hashcat Forum
First time trying to "crack" something - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old hashcat Support (https://hashcat.net/forum/forum-20.html)
+--- Thread: First time trying to "crack" something (/thread-5436.html)



First time trying to "crack" something - Trib - 05-06-2016

Hi,
I'm trying to figure if what I'm trying to do is feasible with Hashcat(or the beta of oclHashcat for OS X). This is my first time using hashcat/oclhashcat.

I got the file where it's supposed to be the hash for my 1Password vault. But it's the last version of 1Password and the file is from a "container" called "1Password.opvault", it is not a ".filevault" extension one.

In this file I've found(among others) the file "profile.js" which seems to have my password. The fields in this file are(among less interesting ones) salt, masterKey, passwordHint(just text), iterations, uuid, overviewKey.

iteration is 25000
salt is 24 char long.
masterKey is 449 char long
overviewKey is 196 char long

The passwordHint one is not interesting for cracking but for making sure this is where the masterpassword is stored. I'm assuming masterKey is the hash and I have no idea what overviewKey is.

The problem is that I don't know what king of hash I have here, and thus I don't know what mode to use. If I try the -m 6600 I get the "Line-length exception" error. I've tried with padding(based on this question) so the hash is 2080 char long but I get the same error(the hash without padding is 449 char long).

With the mode 8200 I get the "Hash-length exception" with both padding and without padding.

Is it even possible to get this hash solved with either oclhashcat or hashcat on OS X? And if so, a little help, please?

BTW, this is from an old 1Password that I can't remember the password. I have a new one since some months ago, but this is just for fun/is interesting.


RE: First time trying to crack something - Trib - 05-06-2016

Updating this:

I've found the example hashes in the wiki and I've noticed my "hash" is different, it has more variety of characters, what makes me think it is not in hexadecimal form maybe? I've tried to convert it with:

echo "<hash>" | xxd -p
(and I've also tried with echo "<hash>" | xxd -p | base64, btw)

and I've tried the 6600 mode with both padded(to 2080 characters) and not padded, but I always get a "Line-length exception" message. I guess the length problem is also in the salt?

Also I've tried to crack the example hash(password is hashcat) and despite I don't get the lenght exception message it just gets stuck at "Checking for weak hashes...", which discourages me a lot because it makes me think even if I eventually solve the problem with the length, maybe the mode 6600 doesn't work on mac yet?


RE: First time trying to &quot;crack&quot; something - Trib - 05-08-2016

Updating:

According to AgileBits the new OPVault design uses PBKDF2-SHA512. I found no option in hashcat or oclhascat for this.

I can't find more info about this. Can anybody give me a clue? It's just currently impossible?


RE: First time trying to "crack" something - epixoip - 05-08-2016

If neither -m 6600 or -m 8200 work, then the algorithm is not supported.