Salt-Value Exception for KeePass 1.x after keepass2john
#1
Hello. I found a KeePass 1.x database from a very long time ago that I have a snowball's chance in hell of cracking, and which may not even contain any useful passwords anymore. But I want to try, at the very least, and learn a little bit along the way.

My hashcat has worked on the sample keys for KeePass 1 and 2, but for this one it is running into a Salt-Value Exception on the hash obtained from keepass2john. I looked around the forums and only saw a few other cases where things like this were happening:
https://hashcat.net/forum/thread-9376.html
https://hashcat.net/forum/printthread.php?tid=6762
https://hashcat.net/forum/thread-6462.html
https://hashcat.net/forum/thread-8601.html

First of all, I am curious why the specific version of keepass2john should matter -- as long as the output is eventually formatted correctly, shouldn't the hash be independent of the version? Secondly, I was unable to make keepass2john on WSL due to errors, so I eventually gave in and used a binary. The particular version was "1.9.0-jumbo-1 64-bit", which should be up-to-date (per https://www.openwall.com/john/). I am using hashcat 6.2.6.

The particular format of the hash is the following, where one replaces newlines with asterisks to get the actual contents of the .hash file:

Code:
$keepass$
1
6000
0
<32 hex digits>
<64 hex digits>
<32 hex digits>
<64 hex digits>
1
20656
<20656 bytes, i.e. 20656*2 = 41312 hex digits>

In other words, I have removed the database name and any newlines so that the format should be okay. This matches the example hashes, for what it's worth, though I apparently used the default value of 6000 instead of the KeePass 1 example's 50000. Out of curiously, what do the other numbers mean?

The output I get when I run it is:

Code:
...\hashcat-6.2.6> .\hashcat.exe kdb.hash -m 13400 -a 3 ?a?a?a?a
hashcat (v6.2.6) starting

kdb.hash: Byte Order Mark (BOM) was detected
hiprtcCompileProgram is missing from HIPRTC shared library.

OpenCL API (OpenCL 2.1 AMD-APP (3444.0)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Radeon RX 570 Series, 8064/8192 MB (6745 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashfile 'kdb.hash' on line 1 ($): Salt-value exception
No hashes loaded.

Does the mask string matter for this? Where exactly should the salt value be? I do not see any particular syntax issues with my hash compared to the example ones, so I do not know where the error is creeping in. Thanks.
Reply
#2
This is the error:
kdb.hash: Byte Order Mark (BOM) was detected

Download and install this powerful free text editor: Notepad++

Open the file you want to verify/fix in Notepad++

In the top menu select Encoding > Convert to UTF-8 (option without BOM)

Save the file

Done.
Reply
#3
Lol @ "powerful free text editor." I had been using Notepad++ to edit the key already; I had noticed the encoding was different than usual, but it did not occur to me to look in detail at what hashcat expected. Changing the encoding indeed allowed it to run; thanks for the help.

On that note, all I could find in the hashcat documentation for encodings were the flags --encoding-to and --encoding-from, and those look to apply only to the "internal wordlist". What even is the "internal wordlist"? That's not a term I see elsewhere. Does it have to do with the encoding of the plaintext, or of something else?

Also, what are the other parts of the hash? The hex strings of 32 and 64 characters.
Reply