
Cracking encrypted Lastpass vaults

Posted on 25 December 2022 by RiSec.Mitch

Table of Contents

  • What happened?
  • What can attackers do with the stolen vaults?
    • Lastpass Browser extension
    • Extracting encrypted vault
    • Lastpass SQLite database
      • Key value
      • Iteration count
      • Email
      • Formatted hash
  • Cracking Lastpass vaults with Hashcat
  • Useful Links and References

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault.


In this post I will go into technical details on what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack the master vault password and get access to sensitive log-in credentials.

To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome Browser extension on macOS. Following this, I will bruteforce the vault.

What happened?

The Verge published an article which includes a great summary of the breach. There is also a blog post by Lastpass themselves. To summarise, in August 2022 Lastpass suffered a data breach in which customer data and source code were stolen. Lastpass did a poor job of letting the public (and its customers) know how bad the breach actually was.

What was stolen?

  • a backup of customer vault data
  • company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses
  • source code and other intellectual property

What can attackers do with the stolen vaults?

It really depends; there are a lot of things to consider. A few that spring to mind are:

  • How are the encrypted vaults stored in the cloud?
  • Did a customer set a weak and easily guessed vault password?
  • What is the key iteration (default or custom)?
  • Other factors not covered?

Since I don’t know what the stolen data looks like, or how it is encrypted, this blog post is only a theory and an estimate based on data I do have access to: the SQLite database used by the Browser extension and the data within it.

In the next sections I will demonstrate how to extract the encrypted vault database from the Chrome extension and pull out the specific values needed to start cracking with Hashcat.

Lastpass Browser extension

On Chrome Browsers each extension has a unique ID. The Lastpass extension uses hdokiejnpimakedhajhdlcegeplioahd as the ID. You can confirm this by visiting the URL chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html in your address bar. You will be presented with the vault log-in page.

You can think of it as a local site that uses HTML and JavaScript within your Browser.

Extracting encrypted vault

All extensions have their own folders which are stored locally on the system in various locations depending on OS.

According to the Lastpass support page, devices using Chrome Browsers on Windows systems store the vault data in the following path:

%LocalAppData%\Google\Chrome\User Data\Default\databases\chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0

On macOS systems the location is slightly different:

Note: I use two Profiles on Chrome, hence why you see Profile 1 instead of Default.

Lastpass SQLite database

In this folder a SQLite file named 1 (last written with SQLite version 3039004) should be present. This is where the encrypted vault data used by the extension is stored.

➜  file 1
1: SQLite 3.x database, last written using SQLite version 3039004, file counter 21, database pages 22, cookie 0x5, schema 4, largest root page 11, UTF-8, vacuum mode 1, version-valid-for 21

You can then use a tool like DB Browser for SQLite to view the database contents. I also copied it to Desktop and renamed the file to lastpass-vault-macos-chrome.sqlite so it’s easier to remember.


All the interesting data is stored in a table called LastPassData.

To start cracking Lastpass vault passwords using Hashcat you need three things:

  1. Key value
  2. Iteration count
  3. Account email address (hashed in database)

These need to be formatted like so: KEY:ITERATION:EMAIL

Key value

To retrieve the key value, find the row whose type column has the value key; the trailing 24 characters of its data column are the value you need, e.g. T4vInfZ+6MGDeEendq4gvA==

You can also execute the following SQL query:

SELECT substr(data, -24) FROM LastPassData WHERE type = 'key';

The value is base64 encoded; decode it and get the hex value with:

echo "T4vInfZ+6MGDeEendq4gvA==" | base64 -d | xxd -p

We now have the first requirement: 4f8bc89df67ee8c1837847a776ae20bc

Iteration count

To retrieve the iteration count, find the row whose type column has the value accts; the iteration count is the run of characters in the data column before the first ;. Lastpass changed the default iteration count in 2018 from 5000 to 100100.

You can also execute the following SQL query:

SELECT SUBSTR(data,0,INSTR(data,';')) FROM LastPassData WHERE type = 'accts';

We also now have the second requirement: 100100

Email

The database contains only a hashed form of the email address, but attackers already have this information, since the recent Lastpass compromise included email addresses. For the purposes of this blog, I am not going to share the email address which I used.

Formatted hash

With all three requirements in hand, the formatted hash should look like this:

4f8bc89df67ee8c1837847a776ae20bc:100100:[email protected]

Cracking Lastpass vaults with Hashcat

As a proof of concept I used my MacBook Air with the M1 chip to crack passwords. The speed was absolutely horrible, 1110 H/s (hashes per second), but it did work. Attackers, on the other hand, can leverage multi-GPU setups with optimised drivers that could easily reach speeds of 2,000,000+ H/s.

I downloaded the popular rockyou.txt wordlist and put my actual vault master password inside it (using a quarter of the wordlist), as otherwise it would have taken 6+ hours to crack. I then ran Hashcat with the following options:

hashcat -a 0 -m 6800 lastpass-hash.txt ~/Downloads/rockyou.txt
  • -a 0 attack mode Wordlist
  • -m 6800 Lastpass hash algorithm
  • lastpass-hash.txt hash formatted (KEY:ITERATION:EMAIL)
  • rockyou.txt wordlist of plaintext passwords

And there we have it, the master vault plaintext password successfully recovered.
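To make the iteration-count and hash-rate figures above concrete, here is an added example (mine, not the author's and not Lastpass or Hashcat code) that derives a vault key the way Lastpass does, PBKDF2-HMAC-SHA256 salted with the account email, and rescales the measured rates to show how long a wordlist attack takes at the old default (5000), the 2018 default (100100) and the 600,000 iterations OWASP currently recommends for PBKDF2-HMAC-SHA256. The sample email, password and rockyou.txt line count are constructed or approximate; lower-casing the email before use as salt is an assumption, and how the extension's stored check value is computed from the derived key is not shown here.

```python
import hashlib

# Constructed sample inputs; not the original post's real account values.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

# Figures quoted in the post: the 2018 default iteration count, the measured
# Hashcat rate on an M1 MacBook Air and the estimated multi-GPU rate.
OLD_DEFAULT_ITERATIONS = 5000
DEFAULT_ITERATIONS_2018 = 100100
OWASP_RECOMMENDED_ITERATIONS = 600_000
M1_RATE_HPS = 1110
GPU_RIG_RATE_HPS = 2_000_000
ROCKYOU_SIZE = 14_344_391  # approximate line count of rockyou.txt


def derive_vault_key(password: str, email: str, iterations: int) -> bytes:
    """Derive the 32-byte vault key as Lastpass does: PBKDF2-HMAC-SHA256 with the
    master password as input and the account email as salt.
    Assumption: the email is lower-cased before being used as the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), email.lower().encode("utf-8"),
        iterations, dklen=32,
    )


def scale_rate(rate_hps: float, measured_at: int, iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so a hash rate measured at
    one count (here 100100) can be rescaled to another count."""
    return rate_hps * measured_at / iterations


def worst_case_hours(candidates: int, rate_hps: float,
                     measured_at: int, iterations: int) -> float:
    """Hours needed to try every candidate against one vault at `iterations`."""
    return candidates / scale_rate(rate_hps, measured_at, iterations) / 3600


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_EMAIL, DEFAULT_ITERATIONS_2018)
    print("derived vault key:", key.hex())
    for label, rate in (("M1 MacBook Air", M1_RATE_HPS), ("multi-GPU rig", GPU_RIG_RATE_HPS)):
        for iters in (OLD_DEFAULT_ITERATIONS, DEFAULT_ITERATIONS_2018,
                      OWASP_RECOMMENDED_ITERATIONS):
            hours = worst_case_hours(ROCKYOU_SIZE, rate, DEFAULT_ITERATIONS_2018, iters)
            print(f"{label:15s} {iters:>7d} iterations: {hours:9.3f} h for all of rockyou.txt")
```

The takeaway for defenders is that the iteration count only scales the attacker's cost linearly, while a long, random master password scales the candidate space exponentially; accounts still on the old 5000-iteration default should raise it and rotate the master password.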

Useful Links and References

  • Lastpass Data Breach covered by The Verge (2022)
  • Lastpass new App hash extraction on Hashcat Forums (2020)
  • Lastpass hashes on Hashcat Forums (2013)
  • Hashcat lastpass benchmark (2013)
  • Breaking Lastpass by Elcomsoft (2020)
