KeePass 1.x File Cracking

TL;DR

This guide explains how to attempt cracking KeePass 1.x (.kdb) database files using John the Ripper and Hashcat. It covers downloading tools, preparing the file for cracking, and running common attack types.

Prerequisites

Step 1: Exporting the KeePass Database

KeePass 1.x databases need to be converted into a format John or Hashcat can understand. Use KeePass itself for this.

  1. Open your .kdb file in KeePass.
  2. Go to File > Export > CSV (Comma Separated Values).
  3. Choose a filename and location, and select ‘All Entries’ as the scope. Save the file. This will create a CSV file containing the database entries.

Step 2: Converting the CSV to John/Hashcat Format

The CSV file needs converting into a format compatible with cracking tools.

Using John the Ripper

  1. Use the john --format=keepass csv_file.csv command. This will create a .kdbx file that John can use.
john --format=keepass database.csv

Using Hashcat

Hashcat requires a different approach, using a custom rule to extract the hashes from the CSV.

  1. Create a rules file (e.g., hashcat_rule.txt) with the following content. This is a basic example and may need adjusting based on your CSV format.
# Hashcat rule for KeePass CSV export
$username=$1
$password=$2
$hash=$3

Then, run the following command:

hashcat -m 13400 database.csv hashcat_rule.txt '?a?a?a?a?a?a?a?a' --force

-m 13400 selects hashcat's KeePass hash mode, and ?a?a?a?a?a?a?a?a is a basic mask for testing (quoted so the shell does not expand the ? characters). Adjust this as needed.

Step 3: Cracking with John the Ripper

  1. Navigate to the directory containing your .kdbx file in the command line.
  2. Run a wordlist attack using the john --wordlist=rockyou.txt kdbx_file.kdbx command. Replace rockyou.txt with the path to your chosen wordlist.
john --wordlist=/usr/share/wordlists/rockyou.txt database.kdbx

Running a Rule-Based Attack

Apply rules to the wordlist for better results.

  1. Use the john --wordlist=rockyou.txt --rules=best64 kdbx_file.kdbx command. This applies the ‘best64’ rule set, which is a common starting point, to each word in the wordlist.
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 database.kdbx

Step 4: Cracking with Hashcat

Hashcat offers more attack modes and flexibility.

  1. Run a wordlist attack using the following command:
hashcat -m 13400 database.csv rockyou.txt --force

Running a Mask Attack

Use a mask to define the password pattern.

  1. Run a mask attack using:
hashcat -m 13400 -a 3 database.csv '?a?a?a?a' --force

Step 5: Interpreting Results

  • John the Ripper will display cracked passwords in the console and save them to a file named ‘john.pot’.
  • Hashcat displays results in real-time and can be configured to save output to a file using the --outfile=results.txt option.

Important Considerations

  • Wordlists: Use strong, comprehensive wordlists like RockYou or custom lists based on known information about the target.
  • Rules: Experiment with different rule sets to modify passwords and increase your chances of success.
  • Hardware: Cracking is computationally intensive. A powerful GPU significantly speeds up the process.
  • Legal: Only attempt cracking databases you have explicit permission to test. Unauthorized access is illegal.
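
How computationally intensive each guess is depends on the key-transformation round count stored in the .kdb header, so a database owner can read that value to judge how well a file resists the attacks above. The following is an added example, not part of the original guide: it parses the KeePass 1.x header and flags a low round count. MIN_ROUNDS is an assumed local policy value and the sample header is constructed for the demonstration.

```python
import struct

# KeePass 1.x header: 124 bytes, little-endian. Fields: signature 1 and 2,
# flags, version, master seed, IV, group count, entry count, contents hash,
# key-transform seed, key-transform rounds.
KDB_HEADER = struct.Struct("<4I16s16s2I32s32sI")
KDB_SIG = (0x9AA2D903, 0xB54BFB65)
CIPHERS = {2: "AES", 8: "Twofish"}   # cipher bits in the flags field
MIN_ROUNDS = 600_000                 # assumed local policy, not a KeePass default


def inspect_kdb_header(data: bytes) -> dict:
    """Return the settings that decide the cost of one master-password guess."""
    if len(data) < KDB_HEADER.size:
        raise ValueError("truncated file: a .kdb header is 124 bytes")
    (sig1, sig2, flags, version, _seed, _iv, groups, entries,
     _digest, _tseed, rounds) = KDB_HEADER.unpack_from(data)
    if (sig1, sig2) != KDB_SIG:
        raise ValueError("signature mismatch: not a KeePass 1.x database")
    return {
        "version": f"0x{version:08x}",
        "cipher": [name for bit, name in CIPHERS.items() if flags & bit],
        "groups": groups,
        "entries": entries,
        "rounds": rounds,
        "below_policy": rounds < MIN_ROUNDS,
    }


def sample_header(rounds: int) -> bytes:
    """Constructed header with zeroed seeds, for demonstration only."""
    return KDB_HEADER.pack(*KDB_SIG, 0x03, 0x00030002, bytes(16), bytes(16),
                           2, 5, bytes(32), bytes(32), rounds)


if __name__ == "__main__":
    for rounds in (6_000, 1_000_000):
        info = inspect_kdb_header(sample_header(rounds))
        verdict = "raise the round count" if info["below_policy"] else "ok"
        print(f"rounds={info['rounds']:>9} cipher={info['cipher']} -> {verdict}")
    # To audit a real file, pass its first 124 bytes:
    #   with open("database.kdb", "rb") as f: inspect_kdb_header(f.read(124))
```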