KeePass
MITRE ATT&CK™ Credentials from Password Stores: Password Managers - Technique T1555.005
Password managers generate and securely store passwords of various services, safeguarding them under a single master password. This master password serves as the key to access all the stored passwords within the password manager.
Examples of Password Manager applications:
Third-party: KeePass, 1Password, LastPass
However, misconfigurations and security flaws in these applications can let an attacker access the stored data. Various tools can be used during the enumeration stage to retrieve sensitive data from password managers used by Internet browsers and desktop applications.
(Python) can be used to remotely identify hosts that run KeePass in a target environment.
(Python) can also be used to remotely check whether KeePass is installed in the target environment.
We can modify the KeePass.config.xml file to create malicious triggers that automatically export database entries to accessible locations.
First, perform a process dump of the running KeePass process.
Retrieve the process dump as well as the .KDBX file containing the encrypted database (e.g. through SMB).
Once the injection is performed, you will see debug messages being printed in a MessageBox (which should obviously be removed when used in a real penetration testing scenario). The exported database can then be found in the current user's %APPDATA% (chosen by default, as KeePass is sure to have write access there). The exported XML file can later be imported into any KeePass database without being asked for a password.
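A defensive counterpart to the trigger abuse described above, added here as an example that is not part of the original page: a Python audit that parses a KeePass.config.xml, lists every configured trigger, and flags those whose action parameters name a file path, UNC share, URL or export format. The sample configuration and the TypeGuid placeholder values are constructed for the example and are not KeePass's real event/action identifiers.

```python
import re
import xml.etree.ElementTree as ET

# An exporting trigger has to name a destination and an export format; parameters
# that look like a local path, UNC share, URL or export-format name are flagged.
SUSPICIOUS = re.compile(
    r"\\\\[^\\]+\\|[A-Za-z]:\\|https?://|\.(?:xml|csv|html?|txt)\b|keepass (?:xml|csv)",
    re.I,
)

def audit_triggers(config_xml: str) -> list[dict]:
    """Return one record per <Trigger> found in a KeePass.config.xml document.

    Most installations have no triggers at all, so any record deserves a look;
    records with suspicious=True carry an action parameter that points at a
    file, share or URL, which is what an export-to-disk trigger needs."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.iter("Trigger"):
        params = [p.text or "" for p in trig.findall("./Actions/Action/Parameters/Parameter")]
        params = [p for p in params if p]  # drop empty <Parameter /> slots
        findings.append({
            "name": trig.findtext("Name", default=""),
            "enabled": trig.findtext("Enabled", default="true").lower() == "true",
            "events": [e.text for e in trig.findall("./Events/Event/TypeGuid")],
            "actions": [a.text for a in trig.findall("./Actions/Action/TypeGuid")],
            "parameters": params,
            "suspicious": any(SUSPICIOUS.search(p) for p in params),
        })
    return findings

# Constructed sample mirroring the layout of KeePass.config.xml; the TypeGuid
# values are placeholders, not KeePass's real event/action identifiers.
SAMPLE_CONFIG = r"""<Configuration>
  <TriggerSystem><Enabled>true</Enabled><Triggers>
    <Trigger><Guid>PLACEHOLDER-GUID-1</Guid><Name>exfil</Name><Enabled>true</Enabled>
      <Events><Event><TypeGuid>EVENT-TYPEGUID-PLACEHOLDER</TypeGuid>
        <Parameters><Parameter>0</Parameter><Parameter /></Parameters></Event></Events>
      <Conditions />
      <Actions><Action><TypeGuid>ACTION-TYPEGUID-PLACEHOLDER</TypeGuid>
        <Parameters><Parameter>C:\Users\Public\db.xml</Parameter>
        <Parameter>KeePass XML (2.x)</Parameter><Parameter /></Parameters></Action></Actions>
    </Trigger>
    <Trigger><Guid>PLACEHOLDER-GUID-2</Guid><Name>lock</Name><Enabled>true</Enabled>
      <Events><Event><TypeGuid>EVENT-TYPEGUID-PLACEHOLDER</TypeGuid><Parameters /></Event></Events>
      <Conditions /><Actions><Action><TypeGuid>ACTION-TYPEGUID-PLACEHOLDER</TypeGuid>
        <Parameters><Parameter /></Parameters></Action></Actions>
    </Trigger>
  </Triggers></TriggerSystem>
</Configuration>"""

if __name__ == "__main__":
    for rec in audit_triggers(SAMPLE_CONFIG):
        flag = "SUSPICIOUS" if rec["suspicious"] else "review"
        print(f"[{flag}] trigger {rec['name']!r} enabled={rec['enabled']} params={rec['parameters']}")
```

Run it against the real file (under %APPDATA%\KeePass\ for a per-user install) and compare the output with a known-good baseline; a trigger nobody configured is the finding, whatever its parameters look like.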
KeePass features a plugin mechanism which can be abused to load malicious DLLs into the KeePass process, allowing attackers with administrator rights to easily export the database (see: ).
(Python) can be used to abuse this KeePass Plugin feature, exporting the database in cleartext.
By compiling the project and copying the DLL into the plugins directory (located at the KeePass root, namely "C:\Program Files\KeePass Password Safe 2\Plugins" for a global install), we can abuse the KeePass plugin feature.
This KeePass Trigger Abuse, identified as only affects KeePass versions 2.53 and earlier.
(Python) can be used to remotely check whether KeePass is installed on the target computer, then steal the master password through a KeePass trigger and decrypt the database.
(Python) can also be used to remotely abuse KeePass trigger in order to export the database in cleartext.
Once we exfiltrate the database to our attacking computer, we can start by using and save the output as a crackable hash.
Then, we may crack the master password using hashcat. See for more details about cracking passwords.
Now, we can open the database using and dump the passwords.
As described by , it is possible to retrieve the database's master password from memory.
This KeePass abuse, identified as only affects KeePass versions prior to 2.54.
(Python) can then be used to search for potential master password candidates in dumps. Because the resulting strings will (by design) be incomplete, the module can also be used to bruteforce the missing first character against a specified KDBX file.
can then be used to search for composite key-like strings from a KeePassXC process dump.
is a standalone DLL that exports databases in cleartext once injected in the KeePass process.
After compiling the DLL, we may use to convert it to a shellcode and use it with any injection technique.