This post shows how attackers can use Hashcat to crack an encrypted vault protected by a weak password, in the context of the LastPass breach of 2022, which also exposed emails, home addresses, and names.
I will explain in detail how attackers can exploit stolen encrypted vaults by using tools like Hashcat to crack vault passwords and gain access to confidential login credentials.
I will simulate stolen data by using my test LastPass account to extract a vault from the Chrome Browser extension on macOS. To then access the contents of this vault, I will perform a brute-force attack with a wordlist, as the password is weak and can be easily guessed.
What happened to LastPass?
LastPass suffered a data breach in August 2022, in which customer data and source code were stolen, and which caused a lot of customers to panic. LastPass didn’t do a good job of letting the public (and customers) know how bad the breach actually was.
What was stolen?
- a backup of customer vault data
- company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses
- source code and other intellectual property
What are the consequences of having a vault stolen by attackers?
It matters a great deal, and how much depends on several factors. For example:
- How are the encrypted vaults stored in the cloud?
- Did a customer set a weak and easily guessed vault password?
- What is the key iteration (default or custom)?
- Other factors not covered?
This blog post is speculation based on the available information, for example the SQLite database used by the browser add-on and its contents. As I have no idea what form the stolen data takes or how it is encrypted, my theory can only be a calculated guess.
In the following sections I will show how to access the encrypted vault database from the Chrome extension and extract the specific values Hashcat needs for cracking.
LastPass Extension
The LastPass Chrome browser extension has a unique identifier, which is hdokiejnpimakedhajhdlcegeplioahd. You can verify this by entering chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html into the address bar; it will take you to the vault log-in page.
Consider it a local site that uses HTML and JavaScript inside your browser.
Extracting encrypted vault password
Every extension has its own folder, stored locally in a location that depends on the operating system.
According to the online documentation on the LastPass support page, Chrome on Windows computers saves vault data in the following path:
%LocalAppData%\Google\Chrome\User Data\Default\databases\chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0
The location is slightly different on macOS systems:
Note: I use two Profiles in Chrome, which is why you see Profile 1 rather than Default.
SQLite database
An SQLite file called 1, last written using SQLite version 3039004, should be present in this folder. The extension stores and uses encrypted vault data in this location.
➜ file 1
1: SQLite 3.x database, last written using SQLite version 3039004, file counter 21, database pages 22, cookie 0x5, schema 4, largest root page 11, UTF-8, vacuum mode 1, version-valid-for 21
The database contents can then be viewed using a program such as DB Browser for SQLite. I also copied the file to my Desktop and renamed it lastpass-vault-macos-chrome.sqlite to make it simpler to remember.
All of the important information is kept in a table named LastPassData.
These three items are required to begin cracking LastPass vault passwords with Hashcat:
- Key value
- Iteration count
- Account email address (hashed in the database)
These need to be formatted like so: KEY:ITERATION:EMAIL
Key Value
To obtain the key value, find the row where the type column has the value key, and then choose the second row in the data column, e.g. T4vInfZ+6MGDeEendq4gvA==.
You can also execute the following SQL query:
SELECT substr(data, -24) FROM LastPassData WHERE type = 'key';
The value is base64 encoded; you can decode it and get the hex value with:
echo "T4vInfZ+6MGDeEendq4gvA==" | base64 -d | xxd -p
We now have the first requirement: 4f8bc89df67ee8c1837847a776ae20bc
Iteration count
To retrieve the iteration count, find the row where the type column has the value accts, and then take the first few characters before the ; in the data column. In 2018, LastPass updated the default iteration count from 5000 to 100100.
You can also execute the following SQL query:
SELECT SUBSTR(data,0,INSTR(data,';')) FROM LastPassData WHERE type = 'accts';
We also now have the second requirement: 100100
A hashed email address value is stored in the database. However, because the latest LastPass hack includes email addresses, we know that attackers already have this information. I’m not going to reveal the email address I used for the purposes of this blog.
Formatted hash
With all three requirements in place, the hash should look like this:
4f8bc89df67ee8c1837847a776ae20bc:100100:[email protected]
Cracking LastPass vaults with Hashcat
As a proof of concept (PoC), I cracked passwords on my MacBook Air with the M1 chip. The speed was absolutely atrocious at 1110 H/s (hashes per second), but it worked. Attackers, on the other hand, can use multi-GPU device configurations with optimized drivers to achieve rates of 2,000,000+ H/s.
I downloaded the popular rockyou.txt wordlist and added my actual vault master plaintext password inside as an example of brute-forcing vaults with weak passwords. I then configured Hashcat with the following options:
hashcat -a 0 -m 6800 lastpass-hash.txt ~/Downloads/rockyou.txt
- -a 0: attack mode (wordlist)
- -m 6800: LastPass hash algorithm
- lastpass-hash.txt: the formatted hash (KEY:ITERATION:EMAIL)
- rockyou.txt: wordlist of plaintext passwords, plus my password
And with that, the master vault plaintext password has been successfully obtained.
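From the defender's side, the iteration count stored in the accts row decides how quickly a copied vault can be guessed against. The Python sketch below is an added example, not code from the original post: it reads that count from a local copy of the database, flags values below the 100100 default, and scales the 1110 H/s measured above to estimate how long a wordlist run would take. The two-column table in sample_db and the wordlist size are constructed assumptions.

```python
import sqlite3

CURRENT_DEFAULT = 100100  # default iteration count since 2018, per the post
LEGACY_DEFAULT = 5000     # default before 2018, per the post

def read_iteration_count(conn):
    """Return the iteration count stored before the first ';' of the accts row."""
    row = conn.execute(
        "SELECT data FROM LastPassData WHERE type = 'accts'").fetchone()
    if row is None:
        raise LookupError("no 'accts' row; is this a LastPass vault database?")
    data = row[0].decode("utf-8", "replace") if isinstance(row[0], bytes) else str(row[0])
    prefix, sep, _ = data.partition(";")
    if not sep or not prefix.isdecimal() or int(prefix) < 1:
        raise ValueError("accts data does not start with '<iterations>;'")
    return int(prefix)

def wordlist_seconds(iterations, wordlist_size, rate_at_default):
    """Seconds to try every wordlist entry, given a guess rate measured at
    CURRENT_DEFAULT iterations. Key-derivation cost grows linearly with the
    iteration count, so fewer iterations means proportionally more guesses/s."""
    rate = rate_at_default * CURRENT_DEFAULT / iterations
    return wordlist_size / rate

def audit(conn, wordlist_size=14_000_000, rate_at_default=1110):
    """Summarise the exposure of a vault copy. Defaults: a constructed wordlist
    size and the 1110 H/s the post measured at 100100 iterations."""
    n = read_iteration_count(conn)
    return {"iterations": n,
            "below_current_default": n < CURRENT_DEFAULT,
            "wordlist_seconds": wordlist_seconds(n, wordlist_size, rate_at_default)}

def sample_db(accts_data):
    """Constructed in-memory stand-in for the extension database: only the
    type and data columns named in the post, with a placeholder payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LastPassData (type TEXT, data TEXT)")
    conn.execute("INSERT INTO LastPassData VALUES ('accts', ?)", (accts_data,))
    return conn

if __name__ == "__main__":
    for n in (LEGACY_DEFAULT, CURRENT_DEFAULT):
        print(audit(sample_db(f"{n};CONSTRUCTED-PLACEHOLDER")))
    # For a copy of your own database, open it read-only instead:
    # sqlite3.connect("file:lastpass-vault-macos-chrome.sqlite?mode=ro", uri=True)
```

On the constructed data, the same wordlist run finishes about 20 times sooner at 5000 iterations than at 100100, which is why an account still on the old default deserves both a higher iteration count and a new master password.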