hashcat Forum
LastPass new App hash extraction explanation - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: LastPass new App hash extraction explanation (/thread-9201.html)



LastPass new App hash extraction explanation - philsmd - 05-07-2020

Thanks to @Chick3nman, I came to the attention that LastPass has a new native App and is NOT directly using the browser extension architecture on macOS anymore, see:
https://www.theverge.com/2020/1/29/21113505/lastpass-native-mac-app-store-replacement-web-safari-extension-update

also see the "LastPass Mac App" from https://lastpass.com/misc_download2.php#tab-mac (click on "Mac" tab)


It seems to work similar to older versions, but I couldn't immediately find the place where the iteration count was stored (see some explanation of the older ways to extract data from LastPass for instance here: https://hashcat.net/forum/thread-2701-post-16028.html#pid16028)

I've played around with this a little bit a while ago and it seems that the stored data is still using some browser data ("local storage") and on a test system I could play for a few hours, I found the IndexedDB sqlite3 database in:
Code:
~/Library/WebKit/com.lastpass.lastpassmacdesktop/WebsiteData/IndexedDB/file__0/lp/IndexedDB.sqlite

therefore, it is a IndexedDB.sqlite file in the WebKit folder (and "com.lastpass.lastpassmacdesktop" subfolder)

The data of those IndexedDB.sqlite file is of course very generic, because these local storage containers/databases can store of course any values/blobs... Therefore, the format is a little bit strange...

anyway, you could easily find a key-value pair within that "lastpassmacdesktop" WebKit Local storage IndexedDB.sqlite file containing the sub-string "iterations="

Code:
SELECT HEX (value) FROM Records WHERE LOWER(HEX(value)) LIKE '%697465726174696f6e733d%';

note the hex value 697465726174696f6e733d is just iterations= if you convert it from hex to ASCII.


At the end, I use a SQL query like this to get the needed data for the hashcat hash type -m 6800 = LastPass

Code:
SELECT SUBSTR(i,0,INSTR(i,';')) FROM (SELECT SUBSTR(value,INSTR(value,X'697465726174696F6E733D')+11) AS i FROM Records WHERE INSTR(value,X'697465726174696F6E733D'));
100100

so the value for the iterations is 100100 (default), but this value of course could be changed

You need to combine this information with the actual hash information from a _lpall.slps file that can be found in:
Code:
/Library/Containers/com.lastpass.LastPass/Data/Library/Application Support/LastPass/

This is the data location of the native macOS APP (not the local storage data from webkit).

The old _key.itr is basically replaced with some entries in the local storage database and the hash info (including username/email hash etc) is in the _lpall.slps file.