Hi all,

I encountered a problem while trying to crack WPA/WPA2 hccapx file with hashcat 4.1.0, I am running Windows 10, after the "Initializing device kernels and memory...Insufficient memory available" hashcat32.exe has stopped working popped up and the whole process stopped, any guidance will be deeply appreciated.

hashcat32.exe -m 2500 -D 2 -a 0 -O test.hccapx passwords.txt
hashcat (v4.1.0) starting...

* Device #1: Intel's OpenCL runtime (GPU only) is currently broken.
             We are waiting for updated OpenCL drivers from Intel.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 530, skipped.
* Device #2: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.

OpenCL Platform #2: NVIDIA Corporation
======================================
* Device #3: GeForce GTX 1060, 1536/6144 MB allocatable, 10MCU

./OpenCL/m02500-optimized.cl: Optimized OpenCL kernel requested but not needed - falling back to pure OpenCL kernel
Hashes: 2 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Initializing device kernels and memory...Insufficient memory available
Dictionary cache built:
* Filename..: passwords.txt
* Passwords.: 14347949
* Bytes.....: 154295673
* Keyspace..: 14347942
* Runtime...: 2 secs

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

I'm noticing that a file named show.log is being created on my server, even though I don't intend for it. Does that get created any time I use --show or is there some other combination of flags making that be created?

Hi,

I need to unlock a few old excel files and I chanced into hashcat by reading this article:
http://pentestcorner.com/cracking-micros...h-hashcat/

Follow through the steps mentioned but kept getting the "Failed to parse hashes using the 'native hashcat' format." error.

Command I use:

hashcat64.exe -a 0 -m 9700 --username -o found.txt hash.txt pass.txt

I have no clue regarding the password or the version of the Excel file is.

Please help. Heres the entire message that I got:

---------------------------------------
hashcat (v4.1.0) starting...

* Device #1: This hardware has outdated CUDA compute capability (2.1).
             For modern OpenCL performance, upgrade to hardware that supports
             CUDA compute capability version 5.0 (Maxwell) or higher.
* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetTemperatureThreshold(): Not Supported

nvmlDeviceGetTemperatureThreshold(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: Quadro 2000, 256/1024 MB allocatable, 4MCU

./OpenCL/m09720_a0-optimized.cl: Pure OpenCL kernel not found, falling back to optimized OpenCL kernel
Failed to parse hashes using the 'native hashcat' format.
No hashes loaded.

Hi Atom, Hi to all,

Ivan here from ancient sl3net.com. I'm sure you remember SHA2 BF SL3 Algo you did hate so much and me from that time.
This is a real cool thing, SL3 BF was not, agreed.

Pls check, might be interesting... Fair GPU mining, No ASIC, No NiceHash... ATM only Nvidia GPU can properly mine this type of coin...

https://ravencoin.org/wp-content/uploads...aper-3.pdf


Regards
Ivan

Hi

I have a Lotus User ID password in which I need to crack open.

Have no idea of the version nor password length since it was used a long time ago in the office.

The problem is my hashing results with "lotus2john.py" is nowhere close to the examples given in the page:

lotus2john.py user.id

user.id:6247FE2575XXXXXXXXEB73CF63EECEB719XXXXXXXXF2A202FE23A29BXXXXXX9BA06DBC792191XXXXXX86697B14D36F394C67XXXXXXXX668F

Hopefully someone can help.

Hi,

On the page https://haveibeenpwned.com/Passwords one can download the Pwned Passwords list, which is a list of 500 millions SHA-1 hashed passwords.
Hashcat tell me "Insuficient memory" when I load this hashlist. I guess 500M is quite a lot.

The only solution is to split this list into chunks?

Thanks.

Weird scenario and at the mercies of intellectual and technological beings surpassing myself in this arena:

I am a first year medical student. I decided to buck the system and make a 12” iPad Pro my main note taking device for school instead of a laptop (love me some Apple Pencil). I collected documents, lectures, and all my notes on the device most of which are irreplaceable and represent 1000+ of hours of work.

When I pre-ordered this 500gb model from Apple I felt like my destiny wasn’t to include the particular type of despair I am encountering. I got the device and immediately noticed alot of input problems with it. Still, and once the semester had begun, the thought of sending my only means of studying aside from paper and pencil off for several weeks for Apple to check it out, didn’t seem feasible. So I waited until the first year was over to pursue getting the device repaired or replaced under warranty. I obviously was advised to back the device up in iTunes and factory reset it prior to shipping, which I did. I did not choose to encrypt it by assigning a password on it. I performed the steps and sent it in. I received a total device replacement within the same week, to my surprise, and approached the backup to restore my new device and my data.

This is where my recently onset depression began. I click to restore it, and iTunes asks for the password for the backup. I scratch my head, and once I realized this situation was for real, I start punching in every password I can recall using for anything in my digital life. Not a single one works. Not my Mac login password, my Apple ID, my unlock code for the first defective iPad.. etc. So I call Apple, and to my dismay, the rep tells me there is literally nothing they can do. They were kind enough to suggest a few software titles that she felt might help my new quest, but concluded in telling me good luck. From what I gathered, and which was part of my initial argument as to why Apple should consider helping me, is the fact that password/encryption interfacing with iTunes, is actually not in iTunes but in the device to be backed up’s kernel. Where this device was so defunct the warrant a new replacement, it doesn’t surprise me that it glitched an encryption password in making the back up, but scares the hell out of me as it could be a string of all character’s/digits/caps; similar to the “safari suggested password” format for all I know (potentially replete with dashes and all other curious wonders that make this adventure so great to be facing). As I have spent a week learning the world of hacking (which I knew nothing about prior) I have seen the dire circumstances of being in a realm of “hashcatting” with no confidences or information to select a decent mask that could shave off the millions of years I have garnered from my most recent purchase, passware, which reported such upon buying a second GTX 970, seeing ~131,500 p/s and feeling boss clicking “GO” on a straight 1-18 brute force of UC/LC/SC/ + space. Jaw drops when I see millions of years ETA. I do have a hash generated using the hash script for IOS >=10 found hereabouts on the site, and do report my iPad had IOS version 11.3.1 at the time f backup. My backup is 270gb. Other random hardware notes = MSI x99-A Raider mobo, 5820K 6 core processor, 16gb ddr4, 2 GTX 970 GPUS. (I know it’s weak; I just thought maybe buying a second might render my solution a handful of weeks away, now millions of years). I know my current hardware is unfeasible, but if there was a hypothetical hardware configuration that could be purchased for even 10 grand, I would love to have the context on what would be needed. I am trying to deduce if there be a solution SOMEWHERE; whether it be an OP entity who might show pity on me, a 3rd party service that wouldn’t make me sell them my soul, or if building a system of 4 TITANp GPUs might make this possible. I have no clue here pros.

I am seeing that my important and irreplaceable information may be stolen and destroyed forever, but seek the hashcat community to chime in with anything you all might suggest; in terms of what you might do in my situation, what hardware configuration might be able to handle such a horrible request, or services by anyone with methods and technologies that could help me for a price I could somehow afford.

Please help my dear gentlemen of the mask. Alms; alms for the poor.

Hi guys, 
I'm new to Hashcat, but I've had some success with WPA2 cracking, so I'm looking to audit the security of our web app, but I'm struggling with the format of the hashes

Our logins are salted and hashed using https://github.com/Thashiznets/PWDTK.NET/, which I believe from reading the source code hashes to  PBKDF2-HMAC-SHA512


We're using 1000 iterations and the default salt length of 64. Once we've created the hashes, we're storing them along with the salts in a Sql server database in a varbinary field. This results in some pretty long values, and they are stored as hex prefixed with 0x. 

I'm popping these into a hashfile (still in hex, removing the 0x, although I've also tried with it still in place) in the format;

sha512:1000:<salt>:<hash> and then using the command;

hashcat -m 12100 hashfile dictionary

But I'm hitting line signature mismatches. I've looked at the example hashes for 12100, (which is where I got the hashfile format from), and the values in that sample look (to me!) to be base64 encoded. I've encoded each of the salts and hashes and re-ran, but then I'm getting line length exceptions. I've also noticed that the encoded values are MUCH longer than the sample hash. I can't seem to find any info on telling HC that the hashes are in hex format or had any success with seeing where I'm going wrong

Can anyone offer any advice or places to look for further info?

I erased about half of the private key to my ethereum wallet. I still have the entire public address that it needs to match. It was generated with myetherwallet and i no longer have the keystore.json file unfortunately. I have an AWS account and am wondering if GPU cracking from an instance there would be enough to find the missing 32 characters. If so, how would one go about using hashcat to find the missing characters? I see a lot of posts about recovering the password to the json file, but nothing about private key/wallet address use cases. Any help would be appreciated

Hello Fellow Crackers

I am planning on building a new hashcat rig with a budget of 3000 euros. 

I made the following graph based on the actual prices:

                ntlm MH/s    Price     price/ntlm         amount        total ntlm      Total gpu cost
1080ti       52715.6       800       0.015175773    2                  105431.2      1600
1080         41354.8       580       0.014024974    4                  165419.2      2320
1070ti       39107.7       495       0.012657354    4                  156430.8      1980
1070         29890.8       470       0.015723902    4                  119563.2      1880

I currently have the following rig:

• i7 3770
  
• 32gb 1333mhz ram
  
• P8Z77-M PRO (mATX)
  
• 2x gtx 760 fe
  
• 1600 watt psu
  

So I am thinking of buying new cpu, mobo and ram:
i5 8400                                          183,-
Corsair vengeance 32GB 1600mhz    311,-
Asus ROG Maximus X Apex              311,-
4x 1070ti                                       1980,-

for a total of 2781,-

I still have a couple of questions:

1. Does the CPU matter for hashcat?
   
2. Does the amount of ram matter for hashcat?
   
3. Does the speed of the ram matter for hashcat?
   

I would like to hear your guys opinion and feedback.

For example,
Lets say I have a hccapx file with 5 handshakes from the same network (ssid/salt) and I have a wordlist that contains the correct WPA passcode....

Would hashcat crack the password faster if I removed 4/5 handshakes from the hccapx file? And if so, what's an easy method to remove the excess handshakes?

I haven't changed anything on system, but Hashcat she is acting weird lately. I have recently started receiving these errors after running Hashcat for a few minutes.

Mostly these two errors.
clWaitForEvents(): CL_UNKNOWN_ERROR
clGetEventProfilingInfo(): CL_UNKNOWN_ERROR

Sometimes these errors.
clGetEventPrCL_INVALID_COMMAND_QUEUE RESOURCES
clFinish(): nts(): CL_UNKNOWN_ERROR

Hashcat won't give any errors and run fine when running with lower clock rate/power limit than what I have always been running. That's what I find odd and doubt it's just a driver issue.
I even did a fresh install of OS, drivers and Hashcat on spare drive and still receive errors with clock rate/power limit of what I always run. Makes me think it's hardware related now, could be?

hi,all
i got a half md5 hash value,and i am sure the password contain some number parts,how to use mask;

hash value E3DC86917650198B
password contain 4 parts: 200002        2018053019184400        100       426
maybe contain the 5th part ,but i dont know what it is 
and the order of that 4 parts is unknow,password length is also unknow.

eg.
halfMd5(200002 + 5th part + 2018053019184400+100+426)  = E3DC86917650198B
halfMd5(200002 + 2018053019184400 + 5th part +100+426)  = E3DC86917650198B


According to this situation,how to set mask ? thank u guys

What does this tip mean when you break it?
"INFO: All hashes found in potfile! Use --show to display them."

Hey guys!
my company currently has a rid with X10DRG-Q motherboard and 4x1080 inside.

however, looking at the specs i see "4 PCI-E 3.0 x16, 2 PCI-E 3.0 x8 (1 in x16), 1 PCI-E 2.0 x4 (in x8)",
so that is a total of 7(?) PCI-e.

i was told that when it was purchased the company that sold it said only 4 fit, so i assume that if there are 8 PCI-e slot they meant physically.

is there ANY way to fit more? (6 or even 8 total) cards in that sort of Motherboard? maybe an extension for the PCI slots so they don't block other slots?

thank you!

Hi everybody ,

Anytime I want to run a brute force attack with masks or a rule based attack I have really really long estimated time now I just tried another time a brute force attacks with masks and the estimated time is 40.000 years !!!
I use a Macbook Air for the moment but i'll buy a PC laptop with linux soon .

Here is the command I used : 

./hashcat -m 2500 -a 3 -1 ?l -2 ?l?u?d?s -3 ?d hash file ?2?2?2?2?2?2?2


Can you please tell me how to fix this ?


Thanks a lot

Why need to recover MS excel lost password, obviously if any reason made excel sheet locked and unable to reopen then it can be possible via a best technology or any such idea which can retrieve lost excel sheet password and allows to unlock MS excel file again as earlier.

This kind of issues can smoothly solve via online third party tools, it would be helpful to review Microsoft excel file which easily either remove or recover unaware password and permits user to recall last putted password.

Free Download tool tells user to know how to recover lost excel password, which can at least tells user to take a trial at no cost.

So what are you waiting for, if any body of you is struggling with the same issue then can go online and make a search to recover Excel File Sheet to unlock xls/xlsx file password.

There are several online tools available online, choose one best Microsoft Excel File Password Recovery Tool like telling about one........may be you can get right information from there......
https://gallery.technet.microsoft.com/MS...y-cd007604

Is it possible for me to pay 0.5-1 BTC for either Hashcat official or a 3rd party developer to add support for legacy PkZip? The Github issue is here https://github.com/hashcat/hashcat/issues/69 but I'm willing to pay BTC to move it along because there is no progress since 2013.

So I found this I wanted to work with https://blog.cynosureprime.com/2016/07/m...eyond.html

Original- 99999999:0x30DA9C34BCA61201E7EA326F70BD4BE04120D7

So what I was trying to run was this- 30DA9C34BCA61201E7EA326F70BD4BE04120D7

But everytime I tried to run the hash I kept getting invalid length errors or it would say there is no hash and or corrupted.

I went thru the example hashes here https://hashcat.net/wiki/doku.php?id=example_hashes

but I couldnt get anything to work. Could someone please lead me in the right direction of how to do this?

Some days ago I was privately (via PMs) contacted by a hashcat user and they asked if I knew if hashcat could deal with database files from RoboForm (a seemingly well-known and often recommended password manager).

Of course, since I do not remember seeing it in the --help output or within the example hashes page, I said that it is probably not working with hashcat. It is not supported. I also didn't find much information about the format with simple web searches (besides the faq/marketing pages of the vendor itself). Therefore, at least the first web searches suggested that the format is proprietary and not well-known/analyzed yet (I didn't really perform extensive searches from that point on, maybe some analysis was already done and I just didn't find it).

I decided to try to see if I can find out myself what RoboForm is doing with the provided sensitive data (when it comes to the encrypted password storage).
Therefore, I've downloaded and installed the RoboForm portable software which was also used by the user asking for help with these .rpf files (they had a "Contact Info.rpf" file, the default file used by this password manager... from which you can determine the master password). By the way, it seems that RoboForm is trying to priorize/push the webextension alternative instead, which is just a browser extension for the most common browsers and this alternative/new version is meant to sync with their server all the time (I think there are some "offline" options, but its main idea is probably more like a "sync with all devices everywhere and we keep your passwords securely stored on our servers" password manager). I think that the main reason that RoboForm doesn't really maintain/prioritize the offline version (like the RoboForm portable version) anymore is also that modern browsers made it a little bit more complicated to integrate a native software with the modern webextension standard (for instance older browser extensions for firefox had more permissions/possibilities and they are more limited now)... but I could also be wrong here.

Anyway, I decided to analyze this .rpf file format (offline RoboForm Passcode file), even if it seems that it won't be the most used format by the RoboForm users in the future (the webextension version seems to use .json files for temporary "encrypted" master password storage), because the majority probably will use the browser extension directly and sync with the RoboForm servers.

This is an example of such a file I generated with the windows software:



As you can see immediately, it is kind of a weird format. It seems that there are 3 different parts/sections (URL3:ver3:, +PROTECTED-2+ and the final section after the 2 new lines).
This is also what I've immediately noticed: it's not a "binary" format and the number of distinct characters after the +PROTECTED-2+ is exactly 64. My first idea was that these are base64-encoded strings, but with non-standard alphabet.

It's also important to note that you can use the software to protect and "unprotect" the file and therefore you can somehow observe what is going on (e.g. to see what the main/raw data stored by these files is). For instance you can immediately see that if the file is protected it is suddenly much, much longer (which is kind of weird, because why should the encrypted data use thaaaaat much more bytes?).
                                                                                                                                     
I've also immediately noticed that there is kind of a line-length limit within the file of around 50 characters per line (starting with the PROTECTED line). It's also funny that whenever there is a combination of shorter lines the lines together are again 50 characters long (it seems that if there are additional new line characters within the string/line the output format doesn't really consider it, it will still add additional newline characters after exactly 50 characters). Therefore, it first seems to be weird that some lines are not of the same length, but if you think about this strict newline-after-50-character rule and that some lines already could contain newline characters before the string was written to disk, it kind of makes sense.                                             
                                                                                                                                     
Back to the base64 encoding: if you create some .rpf files (this is what I did but it turns out that it would be enough to have just one of them to discover this) and look at all the different characters used below the PROTECTED line, it turns out that the characters used are exactly 64 characters from 0x20 to 0x5f (ascii " " to "_"). This seems to be a convenient choice for the alphabet because you could just add +32 (0x20) to each raw byte to encode the data (if the characters are used in sequence). Therefore, there would be no need for a base64-character-lookup table etc. This was basically just an educated guess I made, I wasn't too sure about it yet. Therefore I tried to base64-decode the parts with this base64 encoding/decoding scheme.

It also turned out that only the final/third part of the file changes whenever you change the master password of the RoboForm file. The other parts "stay" the same.

Of course, by base64-decoding the parts I wasn't really able to see much (let alone the plaintext passwords)... after all the data/passwords had to be encrypted too of course!

I reviewed again what the options by the RoboForm software are and what the RoboForm web page says about the encryption and key derivation.

The default option by the native software (and description on their web sites too) seems to indicate that they are using AES encryption and the key derivation should be using pbkdf2-hmac according to the web page. Again, I just did go all-in with this little information and tested if I can come up with a working AES decryption key or something like this (remember I already had the - maybe-wrongly - base64 decoded encrypted data).

Long story short (I didn't plan to write a novel here after all!), I pretty quickly discovered (I admit I was pretty lucky after all! It normally doesn't work that easily) that there are some bytes (2 bytes!) within the first bytes of the base64 decoded data (the decoded version of the final part after the two new lines) that always match with parts of the pbkdf2-hmac-sha1 hash of the password using 1000 iterations and the first 8 bytes of the 3rd part of the file as the data part of the hmac. Why did I even consider using the first few bytes as input? Well, we all know that most AES modes of operation need some IV and my thought was that there is either a footer or a header where some "metadata" is stored for the encryption. Back to the pbkdf2-hmac-sha1: whenever I've tried to change the master password with the software, the now changed 2 bytes also matched the pbkdf2 output of the new password! That's kind of weird. I immediately started wondering why this was the case, why are there parts of what I thought to be the "encryption key" within the base64-decoded (and until then I thought this could also be the "encrypted") data ? That doesn't really make much sense.
BTW: at that time I already manually generated at least hundreds of different .rpf files (using different passwords and all saved to disk to "compare" them)! Therefore, it still took me a little bit, but the pattern with the 2 bytes that I've found was quite easy to discover given all these collected examples, because I knew from the RoboForm FAQ that pbkdf2-hmac was used and I also knew the passwords and base64-decoded data of all of these files (and of course hmac always needs 2 inputs, password and some data, but what could the data be ? Some data from the start was my guess and I was right!).

My conclusions (after some further investigation):
- the first 8 bytes of the base64 decoded 3rd part of the file seem to be random (something like an initialization vector was my idea)
- the next 2 bytes can be found within the pbkdf2-hmac-sha1 output of the password (the 33th and 34th bytes of pbkdf2-hmac-sha1)
- the next 10 bytes seem to be some kind of a file checksum (this took me a little bit, because it also seemed to be random data)
- the main data starts after the 8+2+10 (the bytes mentioned above)
- the main data is always/exactly 1024 bytes long (if the raw data is short, below this limit) ! (hmm, my thought: maybe the data is filled with random bytes, before or after the main data?)
- we have a total base64 decoded length (again this is the investigation of the 3rd part of the file) of 8+2+10+1024=1044 bytes

Fast forward again: with some further educated guesses and observations I've found out that the first 16 bytes of the pbkdf2-hmac-sha1 output are used for the AES encryption and the next 16 bytes are used as a "key" for the file checksum (now this all started to makes sense, because we now have 16 bytes for encryption/decryption, 16 bytes for calculating the checksum and 2 bytes that we already found within the "header" of the encrypted data). Now all bytes up to the 34th byte of the pbkdf2 output are used somewhere. Bingo!

I tested some modes of operation of AES and I was lucky to pretty quickly find out that the CTR mode is used (well, there aren't that many AES modes widely used after all and if you finally have found some non-random looking plaintext and your "note" that you have saved with the software is within the decrypted output, you can be sure that you used the correct key and AES block cipher mode of operation). This (AES-128-CTR) is actually an interesting choice... it means that the 16-byte ciphertext blocks themself do not depend strictly on each other, they are kind of independent. This probably also makes data forensic/data recovery much, much easier. Each 16-byte block is kind of independent (well, you still have the increasing counter, but that's it!), it's not like the CBC mode where one ciphertext block depends on the previous one and each change within the input bytes significantly changes all later blocks.
If you think about it, a hardware/encryption problem (bit flips with misbehaving RAM etc) could make the checksum invalid, but you could still recover some 16 byte blocks (and if you are lucky enough you could recover exactly the bytes/blocks that contain the password data).
By the way, the key used for AES is 16 bytes long (AES-128-CTR, 32 * 8 = 128) and therefore the IV should also be 16 bytes long... but we only have 8 bytes within our 8+2+10 header. It turns out that the IV used is just using zero bytes for the remaining 8 bytes (you could just append 8 NUL-bytes to the 8 bytes from the beginning of the decoded 3rd part of the file because the counter is using little endian anyway).

My assumption about the always-to-the-1024-byte-limit-filled data turned out to be true: the decrypted data had leading seemingly random data before the main data. It's also interesting that the random data does never contain NUL-bytes, except that its last byte is *always* a NUL-byte (which seems to separate the random data from the important data, the notes/passwords etc).
Therefore, the decrypted data (decrypted with the first 16 bytes of the pbkdf2-hmac-sha1 1000 iteration key of the password, with AES-CTR. The counter itself is using little-endian + RFC3686 incrementing, i.e. it starts with the IV + 1 as a counter for the first block and each 16 byte block after that uses an always by +1 incremented counter) has some kind of preceding garbage data (not containing, but ending with a NUL-byte).
My feelings were kind of two-fold when I discovered all of these details: it's kind of understandable that the random data was used to make it more difficult to misuse the checksum (explained below) to guess the sensitive password data etc... but all in all I already had the impression that all these concepts used here are mostly just obscuring the data, not really protecting/securing the data (security by obscurity?). I mean, why do you use such a weird proprietary file format? Why do you use a non-default base64 encoding, why do you really need to have some bytes of the key within the viewable (base64 decoded) output (well, I know that you can determine that the password is correct even without decrypting the data... but it's also kind of dangerous because also crackers can use this as an early reject check, even though with only 16 bits there could be "some" collisions)? Why do you not publicly mention the details about the format (such that for instance other password managers could easily import these files etc)?... all in all very strange format and many things do not really make sense from a security point of view (I instead got the impression that they want to hide/protect something... but as you can see, it's way to easy to find out what is going on just by looking at the bytes changed within the output and making educated guesses about the key derivation and encryption/decryption scheme).

What does this all mean for users that want to recover data from these files or recover the master password? Hashcat could probably easily add a new hash mode that does the pbkdf2-hmac-sha1 and check the 2 bytes (the 9th and 10th byte within the decoded form of the 3rd part of the file must match the 33th and 34th byte of the pbkdf2-hmac-sha1 output), if they match it could try to decrypt the last 16 byte block and see if some expected bytes (like a sequence of carriage return and line feeds) match or alternatively if the entropy is low enough such that we can assume the bytes were correctly decrypted with AES-128-CTR (default encryption setting of the software, there are others too, but I do not think they are widely used).

What happened with the original request of the user asking for help? Well, it seems that by the time I figured all out, they were already done (automatically!) testing several candidate passwords with something like autohotkey (only a few password candidates led to the discovery of the correct password). Therefore, it seems that the meaningfulness (and my motivation, hehe) for adding this scheme is pretty low currently. I also have no clue how many users use this password manager and use the offline version which uses these .rpf files. Well, if you want that hashcat support this, you should probably request it on github.

By the way, I've also found out later on how the 2nd part of the file is encrypted. It always uses DES (Data Encryption Standard) and a fixed hex key: 1206101300000000 (this file/data part does not depend on the password, therefore it doesn't change when the master password is changed, the key seems to be hard coded and can be easily found multiple times by binary grepping the executable file/DLL, I think you need to search for 1200060010001300 because of unicode). It seems weird to me that such an useless form of protection/encryption (that uses a static, hard coded and easily greppable key) is used at all. At least this part of the file doesn't seem to normally contain very sensitive data. Again, you need to first base64 decode the data after +PROTECTED-2+ up to the 2 newlines (all other newlines within the file that do not separate the 3 "parts" can/should just be removed/skipped/ignored).

The 10 byte checksum (after the 8 byte IV and 2 bytes of the 34 byte key derived by pbkdf2-hmac-sha1) within the (decoded) 3rd part of the file are just a truncated version (the first 10 bytes) of hmac sha1 of the following 1024 bytes (in most situations the stored data by the user doesn't exceed this threshold, I guess, otherwise it probably would be using all the remaining bytes) of raw data (not the encrypted bytes). The key/password for this "hash"/checksum is basically just the 16 bytes substring of the pbkdf2-hmac-sha1 of the password with offset 16 (remember: first 16 bytes of the 34 bytes are used for the AES encryption, the next 16 bytes are used by the checksum algorithm and the next 2 bytes also found within the 8+2+10 header for the "quick" password check).

The first part of the file (after URL3:ver3 is also kind of base64 encoded (not exactly! See example below. It is also never encrypted), but it seems that it inverts all input bits (bitwise NOT?) and uses 0x40 as the ASCII-alphabet offset o.O (there are rumors that some people like obscurity a lot!). The original/decoded string of the first part is using unicode character encoding (i.e. according to hashcat it just uses a NUL-byte every 2nd byte, lol. Remember doing unicode correctly on GPU is hard/inefficient ), that's why also the encoded form of it has a very noticeable pattern. A full encoding example for 2 bytes (unicode) goes like this (for instance if the raw data starts with an "h" - ASCII: 0x6800 - like in "https://"):


btw: this encoding also is very easy to understand by just changing a single input byte with the RoboForm software (this first part of the file contains the URLs, so by changing one character of the URL you can see which and how the output bytes change). You will immediately notice that there is this kind of mapping between the input byte code and the output byte code (a 1:1 mapping).
It's not exactly the same as a base64 encoding because here we always make 3 bytes out of every 2 bytes (the ratio for base64 is 4:3), but it is similar enough with the 6 bits (64 possibilities) to easily recognize this strange encoding.

Anyway, to recover the protected data or the master password, only the third part of the file is needed.

Of course I have some sample data of each step if somebody is interested, but I think with the details I've discovered and I've mentioned above it should be pretty easy to decrypt your own test .rpf files. Feel free to PM me if you need more details/examples.

Both password recovery and data recovery (in case of corrupted file systems etc) should be pretty easy. The most important thing you need to have if it comes to file corruption is the initialization vector (if this part is missing, you would have a hard time brute-forcing the random 8 bytes ), otherwise the bytes should be easy to recover if you know the password (you could even attack the password part and the CTR counter, i.e. the number of the 16-byte block we are currently trying to decrypt... normally this number is also known!, ... used by the AES decryption algorithm if the data is heavily corrupted, but the 8 byte IV should be known, otherwise you won't easily recover the data).

What can we learn from all this? Probably not too much. Maybe just how easy it is to find out these "secrets"/formats/schemes and that it's most of the time counter-intuitive to roll your own schemes/formats/crypto etc (do not try to hide something and do not try to be more clever, it doesn't make sense because it is too easy to figure out what is going on. I'm assuming that the main reason for this weird format was to make it difficult for the users and alternative password managers to figure out what is going on, but I could be wrong). I'm also not too convinced that part of the key (2 bytes) should be stored within the file and that the iterations should be limited to 1000 and that they are not configurable (I didn't check if the browser extension or if other products of RoboForm use a different key derivation function with more secure/configurable parameters).

Just to be very clear: this is not really a vulnerability and this also doesn't imply that there is some major security risk, because the thousands of iterations of pbkdf2-hmac-sha1 still make a file decryption without knowing the password hard (if your master password is not easily guessable/crackable).