. All of its design was taken from an existing site, and the description was borrowed from a similar program. Only the file was replaced with the viral version, and the error description was adjusted to fit it. From the outside, it looked like the page of a well-established program.

[screenshot]

I contacted him. I said that if the menu does not have a function for loading everything you need, then you need to install the missing components with a third-party program, and I sent him a link to the landing page. I figured that he was not so paranoid that he would refuse to download software from the "official" site.

Things didn't go according to plan. The next message from him was that he would install a version like mine, with the dependency-installation function, on the grounds that it is more reliable. And he asked me for the version number I was using. Then it became obvious that creating a new landing page with a viral Bitcoin Core was hardly a good idea; he keeps track of what he downloads.

Then I went to the server to check whether he had visited the landing page at all. I logged in, and a new entry from a different browser had appeared in the logs, so I had his IP in my hands. And I decided to try to get access to the system through it. First, I scanned for open ports. It turned out that many programs on the machine listen on different ports.

First of all, attention fell on port 22, which usually carries SSH. It can be found everywhere on Linux, but on Windows it is rare. SSH gives the right to remotely execute commands on behalf of the user, so there is a lot of scope for attack here. Connecting directly to the port, I saw this:

[screenshot]

After looking for information about RebexSSH, I realized that this is not plain SSH but an SFTP server. Like FTP, only encrypted. Apparently, this is not a very popular program, and it is not actively supported. An ideal target for an attack. I didn't have a ready-made exploit for it, nor did I have time to dig through the source code.

For help with the hacking, I turned to a friend who was engaged in hacking SSH. I hoped that he would tell me which weak or outdated authorization algorithms the program has. Instead, he said that he had a ready-made exploit for this version of RebexSSH. It was impossible to find it on the Internet, so the fact that he shared it with me greatly accelerated the process. The vulnerability I received allowed me to bypass authorization. With FTP access you can download wallet.dat. And then I came up with an idea for how to get the password using my access to the files. To begin with, I wanted to plant a virus on him. FTP does not allow you to run programs, but why not replace some frequently used program with a virus! For example, the browser. Then when he tries to open his browser, it will activate my virus. And there you can already run a keylogger and intercept the password. Only the encryption password is not requested at every startup. At this point, a brilliant idea came to my mind: replace Bitcoin Core itself! And not bundled with a virus, but by embedding a decryption-key request into the program itself.

This is impossible to notice, no matter how attentive the person is. You start the wallet, and you are asked to enter the password to decrypt it. Everything is very logical. And the entered password is sent to me along with wallet.dat.

I asked a coder to patch the wallet to add the password request. I do not know how, but the working program was ready the next day. Through the vulnerability, I replaced the wallet executable, and by the evening there was a wallet with its password in the admin panel.

[screenshot]

One of the longest stages turned out to be waiting for Bitcoin Core to download. To import wallet.dat, I had to wait for the entire blockchain to load. After synchronization, I had full access to his wallet in my hands. I transferred the money from it to a new blockchain wallet, the private key to which only I have.

[screenshot]

You can get more information in this thread:
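The story above hinges on swapping the victim's wallet executable for a modified build, which only works because nobody checked the installed binaries against known-good hashes. As an added example (not code from the post or from Bitcoin Core), here is a small integrity check that parses a `SHA256SUMS`-style manifest (the `sha256sum` text format: hex digest, two spaces, filename), hashes the files in an install directory, and reports anything missing or modified. The file names and contents in `demo()` are constructed for the demonstration; the manifest layout is the only real-world format assumed.

```python
"""Detect replaced or tampered wallet binaries with a SHA256SUMS-style manifest check."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum output ('<hex>  <name>' or '<hex> *<name>') into {name: digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_tree(root, expected):
    """Return {name: 'ok' | 'MODIFIED' | 'MISSING'} for every file the manifest lists."""
    results = {}
    for name, digest in expected.items():
        path = Path(root) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_file(path) != digest:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: record hashes of a clean install, then replace one binary."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for the installed executables (not real binaries).
        clean = {
            "bitcoin-qt.exe": b"MZ constructed clean wallet GUI",
            "bitcoind.exe": b"MZ constructed clean daemon",
        }
        for name, data in clean.items():
            (root / name).write_bytes(data)
        # Manifest as it would be produced by `sha256sum` over the clean install.
        manifest = "\n".join(f"{sha256_file(root / n)}  {n}" for n in clean)
        expected = parse_manifest(manifest)
        before = verify_tree(root, expected)
        # Simulate the swap described in the post: the GUI binary is replaced.
        (root / "bitcoin-qt.exe").write_bytes(b"MZ constructed tampered GUI")
        after = verify_tree(root, expected)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean install :", before)
    print("after tamper  :", after)
```

Bitcoin Core releases ship a signed `SHA256SUMS` file, so the same routine can be pointed at the official manifest for the installed version; a hash mismatch on a file that has not been legitimately updated is exactly the signal that the executable on disk is no longer the one that was installed.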
Thank you.
Do you know where I can buy logs for wallet.dat?