The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault.
In this post I will go into technical details on what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack the master vault password and get access to sensitive log-in credentials.
To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome Browser extension on macOS. Following this, I will bruteforce the vault.
What happened?
The Verge published an article which includes a great summary of the breach. There is also a blog post by Lastpass themselves. To summarise, in August 2022 Lastpass suffered a data breach where customer data and source code was stolen. Lastpass didn’t do a good job at letting the public (and customers) know of how bad the breach actually was.
What was stolen?
- a backup of customer vault data
- company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses
- source-code and other intellectual property
What can attackers do with the stolen vaults?
It really depends, there are a lot of things to consider. A few things that spring to mind are:
- How are the encrypted vaults stored in the cloud?
- Did a customer set a weak and easily guessed vault password?
- What is the key iteration (default or custom)?
- Other factors not covered?
And since I don’t know what the stolen data looks like, or how it may be encrypted, this blog post is only a theory and estimation based on data I have access to. This includes the SQLite database used by the Browser extension and data within it.
In the next sections I will demostrate how to extract the encrypted vault database from the Chrome extension and pull out specific information to start cracking with Hashcat.
Lastpass Browser extension
On Chrome Browsers each extension has a unique ID. The Lastpass extension uses hdokiejnpimakedhajhdlcegeplioahd as the ID. You can confirm this by visiting the URL chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html in your address bar. You will be presented with the vault log-in page.
You can think of it as a local site that uses HTML and JavaScript within your Browser.
Extracting encrypted vault
All extensions have their own folders which are stored locally on the system in various locations depending on OS.
As per online documentation the Lastpass support page states devices using Chrome Browsers on Windows systems store the vault data in the following PATH:
%LocalAppData%\Google\Chrome\User Data\Default\databases\chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0
On macOS systems the location is slightly different:
Note: I use two Profiles on Chrome, hence why you see Profile 1 instead of Default.
Lastpass SQLite database
In this folder a SQLite file named 1 with the version: SQLite version 3039004 should be present. This is where encrypted vault data is stored and used by the extension.
➜ file 1
1: SQLite 3.x database, last written using SQLite version 3039004, file counter 21, database pages 22, cookie 0x5, schema 4, largest root page 11, UTF-8, vacuum mode 1, version-valid-for 21
You can then use a tool like DB Browser for SQLite to view the database contents. I also copied it to Desktop and renamed the file to lastpass-vault-macos-chrome.sqlite so it’s easier to remember.
All the interesting data is stored in a table called LastPassData.
To start cracking Lastpass vault passwords using Hashcat you need three things:
- Key value
- Iteration count
- Account email address (hashed in database)
These need be formatted like so: KEY:ITERATION:EMAIL
Key value
To retrieve the key value, search column type where value key, and then in the data column select the second row e.g. T4vInfZ+6MGDeEendq4gvA== as shown below:
You can also execute the following SQL query:
SELECT substr(data, -24) FROM LastPassData WHERE type = 'key';
It is base64 encoded, which you can decode and get the hex value by:
echo "T4vInfZ+6MGDeEendq4gvA==" | base64 -d | xxd -p
We now have the first requirement: 4f8bc89df67ee8c1837847a776ae20bc
Iteration count
To retireve the Iteration count, search column type where value accts, and then in the data column the first few charaters before the ;. Lastpass changed the default iteration in 2018 from 5000 to 100100.
You can also execute the following SQL query:
SELECT SUBSTR(data,0,INSTR(data,';')) FROM LastPassData WHERE type = 'accts';
We also now have the second requirement: 100100
The database contains a hashed email address value. But we do know that attackers already have this info since the recent Lastpass compromise included email addresses. For the purposes of this blog, I am not going to share the email address which I used.
Formatted hash
With all the requirements the hash should look like this:
4f8bc89df67ee8c1837847a776ae20bc:100100:[email protected]
Cracking Lastpass vaults with Hashcat
As a proof of concept I used my MacBook Air with the M1 chip to crack passwords. The speed was absolutely horrible 1110 H/s (hashes per second), but it did work. Attackers on the other hand can leverage multi-GPU device setups with optimised drivers that could easily reach speeds of 2,000,000+ H/s.
I downloaded the popular rockyou.txt wordlist and put my actual vault master plaintext password inside (using a quarter of the wordlist), otherwise it would take 6 hours+ to crack. I then set the following Hashcat options:
hashcat -a 0 -m 6800 lastpass-hash.txt ~/Downloads/rockyou.txt
-a 0attack mode Wordlist-m 6800Lastpass hash algorithmlastpass-hash.txthash formatted (KEY:ITERATION:EMAIL)rockyou.txtwordlist of plaintext passwords
And there we have it, the master vault plaintext password successfully recovered.
Useful Links and References
- Lastpass Data Breach covered by The Verge (2022)
- Lastpass new App hash extraction on Hashcat Forums (2020)
- Lastpass hashes on Hashcat Forums (2013)
- Hashcat lastpass benchmark (2013)
- Breaking Lastpass by Elcomsoft (2020)
Suggest an edit to this article
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- Google Open-Source Vulnerability Scanning Tool - 18 January 2023
- Polymorphic Malware Produced by ChatGPT - 18 January 2023
- Russian Hackers Repurpose Decade-Old Malware Infrastructure to Deploy New Backdoors - 8 January 2023
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu