KeePass
MITRE ATT&CK™ Credentials from Password Stores: Password Managers - Technique T1555.005
Theory
Password managers generate and securely store passwords of various services, safeguarding them under a single master password. This master password serves as the key to access all the stored passwords within the password manager.
Examples of Password Manager applications:
Third-party: KeePass, 1Password, LastPass
However, misconfigurations and security flaws in these applications can let us access the stored data. Various tools can be used during the enumeration stage to extract sensitive data from password managers, whether browser-integrated or desktop applications.
Practice
Enumeration
KeePwn (Python) can be used to remotely identify hosts that run KeePass in a target environment.
# Search by files
python3 KeePwn.py search -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -tf ./targets.txt
# Search by processes + csv output
python3 KeePwn.py search -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -tf ./targets.txt --threads 4 --get-process --found-only --output keepwn_out.csv
NetExec (Python) can also be used to remotely check whether KeePass is installed in the target environment.
nxc smb <TARGETS> -u <ADMIN_ACCOUNT> -p <PASSWORD> -M keepass_discover
KeePass Plugin Abuse
KeePass features a plugin framework which can be abused to load malicious DLLs into the KeePass process, allowing attackers with administrator rights to easily export the database (see: KeeFarceRebornPlugin).
KeePwn (Python) can be used to abuse this KeePass plugin feature, exporting the database in cleartext.
By compiling the KeeFarceRebornPlugin project and copying the DLL into the plugins directory (located at the KeePass root, namely "C:\Program Files\KeePass Password Safe 2\Plugins" for a global install), we can abuse the KeePass plugin framework.
Export the database using malicious plugin:
Export the database by hijacking a legitimate plugin DLL (requires an existing plugin in use):
KeePass Trigger Abuse - CVE-2023-24055
We can modify the KeePass.config.xml file to create malicious triggers that automatically export database entries to accessible locations.
This KeePass Trigger Abuse, identified as CVE-2023-24055, only affects KeePass versions 2.53 and earlier.
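From the defender's side, the trigger abuse above leaves a footprint in KeePass.config.xml itself. The following Python script, an added example and not one of the tools this page covers, audits a config for trigger definitions and flags action parameters that point at UNC paths, URLs or export-style files. The element layout of the constructed sample (Application/TriggerSystem/Triggers/Trigger with Events and Actions holding TypeGuid and Parameters) is assumed from KeePass 2.x config files, and the GUID values are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config. The element layout (Application/TriggerSystem/Triggers/Trigger,
# each holding Events and Actions with TypeGuid + Parameters) is assumed from KeePass 2.x
# config files; the GUID values are placeholders, not real KeePass type identifiers.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>Sync</Name>
          <Events><Event><TypeGuid>EVENT-GUID-PLACEHOLDER</TypeGuid><Parameters /></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>ACTION-GUID-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>\\\\fileserver\\share\\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Parameter values worth a second look: UNC paths, URLs, or export-style file names.
SUSPICIOUS = re.compile(r"^\\\\|^https?://|\.(xml|csv)$", re.IGNORECASE)

def audit_triggers(xml_text):
    """Return one finding per trigger: its name, action count, and flagged parameters."""
    root = ET.fromstring(xml_text)
    findings = []
    for trig in root.iter("Trigger"):
        params = [p.text or "" for p in trig.iter("Parameter")]
        findings.append({
            "name": trig.findtext("Name", default=""),
            "actions": len(trig.findall("Actions/Action")),
            "flagged": [p for p in params if SUSPICIOUS.search(p)],
        })
    return findings

def trigger_system_enabled(xml_text):
    """True when the trigger system is switched on (the KeePass default)."""
    return ET.fromstring(xml_text).findtext(".//TriggerSystem/Enabled", default="true").strip().lower() == "true"
```

Run it against the real config (typically %APPDATA%\KeePass\KeePass.config.xml for a per-user install) and treat any trigger on a host whose users never configured one as something to investigate.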
Cracking KDBX Database Master Password
Cracking Master Password - Manually
If we gain access to the KeePass database, we may be able to extract it and crack the master password.
The KeePass database is stored as a .kdbx file; we can search for such files using the following commands:
Once we have exfiltrated the database to our attacking machine, we can start by running keepass2john and saving its output as a crackable hash.
Then, we may crack the master password using hashcat. See this page for more details about cracking passwords.
Now, we can open the database using kpcli and dump the passwords.
Extract Passphrase from Memory - CVE-2023-32784
As described by @vdohney, it is possible to retrieve the database's master password from memory.
This KeePass abuse, identified as CVE-2023-32784, only affects KeePass versions prior to 2.54.
First, perform a process dump of the running KeePass.
Retrieve the process dump as well as the .KDBX containing the encrypted database (e.g. through SMB).
KeePwn (Python) can then be used to search for potential master password candidates in dumps. Because the resulting strings will (by design) be incomplete, the module can also be used to bruteforce the missing first character against a specified KDBX file.
KeePassXC is also subject to such exploits.
First, perform a process dump of the running KeePassXC.
Retrieve the process dump as well as the .KDBX containing the encrypted database (e.g. through SMB).
KeePass-the-Hash can then be used to search for composite key-like strings from a KeePassXC process dump.
KeePass DLL Injection
KeeFarceReborn is a standalone DLL that exports databases in cleartext once injected in the KeePass process.
After compiling the DLL, we may use Donut to convert it to a shellcode and use it with any injection technique.
Post-injection steps
Once the injection is performed, you will see debug messages printed in a MessageBox (which should obviously be removed when used in a real penetration testing scenario); then find the exported database in the current user's %APPDATA% (chosen by default, as KeePass is sure to have write access there). The exported XML file can later be imported into any KeePass database without a password being asked for.