08-13-2023, 10:15 AM
Hello. I found a KeePass 1.x database from a very long time ago that I have a snowball's chance in hell of cracking, and which may not even contain any useful passwords anymore. But I want to try, at the very least, and learn a little bit along the way.
My hashcat has worked on the sample keys for KeePass 1 and 2, but for this one it is running into a Salt-Value Exception on the hash obtained from keepass2john. I looked around the forums and only saw a few other cases where things like this were happening:
https://hashcat.net/forum/thread-9376.html
https://hashcat.net/forum/printthread.php?tid=6762
https://hashcat.net/forum/thread-6462.html
https://hashcat.net/forum/thread-8601.html
First of all, I am curious why the specific version of keepass2john should matter -- as long as the output is eventually formatted correctly, shouldn't the hash be independent of the version? Secondly, I was unable to make keepass2john on WSL due to errors, so I eventually gave in and used a binary. The particular version was "1.9.0-jumbo-1 64-bit", which should be up-to-date (per https://www.openwall.com/john/). I am using hashcat 6.2.6.
The particular format of the hash is the following, where one replaces newlines with asterisks to get the actual contents of the .hash file:
In other words, I have removed the database name and any newlines so that the format should be okay. This matches the example hashes, for what it's worth, though I apparently used the default value of 6000 instead of the KeePass 1 example's 50000. Out of curiously, what do the other numbers mean?
The output I get when I run it is:
Does the mask string matter for this? Where exactly should the salt value be? I do not see any particular syntax issues with my hash compared to the example ones, so I do not know where the error is creeping in. Thanks.
My hashcat has worked on the sample keys for KeePass 1 and 2, but for this one it is running into a Salt-Value Exception on the hash obtained from keepass2john. I looked around the forums and only saw a few other cases where things like this were happening:
https://hashcat.net/forum/thread-9376.html
https://hashcat.net/forum/printthread.php?tid=6762
https://hashcat.net/forum/thread-6462.html
https://hashcat.net/forum/thread-8601.html
First of all, I am curious why the specific version of keepass2john should matter -- as long as the output is eventually formatted correctly, shouldn't the hash be independent of the version? Secondly, I was unable to make keepass2john on WSL due to errors, so I eventually gave in and used a binary. The particular version was "1.9.0-jumbo-1 64-bit", which should be up-to-date (per https://www.openwall.com/john/). I am using hashcat 6.2.6.
The particular format of the hash is the following, where one replaces newlines with asterisks to get the actual contents of the .hash file:
Code:
$keepass$
1
6000
0
<32 hex digits>
<64 hex digits>
<32 hex digits>
<64 hex digits>
1
20656
<20656 bytes, i.e. 20656*2 = 41312 hex digits>
In other words, I have removed the database name and any newlines so that the format should be okay. This matches the example hashes, for what it's worth, though I apparently used the default value of 6000 instead of the KeePass 1 example's 50000. Out of curiously, what do the other numbers mean?
The output I get when I run it is:
Code:
...\hashcat-6.2.6> .\hashcat.exe kdb.hash -m 13400 -a 3 ?a?a?a?a
hashcat (v6.2.6) starting
kdb.hash: Byte Order Mark (BOM) was detected
hiprtcCompileProgram is missing from HIPRTC shared library.
OpenCL API (OpenCL 2.1 AMD-APP (3444.0)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #1: Radeon RX 570 Series, 8064/8192 MB (6745 MB allocatable), 32MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'kdb.hash' on line 1 ($): Salt-value exception
No hashes loaded.
Does the mask string matter for this? Where exactly should the salt value be? I do not see any particular syntax issues with my hash compared to the example ones, so I do not know where the error is creeping in. Thanks.