1password agilebits conversion - doesn't match sample?
#1
Hello - yet another noob here...

I'm trying to recover a 1password master password from the older version Agilebits had circa 2011. This is the sort that was known to "leak user metadata" in that it had a folder structure (perhaps so it could use Dropbox as a distribution/syncing method?).

I followed the recipe to convert to a hashcat friendly format using:

$ ./agilekc2john.py 1password.agilekeychain/ > myhashfile.txt

The python script worked and I have a hashfile that, to my untrained eye, looks similar to:

https://hashcat.net/misc/example_hashes/...lekeychain

As a test, I fed the example hashfile into my hashcat64.exe and the program went to work as expected.

When I fed my agilekc2john.py derived hashfile into the program, I get the dreaded "No hashes loaded."

Command wise, the only difference was the input file (I used -m 6600 as mode selector).

Here's a gutted cat of my hashfile:

Code:
./my.agilekeychain/:$agilekeychain$2*1000*8*3XXXXXXXXXX3b9*1040*f5XXXXXXXXXX...

The sample hashfile does not have any asterisks nor dollar signs, nor references to source filenames and I do not know if this is significant or not:

Code:
1000:9e55bd14cb90f5e1:99a89704bc67d6921ab393ca...

Any guidance would be most appreciated.

Thanks!
Reply
#2
The format for hashcat is just:
decimal_iteration_count:hexadecimal_salt:hexadecimal_digest

you could just read the encryptionKeys.js file (and base64 convert the salt and digest) or use some other tools like this: https://github.com/philsmd/1password_agi...to_hashcat (command should look like this: perl 1password_agilekeychain_to_hashcat encryptionKeys.js)
Reply
#3
(08-30-2017, 06:27 PM)philsmd Wrote: The format for hashcat is just:
decimal_iteration_count:hexadecimal_salt:hexadecimal_digest

you could just read the encryptionKeys.js file (and base64 convert the salt and digest) or use some other tools like this: https://github.com/philsmd/1password_agi...to_hashcat (command should look like this: perl 1password_agilekeychain_to_hashcat encryptionKeys.js)

Thank you for the reply. I ran the perl script on encryptionKeys.js and sent the output to hashcat:

Code:
OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #3: GeForce GTX 1080 Ti, 2816/11264 MB allocatable, 28MCU
* Device #4: GeForce GTX 1080 Ti, 2816/11264 MB allocatable, 28MCU

hashfile is empty or corrupt.

Started: Wed Aug 30 17:18:57 2017
Stopped: Wed Aug 30 17:18:57 2017

The same encryptionKeys.js loaded (as the directory) in 1Password GUI is staring at me waiting for a password.

Can your perl script eat the whole agilekeychain directory?

Thanks!
Reply
#4
Maybe format changed in the meanwhile?
Reply