I think I read somewhere (a while ago) that the new file where the data is stored is just called profile.js
Are you able to locate a file file called profile.js ?
Update: I think this is just the difference between the Agilekeychain (which uses encryptionKeys.js, hashcat mode -m 6600) and the Cloudkeychain (which uses profile.js, hashcat mode -m 8200)
Update 2: it seems that there is even a 3rd variant that uses the file OnePassword.sqlite (see https://github.com/magnumripper/JohnTheR...ssues/2713 , https://github.com/mpage/onepassword/blo...go#L93-L94 and http://sosedoff.com/2015/05/30/exploring...rypto.html )
The tests here https://github.com/mpage/onepassword/blo....go#L9-L24 suggest that it uses the hashing+encryption algorithm used by Cloudkeychain (and therefore -m 8200 and therefore PBKDF2-HMAC-SHA512). This could mean that it could be easy to run the above linked sql command and convert the output to the -m 8200 format (I didn't test it yet, so you should definitely first try it with a test database for which you know the password)
update 3: I was lucky enough to get access to a mac where I was able to generate a similar .sqlite file (actually there are 2 versions, one stored in B5.sqlite which is mainly used for the "online" version which is synced with the "cloud" and the second variant of sqlite file can be generated by using the advanced option (not default) to only use a local file... it will be stored in OnePassword.sqlite instead of B5.sqlite).
After I got the OnePassword.sqlite file (which as said was generated with the local/offline settings, not the default cloud setting) I could simple extract the hash (for the master password) like this:
This SQL query needs to be run with sqlite3 on the OnePassword.sqlite file. If you have this hash you can crack it with hashcat mode -m 8200 (the SQL command already formats the output in the way hashcat expects it), i.e. $hash . ":" . $salt . ":" . $iterations . ":" . $data
note: the || is the sqlite syntax for concatenation
The hashcat command to crack it could be as easy as this one (for instance for -a 0 word list attack):
where hash.txt contains the whole output line from the above sqlite command
Are you able to locate a file file called profile.js ?
Update: I think this is just the difference between the Agilekeychain (which uses encryptionKeys.js, hashcat mode -m 6600) and the Cloudkeychain (which uses profile.js, hashcat mode -m 8200)
Update 2: it seems that there is even a 3rd variant that uses the file OnePassword.sqlite (see https://github.com/magnumripper/JohnTheR...ssues/2713 , https://github.com/mpage/onepassword/blo...go#L93-L94 and http://sosedoff.com/2015/05/30/exploring...rypto.html )
The tests here https://github.com/mpage/onepassword/blo....go#L9-L24 suggest that it uses the hashing+encryption algorithm used by Cloudkeychain (and therefore -m 8200 and therefore PBKDF2-HMAC-SHA512). This could mean that it could be easy to run the above linked sql command and convert the output to the -m 8200 format (I didn't test it yet, so you should definitely first try it with a test database for which you know the password)
update 3: I was lucky enough to get access to a mac where I was able to generate a similar .sqlite file (actually there are 2 versions, one stored in B5.sqlite which is mainly used for the "online" version which is synced with the "cloud" and the second variant of sqlite file can be generated by using the advanced option (not default) to only use a local file... it will be stored in OnePassword.sqlite instead of B5.sqlite).
After I got the OnePassword.sqlite file (which as said was generated with the local/offline settings, not the default cloud setting) I could simple extract the hash (for the master password) like this:
Code:
SELECT lower (hex (substr (master_key_data, length (master_key_data) - 32 + 1, 32))) || ":" || lower (hex (salt)) || ":" || iterations || ":" || lower (hex (substr (master_key_data, 1, length (master_key_data) - 32))) FROM profiles;
note: the || is the sqlite syntax for concatenation
The hashcat command to crack it could be as easy as this one (for instance for -a 0 word list attack):
Code:
hashcat -m 8200 hash.txt dict.txt