So a while ago I read that Wizard Spider / Conti had an option for KeePass in their cracking station. So they must be able to extract the hash of the master password from the desktop version and brute-force it.
I imagine something similar is doable for all other password managers as well? Is the only way to get around this to only use the browser plugin / website?
Or are other password managers, such as Bitwarden, MORE resistant towards this attack?
Not really, unless you take precautions. Bitwarden stores the Master Key Hash and the Protected Symmetric Key in the encrypted vault, a local copy of which is saved in persistent local storage (e.g., on your computer's hard drive) for as long as you are logged in to your vault. All it takes is to open the vault file (typically called data.json) that can be found in your local storage directory, and search for the string
And, yes, hashcat has a tool that automates the process of finding and extracting the Master Key Hash and formatting this information for automated brute-force cracking.
Your only defenses are to log out of your vault, which deletes the locally stored copy of the vault (unless you are using the Chrome browser extension, which still has a bug that prevents purging of local storage!), and to ensure that you have a strong master password that cannot be cracked using available computing hardware.
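As an added illustration (not part of either post above) of the cost argument behind the "strong master password" advice: the script below estimates how long exhausting a password keyspace would take at a given guess rate, and how a slower key derivation changes that rate. It assumes a PBKDF2-HMAC-SHA256 derivation with a constructed iteration count and constructed password policies; none of these values come from the thread or from Bitwarden's documentation.

```python
import hashlib
import math
import os
import time

# Constructed parameter: stands in for the master-password KDF work factor.
# The thread does not state the algorithm or iteration count used by any product.
KDF_ITERATIONS = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def measure_guess_rate(iterations=KDF_ITERATIONS, samples=10):
    """Time `samples` KDF evaluations on this machine (single core, CPU).
    Returns guesses per second; a GPU rig will be orders of magnitude faster."""
    salt = os.urandom(16)  # constructed salt, content irrelevant for timing
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"candidate-{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


def scale_guess_rate(rate, iterations_from, iterations_to):
    """PBKDF2 cost is linear in iterations: raising the work factor lowers
    the attacker's guess rate proportionally."""
    return rate * iterations_from / iterations_to


def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def crack_time_table(guesses_per_second, policies):
    """Return (name, bits, expected years) for each (name, length, alphabet) policy."""
    rows = []
    for name, length, alphabet in policies:
        bits = password_entropy_bits(length, alphabet)
        years = expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR
        rows.append((name, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    # Constructed policies: 8 digits, 10 mixed printable chars, 4 and 6 diceware words.
    POLICIES = [("8 digits", 8, 10), ("10 printable", 10, 95),
                ("4 diceware words", 4, 7776), ("6 diceware words", 6, 7776)]
    cpu_rate = measure_guess_rate()
    # Constructed assumption: a GPU cluster 100,000x faster than this one CPU core.
    for name, bits, years in crack_time_table(cpu_rate * 100_000, POLICIES):
        print(f"{name:18s} {bits:6.1f} bits  ~{years:.3g} years expected")
```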