
Keepass2John Support | Extract hash only from keyfile

IlluminatiWave opened this issue 3 years ago • 3 comments

Keepass2John can extract the hash of the master key in files with keyfile, but it needs the keyfile to extract the hash of the password. keepass2john [-k <keyfile>] <.kdbx database(s)> = Password Hash

Is it possible to extract the hash of the keyfile knowing the master key, or is it not contemplated to add this feature? keepass2john [-pw <password>] <.kdbx database(s)> = keyfile Hash


  • OS: Windows (11)
  • Version: 1.9.0-jumbo-1+bleeding-8998390 2022-09-16 09:07:46 -0300
  • Command line: keepass2john.exe file.kdbx

IlluminatiWave avatar Mar 21 '23 09:03 IlluminatiWave

Isn't the keyfile a human readable xml or json file, with a cleartext hex hash? Or do I mix things up.

magnumripper avatar Mar 21 '23 14:03 magnumripper

> Isn't the keyfile a human readable xml or json file, with a cleartext hex hash? Or do I mix things up.

As far as I understand, any file can be used as a keyfile. So it actually has nothing to do with the keyfile generated by keepass itself.

This is quite useful in some specific scenarios:

Your drive suffered damage that corrupted the directory table. When trying to retrieve the information, the program groups everything by file type, making it difficult to find the file that was used as the keyfile. By having the hash of the file, one can simply create a directory of hashes of all the files and simply look for the hash extracted from keepass2john in the directory.

IlluminatiWave avatar Mar 21 '23 16:03 IlluminatiWave

@IlluminatiWave I'm not familiar with KeePass, but I doubt that what you envision is possible. While we colloquially and for historical reasons call the strings output by the *2john tools "hashes", they often are not literally hashes, but are some other kinds of preprocessed data that john then works on.

Further, even if there were literal keyfile hashes found somewhere in the KeePass database files, you'd nevertheless need to compute the same kind of hashes out of every recovered potential keyfile. In other words, you'd need to run a program of ours on every potential keyfile. And this is something you can do already, producing "hashes" of them for use with john. You can then attack those "hashes" all at once (by one invocation of john). If you know the password and just need to identify which keyfile is the right one, you put the correct password into a wordlist and let john crack the "hashes". By seeing which one got cracked, you'll know which keyfile was right.

This is assuming that I got your problem scenario right. I've never used KeePass myself, so I might not have...

solardiz avatar Apr 02 '23 14:04 solardiz
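The workflow solardiz describes, as an added example that is not part of this thread or of the john project: for a database whose password is known, produce one keepass2john line per candidate keyfile, label each line with the candidate's file name, and let a single john run over a one-word wordlist reveal which candidate was the real keyfile. It assumes keepass2john and john are on PATH and that the candidate files sit in one directory.

```shell
#!/bin/sh
# Added example (not the project's own code). Assumes keepass2john and john
# are installed and that the .kdbx password is already known to the owner.
set -eu

# build_candidate_hashes DB CANDIDATE_DIR OUT
# Runs keepass2john -k <candidate> <DB> for every regular file in
# CANDIDATE_DIR and writes the lines to OUT, replacing the login field
# (everything before the first ':') with the candidate's file name so that
# a cracked line can be traced back to the keyfile. Prints the line count.
build_candidate_hashes() {
    db=$1; dir=$2; out=$3
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # keepass2john prints "<dbname>:$keepass$*..."; keep only the hash part.
        keepass2john -k "$f" "$db" 2>/dev/null |
            while IFS= read -r line; do
                printf '%s:%s\n' "$name" "${line#*:}"
            done >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# find_keyfile OUT PASSWORD
# Puts the known password into a one-line wordlist, runs john over all the
# labelled candidate lines at once, and prints the label (keyfile name) of
# whichever line cracked. Prints nothing if no candidate matched.
find_keyfile() {
    out=$1; pw=$2
    wl=$(mktemp)
    printf '%s\n' "$pw" > "$wl"
    john --wordlist="$wl" "$out" >/dev/null 2>&1 || true
    # "john --show" prints "label:password" per cracked line, then a summary.
    john --show "$out" 2>/dev/null | sed -n 's/^\([^:]*\):.*/\1/p' | head -n 1
    rm -f "$wl"
}

# Usage: ./find_keyfile.sh database.kdbx /path/to/recovered/files 'known password'
if [ "$#" -eq 3 ]; then
    hashes=$(mktemp)
    n=$(build_candidate_hashes "$1" "$2" "$hashes")
    echo "wrote $n candidate lines to $hashes"
    echo "matching keyfile: $(find_keyfile "$hashes" "$3")"
fi
```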

Looks like we were done with the discussion here. The requested feature looked likely both impossible and unneeded, as I had explained in my previous comment. Closing.

solardiz avatar Jul 06 '24 18:07 solardiz