Skip to content

forensicmike/lastpass-vault-parser

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

LastPass Vault Parser

WARNING:
Only use this script on a trusted / secure computer!
This script does NOT follow secure coding practices, and is NOT meant to withstand ANY kind of attacks.
Do NOT use this script if you're paranoid.


This script exports your LastPass vault's content into several CSV files. It exports far more information than LastPass's built-in export function.

Depending on the availability of relevant data in your vault, the following CSV files will be exported:

  • Sites_and_SecureNotes.csv
  • SitesFormFields.csv - The complete version. Abridged form fields are already included in Sites_and_SecureNotes.csv.
  • FormFills.csv
  • Applications.csv - Only exist if you've ever used LastPass for Applications.
  • ApplicationsFields.csv - Only exist if you've ever used LastPass for Applications.
  • Attachments.csv - Meta data only. Actual attachments are not available in the vault file.
  • EquivalentDomains.csv
  • UrlRules.csv

Dependencies

To use the Python script directly:

  • Python 3.6+
  • package cryptography
    run pip install cryptography to install

To use the Windows binary (download on the releases page)

  • on Windows 7/8/8.1: Windows update KB2999226 (should have already be installed on an up-to-date system)
  • on Windows 10: None.

How-to

Download lpparser (.py or .exe), and run it directly. It will prompt you to enter the path of your vault file, path of the output directory, LastPass account e-mail, (potentially) password iterations, and master password. lpparser works 100% locally and makes absolutely no use of Internet connections.

Ideally, the output directory should be a new or empty directory residing on an encrypted drive or a RAM disk. Sensitive data should never be saved on disk unencrypted.

You may opt to not enter your master password. Then any encrypted data would be exported in the format of
!<initialization-vector-b64encoded>|<AES-CBC-encrypted-blob-b64encoded>, or
<AES-ECB-encrypted-blob-b64encoded>

It should look something like
!ztYeRZRUvd/nRq9IuNn8ug==|G7ikJAmh/maa+PR3sQg+NL8ixNR0LKr73/xfKU6wV6Q=, or
F3TQMseR/by+2fMJmgIJjjF+2QLmWXsHLeO4Z3Fd5OY=

LastPass does not encrypt everything in your vault. By not entering your master password, you can see what is unencrypted, and make sure no private data is unintentionally leaked.

What is "vault file" and how do I find/get it?

Option 1: Chrome extension database (Recommended)

Use the LastPass extension for Chrome, and the extension database file is your vault file. See this LastPass FAQ on locating your Chrome extension database.

Option 2: Browser network log

  1. Open LastPass login page in your browser
  2. Press F12 to open Developer Tools
  3. Select the "Network" tab in Developer Tools
  4. Start recording network log (if not already started)
  5. Log into LastPass through the login page as you normally do
  6. Once logged into LastPass, search for "getaccts.php" in the network log, and open this logged event
  7. Select the "Response" tab of the logged event, you should see a very long string of random-looking characters.
  8. Copy and save this string in a file, which is your vault file.

Option 3: LastPass's built-in encrypted export (NOT recommended)

Use any binary installation of LastPass (extension with binary component, LastPass Pocket, etc.) to export an encrypted copy of your vault, which is your vault file.

LastPass's built-in encrypted export contains more information than the plaintext CSV export, but still significantly less information than the first two options. The exported vault format is also slightly different, hence there may be minor parsing errors.

What is my password iterations?

Typically, you're only asked to manually enter your password iterations when your vault file is obtained via Option 2. In this case, you can check your password iterations by searching for "iterations.php" in the same network log.

Alternatively, you can check it via the normal LastPass web interface:
Account Settings -> General -> Show Advanced Settings -> Security -> Password Iterations

Occasionally, if your vault file is obtained via Option 1, the password iterations included with the vault file may be incorrect. You can override this incorrect value manually by using the command line option --iterations #.

LastPass Vault Format

An (incomplete) unofficial description of the LastPass vault format is included in the repository so people can more easily parse their own vault without third party tools. It can be found here or in the Wiki.

About

Parse your LastPass vault and export to CSV files

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 100.0%