Problems cracking KeePass 1 db (AES)
#1
I've used John the Ripper and hashcat before, so I expected this to be easy, but I am running into problems. I followed this post, and the utility in there gives me the hash in this format:
Code:
kpdb:$keepass$*1*9367424*0*f4885dfa619f813----deleted-----4493770a73bd*0*kpdb
However, when I try to use hashcat on it via
Code:
.\hashcat.exe -m 13400 kpdb.txt -a 0 passwords2.txt
I get:

Code:
Hashfile 'kpdb.txt' on line 1 (kpdb:$...49b1d9aa19ad04493770a73bd*0*kpdb): Salt-value exception No hashes loaded

Deleting the filename from the hash doesn't help either.
#2
example hashes are here: https://hashcat.net/wiki/doku.php?id=example_hashes
you could also use
Code:
-m 13400 --example-hashes

I would guess that your hash needs to start with $keepass$* and end with 49b1d9aa19ad04493770a73bd.

btw: it's not allowed to post hashes here; it doesn't matter whether you think it could be a hashcat problem or it's just a "test"/"example" (see forum rules).
#3
(07-10-2020, 10:39 AM)philsmd Wrote: example hashes are here: https://hashcat.net/wiki/doku.php?id=example_hashes
you could also use
Code:
-m 13400 --example-hashes

I would guess that your hash needs to start with $keepass$* and end with 49b1d9aa19ad04493770a73bd.

btw: it's not allowed to post hashes here; it doesn't matter whether you think it could be a hashcat problem or it's just a "test"/"example" (see forum rules).

Thanks, that was the first thing I tried, but I either get the same error or 'Separator unmatched' if I start and end where you say.

Quote: btw: it's not allowed to post hashes here; it doesn't matter whether you think it could be a hashcat problem or it's just a "test"/"example" (see forum rules).


My bad. I looked at the rules in more detail and deleted most of the hash, so just the format is visible.


Quote: example hashes are here: https://hashcat.net/wiki/doku.php?id=example_hashes


Hmm, those hashes seem to be in the same format but way longer, and I can't find another utility for converting the .kdb file to a hash.
#4
Maybe the root of the problem depends on which keepass2john tool you use.

I would highly recommend using the "official" repository: https://github.com/magnumripper/johntheripper (it is also much more up to date).

Compile it and use this up-to-date keepass2john tool to extract the data (the "hash") from the KeePass database.
#5
(07-10-2020, 11:12 AM)philsmd Wrote: maybe the root of the problem depends on which keepass2john tool you use.

I would highly recommend to use the "official" repository: https://github.com/magnumripper/johntheripper (this is also much more up to date)

compile it and use this up-to-date keepass2john tool to extract the data (the "hash" from the keepass database)

Thanks! Compiling and using it directly worked! Silly of me not to try it and to expect that a port of something so simple would give the same result. 90 H/s though, ouch. I didn't realize how slow cracking AES is.
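Added example (written for this page, not code from the thread, from hashcat or from John the Ripper): a small Python checker that splits a keepass2john output line into its '*'-separated fields and reports which field breaks the layout hashcat expects for -m 13400 KeePass 1 hashes, instead of the generic "Separator unmatched" / "Salt-value exception" messages. The field layout assumed here (version, rounds, algorithm, final seed, transform seed, IV, contents hash, inline flag, then either size plus hex contents or a database file name, with an optional key-file suffix) and the rule that hashcat needs the database contents inlined are my reading of the keepass2john and hashcat formats, not something the thread states; the two sample lines are constructed placeholders of the right field lengths, not real databases.

```python
#!/usr/bin/env python3
"""Structural checker for KeePass 1.x lines written by keepass2john ($keepass$*1*...).

hashcat rejects a line before any cracking happens when the field layout is
not what its parser expects. Splitting on '*' and checking each field pins
the problem to a specific field. Layout assumed here (my reading of the
keepass2john/hashcat formats, not confirmed by the thread):

  $keepass$*1*<rounds>*<algo>*<final_seed 32hex>*<transf_seed 64hex>*<iv 32hex>
           *<contents_hash 64hex>*<inline>*...
  inline=1 -> *<size>*<contents hex>      (what hashcat loads)
  inline=0 -> *<dbname>                   (older keepass2john: data stays in the file)
  optional key-file suffix: *1*<len>*<hex>
"""
import re
from typing import Tuple

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Fixed-size fields and their expected length in hex characters.
FIXED_FIELDS = (
    ("final_random_seed", 32),   # 16 bytes
    ("transf_random_seed", 64),  # 32 bytes (AES-256 transform key)
    ("enc_iv", 32),              # 16 bytes
    ("contents_hash", 64),       # SHA-256 of the decrypted payload
)


def parse_keepass1(line: str) -> dict:
    """Parse one KeePass 1 hash line; raise ValueError naming the offending field."""
    line = line.strip()
    # keepass2john prefixes each line with '<dbname>:'; hashcat wants the part
    # starting at the '$keepass$' signature.
    idx = line.find("$keepass$")
    if idx == -1:
        raise ValueError("no '$keepass$' signature found")
    fields = line[idx:].split("*")
    if len(fields) < 9:
        raise ValueError("too few '*'-separated fields: %d" % len(fields))
    if fields[1] != "1":
        raise ValueError("this checker handles version 1 only, got %r" % fields[1])
    if not fields[2].isdigit():
        raise ValueError("rounds is not an integer: %r" % fields[2])
    if fields[3] not in ("0", "1"):
        raise ValueError("algorithm must be 0 (AES) or 1 (Twofish): %r" % fields[3])
    out = {"version": 1, "rounds": int(fields[2]), "algorithm": int(fields[3])}
    for (name, length), value in zip(FIXED_FIELDS, fields[4:8]):
        if len(value) != length or not HEX.match(value):
            raise ValueError("%s must be %d hex chars, got %d" % (name, length, len(value)))
        out[name] = value.lower()
    inline = fields[8]
    if inline == "1":
        if len(fields) < 11:
            raise ValueError("inline=1 but size/contents fields are missing")
        size, contents = fields[9], fields[10]
        if not size.isdigit() or len(contents) != 2 * int(size) or not HEX.match(contents):
            raise ValueError("contents length does not match declared size")
        out.update(inline=True, contents_size=int(size), contents=contents.lower())
        rest = fields[11:]
    elif inline == "0":
        # Older keepass2john output: the encrypted payload is not embedded,
        # only the database file name follows.
        out.update(inline=False, dbname=fields[9] if len(fields) > 9 else "")
        rest = fields[10:]
    else:
        raise ValueError("inline flag must be 0 or 1: %r" % inline)
    out["keyfile"] = None
    if rest:  # optional key-file suffix *1*<len>*<hex>
        if (len(rest) != 3 or rest[0] != "1" or not rest[1].isdigit()
                or len(rest[2]) != 2 * int(rest[1]) or not HEX.match(rest[2])):
            raise ValueError("malformed key-file suffix: %r" % rest)
        out["keyfile"] = rest[2].lower()
    return out


def hashcat_loadable(line: str) -> Tuple[bool, str]:
    """Return (ok, reason): can hashcat -m 13400 load this line (assumed rules)?"""
    try:
        h = parse_keepass1(line)
    except ValueError as e:
        return False, str(e)
    if not h["inline"]:
        return False, ("contents not inlined (inline flag 0, file reference %r); "
                       "regenerate with a current keepass2john" % h["dbname"])
    return True, "ok"


# Constructed sample lines: placeholder bytes of the right lengths, not real databases.
_seed16, _seed32, _contents = bytes(range(16)).hex(), bytes(range(32)).hex(), bytes(range(48)).hex()
SAMPLE_INLINE = "$keepass$*1*6000*0*%s*%s*%s*%s*1*48*%s" % (_seed16, _seed32, _seed16, _seed32, _contents)
SAMPLE_FILE_REF = "kpdb:$keepass$*1*9367424*0*%s*%s*%s*%s*0*kpdb" % (_seed16, _seed32, _seed16, _seed32)

if __name__ == "__main__":
    for sample in (SAMPLE_INLINE, SAMPLE_FILE_REF, SAMPLE_INLINE[:-2]):
        print(hashcat_loadable(sample))
```

The second sample mirrors the shape of the line in the first post (a trailing `*0*<dbname>`): it parses cleanly, so the rejection is not a stray character but the missing inlined payload, which is consistent with the newer keepass2john output working where the older port did not.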
#6
Technically, you are not "cracking AES". AES is a cipher, an encryption/decryption algorithm with fixed key lengths (the keys are just a bunch of random bytes).

What you are doing instead is cracking a KeePass hash, which has a KDF (key derivation function) that starts from a password and derives a random key. This is sometimes directly the AES key that decrypts the data, but often (especially with full-disk encryption software like TrueCrypt/VeraCrypt/BitLocker etc.) it is a layer above, i.e. a key that decrypts another key, to make the "password change" mechanism fast and unproblematic (less data to change, less chance of corruption).

Therefore, while AES is an encryption algorithm that can be reversed (you can go either way, encrypt and decrypt), there is a step before that (the heavy part) that derives a key from the user password (a one-way hashing function). So you aren't really cracking AES; I would say you are cracking a "KeePass hash" (because AES is not the heavy part, the KDF is).