hashcat for keepass using combination of the same wordslist
#1
Hello,

I am a newbie of hashcat.
But I find this activity very interesting.
Here is an exercise that I play with.

I have created a KeePass database "demo.kdbx" with a master password.
The master password is 'B0B!3-S@M!3'.

The master password match the following template XXXXSYYYY,
where XXXX and YYYY come from a given words list,
and S is a symbol.
XXXX or YYYY may be a variant of an original word by replacing some character by symbols or numbers.
Examples:
BOBIE -> B0B!3
SAMIE -> S@M!3

Symbol S can be one of "!@+-..." and other symbols.

I have created file words.txt with content:
Code:
BOBIE
B0B!3
SAMIE
S@M!3

And use the following command :

Code:
$ keepass2john demo.kdbx > demo.hash

Then remove at the beginning of line the word 'demo:'.

Code:
$ cat demo.hash
$keepass$*2*100000*0*36c1b27ee73ab987d4f76330ae22d91b2cf8341832b118ae532faefc71fa1c5e*8cd7d38e010a3cce065bfcd69c4f3ccbb4318d58436f063fb8ee4f1a7fd323a8*758ed74daa44027c1fc29fa0039af3e0*31c6c1caf044b519c98068ad92a2711e72349783ad60301ecb3209ef1a0ec715*d587dcaf78693bf1b4669fa3d8f2029398164bdc70bdf2e8456ad74b35287d26

Code:
$ hashcat -a 1 -m 13400 -j '$-' demo.hash words.txt words.txt

But the password was not found !?

Here is the output :

Code:
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx, 2048/4455 MB allocatable, 8MCU

Dictionary cache built:
* Filename..: words.txt
* Passwords.: 5
* Bytes.....: 25
* Keyspace..: 5
* Runtime...: 0 secs

Dictionary cache built:
* Filename..: words.txt
* Passwords.: 5
* Bytes.....: 25
* Keyspace..: 5
* Runtime...: 0 secs

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13400 -D _unroll'
Dictionary cache built:
* Filename..: words.txt
* Passwords.: 5
* Bytes.....: 25
* Keyspace..: 25
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted. 

$keepass$*2*100000*0*36c1b27ee73ab987d4f76330ae22d91b2cf8341832b118ae532faefc71fa1c5e*8cd7d38e010a3cce065bfcd69c4f3ccbb4318d58436f063fb8ee4f1a7fd323a8*758ed74daa44027c1fc29fa0039af3e0*31c6c1caf044b519c98068ad92a2711e72349783ad60301ecb3209ef1a0ec715*d587dcaf78693bf1b4669fa3d8f2029398164bdc70bdf2e8456ad74b35287d26:B0B!3-S@M!3
                                               
Session..........: hashcat
Status...........: Cracked
Hash.Type........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*2*100000*0*36c1b27ee73ab987d4f76330ae22d9...287d26
Time.Started.....: Mon Jun 20 12:58:39 2022 (3 secs)
Time.Estimated...: Mon Jun 20 12:58:42 2022 (0 secs)
Guess.Base.......: File (words.txt), Left Side
Guess.Mod........: File (words.txt), Right Side
Speed.#1.........:        7 H/s (0.07ms) @ Accel:256 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 20/25 (80.00%)
Rejected.........: 0/20 (0.00%)
Restore.Point....: 0/5 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:3-4 Iteration:99968-100000
Candidates.#1....: BOBIE-S@M!3 -> -S@M!3

Started: Mon Jun 20 12:58:33 2022
Stopped: Mon Jun 20 12:58:43 2022

When I try to see potfile, nothing Sad

Code:
$ hashcat --show demo.hash
Hashfile 'demo.hash' on line 1 ($keepa...98164bdc70bdf2e8456ad74b35287d26): Token length exception
No hashes loaded.

I need some help please Smile
Thanks.

Dominique
Reply
#2
You need to precise the modus; try your --show command again with -m 13400

Bonus tip: make sure to use the latest Hashcat; you can find it on this website Wink
Reply
#3
(06-20-2022, 01:37 PM)Banaanhangwagen Wrote: You need to precise the modus; try your --show command again with -m 13400

Bonus tip: make sure to use the latest Hashcat; you can find it on this website Wink

Thank you ! You are right ! Smile

Code:
$ hashcat --show -m 13400 demo.hash
$keepass$*2*100000*0*36c1b27ee73ab987d4f76330ae22d91b2cf8341832b118ae532faefc71fa1c5e*8cd7d38e010a3cce065bfcd69c4f3ccbb4318d58436f063fb8ee4f1a7fd323a8*758ed74daa44027c1fc29fa0039af3e0*31c6c1caf044b519c98068ad92a2711e72349783ad60301ecb3209ef1a0ec715*d587dcaf78693bf1b4669fa3d8f2029398164bdc70bdf2e8456ad74b35287d26:B0B!3-S@M!3

The password has been found !
Great !
Reply
#4
Is there any mean to put in the words list "words.txt" only original words like this :

Code:
BOBIE
SAMIE

And to tell to hashcat to generate patterns like B0B!3, S@M!3 ?
Or to add condidates like them using options ?
Reply
#5
you need to play with rules for that; see https://hashcat.net/wiki/doku.php?id=rule_based_attack
Reply
#6
(06-20-2022, 02:02 PM)Banaanhangwagen Wrote: you need to play with rules for that; see https://hashcat.net/wiki/doku.php?id=rule_based_attack

Words file "words.txt is now :

Code:
BOBIE
SAMIE

And I have created the rule file "rules.txt"

Code:
:
#Lowercase
l
#Uppercase
u
#Capitalise first character
c
#Substitute 'a' for '@', 'e' for '3', 'l' for '1'
sa@ se3 sl1
#Substitute 'a' for '4', 'e' for '3', 'l' for '1'
sa4 se3 sl1

But when I want to use it, I get :

Code:
$ hashcat -a 1 -m 13400 -j '$-' -r rules.txt demo.hash words.txt words.txt
Use of -r/--rules-file and -g/--rules-generate only allowed in attack mode 0.

So, I can't use mode 0 (attack) since I work with mode 1 (combinator) !?
Reply
#7
Correct.
There are different techniques/approaches to tackle this, for example working with princeprocessor...
Reply
#8
(06-20-2022, 02:45 PM)Banaanhangwagen Wrote: Correct.
There are different techniques/approaches to tackle this, for example working with princeprocessor...

Thank you for your help.
But I don't know this technique/approache Sad
Reply
#9
I've just seen the url https://github.com/hashcat/princeprocessor
I'll take a look at this and will try to adapt my exercise.

Thank you.
Reply