KeePass is a free and open-source password manager that helps you manage your passwords securely. You can put all your passwords in a single database that is locked with a single master key or a key file. So you only need to remember one master password or select a key file to unlock the entire database. Databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
KeePass is really free, and more: open source (OSI certified). You take a look its full source check if the encryption algorithms are implemented correctly.
Cracking KeePass Databases with Hashcat
Passwords are an integral part of modern society. Nearly every aspect of a person’s digital life involves a password in some fashion or another. From social media sites like Facebook or Twitter to more sensitive items like bank or credit card accounts,
passwords are used everywhere. A common method of storing all these passwords is to use a program to store them in a secure database or safe. These databases or safes are generally encrypted with a master password, in order to make sure all of a person’s sensitive account passwords are safe.
The question is, however, whether or not these programs are as safe as they seem to be. With tools like John the Ripper and Hashcat available, not necessarily. In this post, we will be going through the steps to crack the master password for a KeePass database
a commonly used program to secure passwords. While KeePass is the focus of this particular post, it is important to note that these steps can also be used for other password repository programs, such as LastPass, Password Safe, and 1Password.
MCH-Kali (192.168.1.13) – Kali 2018.3 (Hashcat and John the Ripper are installed as part of the Kali distribution).
MadCityHacker.kdbx – This is a test KeePass database created for this scenario.
We start out with our KeePass database on our Kali instance:
With the KeePass database, we now need to extract the master password hash from the file. Thankfully, John the Ripper
ships with a useful tool to do just that! The utility is called “keepass2john” and simply needs the KeePass database passed in as a parameter:
As you can see, running this utility produces.
the following hash, which is in the perfect form to be consumed by Hashcat (The only thing that needs to be done is the first section “MadCityHacker:” removed, as this is just a friendly name for the hash):
$keepass$*2*60000*222*5d073d1d92f19a9b9eec0dc 213d7dba0b6dc53f1f0d4ca483cea2b60dfaefe9a *1ed0d6b61edd401 46f7c936449a2f0f4774742218449496142064f2fb7ec02c1 *cedc2dc9987b0fc328929fd0b1d2cbc5 *2fba97d4b24f1446080a e85dc1067b7301f572a3b4f601c3d0c7d7c9c1429cbb*f1217fee4bd3 f96a02d498ac570ccebea2e52f69d5af7d34dd1c25416 6e8733e
The next step is to take this hash string (first saved into a file called “keepass.txt”) and pass it through Hashcat. Hashcat has a number of different options, but for this scenario, we’re going to focus on two: attack mode and hash type.
Hashcat supports typical password cracking attack types
such as dictionary and brute-force, but also includes things like masking, which is filtering down the cracking attempts to certain patterns (for example, a mask of five letters and two numbers will attempt all combinations of that order, such as March 18 or Tgyhj37). For this scenario, we will be using the “Straight” mode (attack ID “0”), which is a simple dictionary attack based on a wordlist. The wordlist for this scenario will be the well known “RockYou” wordlist.
Hashcat also has a plethora of hash types that it will attempt to crack; the full list can be found on Hashcat’s help page or on their website here. Since we have a KeePass database, we will be using hash ID “13400” which correlates to “KeePass 1 (AES/Twofish) and KeePass 2 (AES).”
Now that we have the appropriate options ready, let’s get cracking! The command to initiate the cracking will look like the following:
hashcat -a 0 -m 13400 keepass.txt /usr/share/wordlists/rockyou.txt
For real password cracking, using a GPU is the best option, as they are able to process a much larger amount of hashes per second than a typical CPU. For this scenario, I am doing simple CPU cracking on an older system as I know the master password for this database exists in the RockYou wordlist. If you are using this to test the strength of your own KeePass database, I highly recommend using atleast one GPU instead as it will be a more accurate test of strength against an adversary.
With that out of the way, let’s run the aforementioned Hashcat command:
The password for the KeePass database has been cracked successfully! As you can see in the middle of the above screenshot, Hashcat listed out the input hash and it’s associated cracked password of “qwerty.” We can also see, with the
“Time. Started” and “Time.Estimated” fields
- be that as it may that the crack took a mere seven seconds to complete.
- A nice feature of Hashcat is that you can monitor how long it’s been running and it’s overall progress
- even so / though (as well as estimated time of completion) throughout the cracking lifecycle.
- Since this one only took seven seconds, we didn’t need to monitor
- it for long, but it’s a handy thing to note regardless.
- in spite of While password databases and safes are
- at the same time a good way to protect your various passwords,
- on the contrary, it is important to remember that the master
- on the other hand password for these needs to be well protected as well.
- The best way to do this is to make sure
you make very strong master passwords:
- 12+ characters (including both upper and lowercase letters,
- numbers and special characters), nondictionary words,
- and nothing personally identifiable, such as birth years or names of family.
- The best route to take with these master passwords is to actually make them passphrases, as in long
- of course …, but and easy to remember strings of words, such as “
- although this may be true The dog taken over to the dog park to burn off some energy.” The longer
- the master password (or phrase), in contrast, the better off you will be with protecting your different from sensitive information.
in contrast KeePass 2.46 for Windows
Windows 7, 8, Vista, 8.1, 10, XP, 2003, 2000