Locked out of Keepass 1.x
#1
Question 
Hi.

I've managed to lock myself out of my own KeePass database. I know some details about length and characters used so I can whittle it down to a reasonable bruteforce.

My only issue is that I'm unable to crack the example hash on the front page despite supplying the following input:
Code:
./hashcat64.exe -m 13400 -a 3 $keepass$*1*50000*0*375756b9e6c72891a8e5645a3338b8c8*82afc053e8e1a6cfa39adae4f5fe5e59f545a54d6956593d1709b39cacd7f796*c698fbfc7d1b71431d10611e2216ab21*24a63140f4eb3bfd7d59b7694eea38d1d93a43bc3af989755d2b326286c4d510*1*192*1a65072f436e9da0c9e832eca225a04ab78821b55d9f550860ade2ef8126a2c4050cf4d033374abd3dac6d0c5907c6cbb033643b203825c12e6c9853b5ac17a4809559fe723e01b4a2ab87cc83c8ba7ee4a757b8a0cf1674106f21f6675cba12064443d65436650df10ea0923c4cadfd4bfe341a6f4fa23a1a67f7d12a489fc5410ef6db9f6607905de491d3b3b915852a1b6c231c96366cbdee5ea9bd7f73ffd2f7a579215528ae1bf0ea540947ebfe39ca84bc6cbeded4f8e8fb6ed8f32dd5 ?l?l?l?l?l?l?l

Which yields the following output:
Code:
Hash '1*50000*0*375756b9e6c72891a8e5645a3338b8c8*82afc053e8e1a6cfa39adae4f5fe5e59f545a54d6956593d1709b39cacd7f796*c698fbfc7d1b71431d10611e2216ab21*24a63140f4eb3bfd7d59b7694eea38d1d93a43bc3af989755d2b326286c4d510*1*192*1a65072f436e9da0c9e832eca225a04ab78821b55d9f550860ade2ef8126a2c4050cf4d033374abd3dac6d0c5907c6cbb033643b203825c12e6c9853b5ac17a4809559fe723e01b4a2ab87cc83c8ba7ee4a757b8a0cf1674106f21f6675cba12064443d65436650df10ea0923c4cadfd4bfe341a6f4fa23a1a67f7d12a489fc5410ef6db9f6607905de491d3b3b915852a1b6c231c96366cbdee5ea9bd7f73ffd2f7a579215528ae1bf0ea540947ebfe39ca84bc6cbeded4f8e8fb6ed8f32dd5': Signature unmatched

I'm not quite clued up as to what that means and why it is occurring.

I've tried the very basic MD5 one too and that's working for me alright so I'm not entirely sure what is happening with the KeePass hashes in particular.

Any help would be greatly appreciated.
#2
Oh my, I should have added.

I've tried actually hashing a test database with the password "test" and it always appears shorter than the example one given.
Despite supplying hashcat with the true password against that hash, I get salt-length exceptions.

I've ran the keepass2john.c algorithm and despite trimming the start of the excess characters as told by https://www.rubydevices.com.au/blog/how-to-hack-keepass I still cannot get it close to the example hash.

Should I be using something else to hash my .kdb file?
#3
if you do not know how to escape special characters within your command, you should just use a hash file.
Code:
hashcat64.exe -m 13400 -a 3 hash_file.txt ?l?l?l?l?l?l?l

of course the file "hash_file.txt" must contain the full hash.

I'm also not sure why you use the linux-style way to execute commands e.g. "./hashcat64.exe" instead of just hashcat64.exe. You do not need to use mingw/mysys etc on windows, hashcat just works in the native cmd.exe. You also do not need powershell if that is what your are using there.
#4
Thank you for the fast response.

Yes, I was using cygwin but seemingly saving the example hash to a .hash locally and running it through cmd seems to allow me to crack it properly.

Unfortunately, I still can't even crack my test file.

If I run this:
Code:
keepass2john.exe test.kdb > test.hash
I get the following output:
Code:
Not inlining test.kdb
test.kdb:$keepass$[hash removed by philsmd]*0*test.kdb

I've tried trimming the front and end of it but I cannot get any acceptable hash.
I constantly get salt length exceptions or signature unmatched.
#5
you are not allowed to post hashes here.
Respect the forum rules or you get banned immediately.

It also can't be that difficult to use the same format of the example hash also for your hash.
You need to remove the file name and colon at the front and the file name and the *0* at the end.

You could also just put both example hash and your hash into a file and compare the 2 "hashes"... the fields must be the same (just the values are different for your hash).
#6
While I do greatly appreciate the help, I did explicitly state the hash I supplied was a test hash made solely to test the hashing algorithm. That hash only contained 1 test entry that had no real account details.

When I do try trimming the file names and the *0* at the end, I get the following error: "Salt-Length Exception"

Ultimately, the hash generated from the john2keepass is significantly shorter with different fields.
I'm not too sure as to what to do.
#7
(08-08-2017, 02:30 PM)AConcernedLad Wrote: While I do greatly appreciate the help, I did explicitly state the hash I supplied was a test hash made solely to test the hashing algorithm. That hash only contained 1 test entry that had no real account details.

When I do try trimming the file names and the *0* at the end, I get the following error: "Salt-Length Exception"

Ultimately, the hash generated from the john2keepass is significantly shorter with different fields.
I'm not too sure as to what to do.

Good day!

Have you found a solution to this? I get the same thing and google is not very helpful Smile

Thanks!