Lastpass hashes
#1
I am attempting to extract the hash for the Lastpass account following the instructions on this page:
https://hashcat.net/wiki/doku.php?id=example_hashes

The number of iterations is indeed located in AppData\LocalLow\LastPass\(hash)_key.itr and after base64 decoding (hash)_lpall.slps I see what could be 2 possible candidates for the 16-byte hashes I need to crack, as well as a 32-byte field. Here I am confused by the instructions of "2nd line is interesting / base64 decode it", as _lpall.slps contains only 1 base64 encoding.

Neither of these succeed, running the same command as https://twitter.com/hashcat/status/326648723008532482 but running that command against the example hash works.

Investigating further, I changed the number of rounds required in Lastpass (from 5000 to the 500 rounds as in the example) and repeated the process. _key.itr changed as expected, but _lpall.slps did not change either of the two 16-byte fields, but the 32-byte field instead. It looks from the example page that I am indeed expecting a 16-byte hash.

In addition, Lastpass allows you to export a base64 encoded encrypted file for use in their pocket software (as mentioned on example hashes page). Here, the iteration count and the hash are clearly delineated in the file, but yet base64 decoding brings yet another hash that doesn't fall.

Now I have 4 hashes: 1. from the example hashes; 2. & 3. from _lpall.slps; and 4. from the encrypted Lastpass export. Each of these hashes are different, only hashcat breaks hash 1, and all are derived from identical username/password/iterations.

I have even attempted to base64 *encode* the example hash and search for it, but it's not anywhere I can see.

My question is, how exactly do you get the required hash out of Lastpass to crack? What steps am I missing?


Messages In This Thread
Lastpass hashes - by ZNemesis - 10-10-2013, 04:59 PM
RE: Lastpass hashes - by philsmd - 10-10-2013, 05:26 PM
RE: Lastpass hashes - by ZNemesis - 10-15-2013, 01:20 PM