The wordlist for this scenario will be the well known “rockyou” wordlist. For this scenario, we will be using the “Straight” mode (attack ID “0”), which is a simple dictionary attack based on a wordlist. Hashcat supports typical password cracking attack types, such as dictionary and brute-force, but also includes things like masking, which is filtering down the cracking attempts to certain patterns (for example, a mask of five letters and two numbers will attempt all combinations of that order, such as March18 or Tgyhj37). Hashcat has a number of different options, but for this scenario, we’re going to focus on two: attack mode and hash type. The next step is to take this hash string (first saved into a file called “keepass.txt”) and pass it through Hashcat. Thankfully, John the Ripper ships with a useful tool to do just that! The utility is called “keepass2john” and simply needs the KeePass database passed in as a parameter:Īs you can see, running this utility produces the following hash, which is in the perfect form to be consumed by Hashcat (The only thing that needs to be done is the first section “MadCityHacker:” removed, as this is just a friendly name for the hash):
With the KeePass database, we now need to extract the master password hash from the file. We start out with our KeePass database on our Kali instance: MadCityHacker.kdbx – This is a test KeePass database created for this scenario. MCH-Kali (192.168.1.13) – Kali 2018.3 (Hashcat and John the Ripper are installed as part of the Kali distribution). While KeePass is the focus of this particular post, it is important to note that these steps can also be used for other password repository programs, such as LastPass, Password Safe, and 1Password.
In this post, we will be going through the steps to crack the master password for a KeePass database, a commonly used program to secure passwords. With tools like John the Ripper and Hashcat available, not necessarily. The question is, however, whether or not these programs are as safe as they seem to be. These databases or safes are generally encrypted with a master password, in order to make sure all of a person’s sensitive account passwords are safe. A common method of storing all these passwords is to use a program to store them in a secure database or safe. From social media sites like Facebook or Twitter to more sensitive items like bank or credit card accounts, passwords are used everywhere. Nearly every aspect of a person’s digital life involves a password in some fashion or another. Passwords are an integral part of modern society.
0 kommentar(er)
