Keepass 1.x issue

[sandokan]

Hi.

I have an issue with importing keepass 1.x hashes. I created a test database with passphrase "test". I ran keepass2john on the .kdb file and i got this


test:$keepass$[hash removed by philsmd]*test

However, hashcat doesn't import the hash. What's the problem?
I did this because i noticed i have some old .kdb files that weren't imported, either in jtr or hashcat, and i extracted them all the same way with keepass2john. I even did it with the python script that was suggested in one of the previous threads ( https://gist.github.com/HarmJ0y/116fa1b5...4d7d367bbc ) and it's still not recognised. The files that aren't recognised all have this
*1*6000* and then some have *1*50000*

The hashes from kdbx database are recognised and can be ran with the same process. The databases are also not corrupted because i can open them with passphrase "test" in the keepass.
What's the issue and how to correct it? I use keepass2john from the jumbo patch john 1.8. I get "signature unmatched" when i use -m 13400 mode.

[philsmd]

Example hashes can be found here: https://hashcat.net/example_hashes
Make sure that the format is the same, e.g. it starts with $keepass$*

If you want to prepend the username (or file name) then you need to use the --username option.

For the next time, please do not forget that:
1. it is not allowed to post hashes here
2. always double check and compare with the example hashes page
3. show the full command line (for instance, I do not know if you used --username or not, which is crucial information here)
4. also make sure you display the whole error message (or preferably the whole output without the hashes)

[sandokan]

Hi.

That is not my hash in the kdb, i just opened a test .kdb with passphtrase "test" and created it to see if that would be picked up by hashcat, but it was the same as with my real hash, that is why i left the hash. I know hashes are not allowed but it's just a test hash so someone could compare and check because passphrase for this is "test".

I did not use the --username because this was not the username. This is just how keepass2john outputed the format. If my .kdb is named "test.kdb" when i run keepass2john.exe on it outputs it that way
test:$keepass$hash*test

I would really need to include hashes here because there are some discrepancies i noticed in jtr and not sure if it's the same for hashcat, and if i dont include the hash how can i explain the discrepancies?

To answer your questinos
1. I did not post the real hash, but a hash example that is the same format as my real hash and both are not being picked up by hashcat
2. I double checked with example hash from jtr list details and there are differences, but im not sure why is keepass2john not outputting the same format as the one in it's details and what the actual differences are since i know this keepass should be a sha256 from some other page where i quote

In order to generate the 256-bit key for the block ciphers, the Secure Hash Algorithm SHA-256 is used. This algorithm compresses the user key provided by the user (consisting of password and/or key file) to a fixed-size key of 256 bits. This transformation is one-way, i.e. it is computationally infeasible to invert the hash function or find a second message that compresses to the same hash.

The recently discovered attack against SHA-1 [2] doesn't affect the security of SHA-256. SHA-256 is still considered as being very secure [3].

Key Derivation:
If only a password is used (i.e. no key file), the password plus a 128-bit random salt are hashed using SHA-256 to form the final key (but note there is some preprocessing: Protection against Dictionary Attacks). The random salt prevents attacks that are based on pre-computed hashes.

but why is the length of the one i get from keepass2john different then the one in the example and im not even sure what keepass hash consists in the example as it consists of 2-3 sha256 length hashes.

3. Full command was just that
hashcat64 -m 13400 test.txt
Where test.txt was the has above in the above format, but i did test with the hash when test was removed (instead of test:$keepass$hash*test) i tried $keepass$hash* but that didnt work as well.

4. Here is the full output but nothing else there

Code:

D:\downloads\hashcat-3.5>hashcat64 -m 13400 test.txt
hashcat (v3.5.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 970, 1024/4096 MB allocatable, 13MCU

Hashfile 'test.txt' on line 1 (test:$keepass$*1*6000*0*hash*0*test): Signature unmatched
No hashes loaded.

Started: Mon Apr 17 19:45:39 2017
Stopped: Mon Apr 17 19:45:39 2017

D:\downloads\hashcat-3.5>

Problem here is that keepass2john is outputting out wrong format from the .kdb as the length is not the same as in examples, but why? I tried the python script as mentioned, it gives the same stuff keepass2john does. The .kdb are also not corrupt because, as i said i open the db normaly in keepass (the test kdb i created)