Lastpass hashes
#1
I am attempting to extract the hash for the Lastpass account following the instructions on this page:
https://hashcat.net/wiki/doku.php?id=example_hashes

The number of iterations is indeed located in AppData\LocalLow\LastPass\(hash)_key.itr and after base64 decoding (hash)_lpall.slps I see what could be 2 possible candidates for the 16-byte hashes I need to crack, as well as a 32-byte field. Here I am confused by the instructions of "2nd line is interesting / base64 decode it", as _lpall.slps contains only 1 base64 encoding.

Neither of these succeed, running the same command as https://twitter.com/hashcat/status/326648723008532482 but running that command against the example hash works.

Investigating further, I changed the number of rounds required in Lastpass (from 5000 to the 500 rounds as in the example) and repeated the process. _key.itr changed as expected, but _lpall.slps did not change either of the two 16-byte fields, but the 32-byte field instead. It looks from the example page that I am indeed expecting a 16-byte hash.

In addition, Lastpass allows you to export a base64 encoded encrypted file for use in their pocket software (as mentioned on example hashes page). Here, the iteration count and the hash are clearly delineated in the file, but yet base64 decoding brings yet another hash that doesn't fall.

Now I have 4 hashes: 1. from the example hashes; 2. & 3. from _lpall.slps; and 4. from the encrypted Lastpass export. Each of these hashes are different, only hashcat breaks hash 1, and all are derived from identical username/password/iterations.

I have even attempted to base64 *encode* the example hash and search for it, but it's not anywhere I can see.

My question is, how exactly do you get the required hash out of Lastpass to crack? What steps am I missing?
#2
Under linux / Ubuntu:
you have a .lastpass directory in your home folder.
There is a file that ends with _lpall.slps. This file contains 2 lines.
The second line is what we want (length: 24 ascii - base64 - characters). You need to base64 decode it. But you need the hexed version of this base64 string, in linux you simply do:
$ tail -1 *_lpall.slps | base64 -d | xxd -p
so you have a 32byte hex representation of the base64 string
Then you use this in you hash.txt file:
hex:iterations:email
#3
Success.

I checked this under Linux, and the _lpall.slps file is indeed as you mentioned, containing two lines.

In addition, in Windows, if you open up the SQLite database for Opera/Chrome as mentioned in the example hashes, where type = key, you can see the same 2nd line as the linux _lpall.slps file.

The problem I was having is Firefox under Windows was appearing to have only one base64 line. When I read this page: https://lastpass.com/support.php?cmd=showfaq&id=425 I learned that not only does Firefox also use the same cache as Internet Explorer, but it is encrypted under Protected Storage.

So I wrote a quick little C# program with:
Code:
using System.Security.Cryptography;
byte[] decryptedData = ProtectedData.Unprotect(entireFileInByteArray, (byte[])null, DataProtectionScope.CurrentUser);
where entireFileInByteArray is the base64 decoded version of the Windows version of _lpall.slps
the decryptedData will be the linux version of the _lpall.slps file.

Mentioned on the example hashes page is that the LastPass Pocket can open these stored files. This is true, but not all files that Pocket can open appear to have the hashes in them... The base64 encoded encrypted file generated by LastPass's export function does not contain the needed hash, what I thought appears to be the hash is actually the initialization vector for AES.