A python script to help red teamers discover KeePass instances and extract secrets.

Features & Roadmap

KeePwn is still in early development and not fully tested yet : please use it with caution and always try it in a lab before (legally) attacking real-life targets!

• KeePass Discovery
  • Accept multiple target sources (IP, range, hostname, file)
  • Automatically look for KeePass global installation files via SMB C$ share.
  • Automatically look for KeePass portable via SMB C$ share.
  • Automatically check for running KeePass process through Impacket-based command execution.
  • Multi-thread implementation to avoid bottleneck hosts.
  • Automatically check for KeePass binary's metadata (version, last access time).
• KeePass Plugin Abuse
  • Automatically upload a plugin (DLL or PFX format) to extract passwords, see KeeFarce Reborn.
  • Automatically poll for cleartext exports on the remote host.
• KeePass Trigger Abuse
  • Add and remove triggers from KeePass configuration file via SMB C$ share.
  • Automatically poll for cleartext exports on the remote host.
  • Customize triggers with command line arguments.
• KeePass Dump Parsing (CVE-2023-32784)
  • Parse memory dumps to find master password candidates.
  • Bruteforce missing characters with the most common unicode characters.
• KeePass Database Cracking
  • Convert KDBX to John and Hashcat compatible formats.
  • Add support for KDBX 4.x format.
• Authentication
  • Support LM/NT hash authentication.
  • Support Kerberos Authentication.
• Miscellaneous
  • Write unit tests.
  • Make the project available on PyPI .

Installation

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
sudo python3 setup.py install
KeePwn --help

Or if you don't want to install but just run :

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
python3 -m pip install -r requirements.txt
python3 KeePwn.py --help

Usage

Discovery

KeePwn's search module is used to identify hosts that run KeePass on your target environment.

It makes use of the built-in C$ share to look for KeePass-related files in default locations, hence requiring administrator privileges on the targets.

Note that for the moment, it only searches for the global KeePass.exe binary (in Program Files) and the local KeePass.config.xml (in %APPDATA%). Future release should include KeePass local installation paths (for example: on a user's Dekstop) as well as Windows Store installation.

Plugin Abuse

KeePass features a plugin framework which can be abused to load malicious DLLs into KeePass process, allowing attackers with administrator rights to easily export the database (see: KeeFarceRebornPlugin).

KeePwn's plugin module allows to :

• List currently installed plugins

  

• Add and remove your malicious plugins

  

• Poll %APPDATA% for exports and automatically moves it from remote host to local filesystem

  

These actions are made through SMB C$ share access, limiting AV/EDR detection as no command execution is performed.

Trigger Abuse

As described in @harmj0y's blog post (and later CVE-2023-24055), KeePass trigger system can be abused in order to export the database in cleartext.

KeePwn's trigger module allows to :

• Check if a malicious trigger named "export" is currently written in KeePass configuration

  

• Add and remove a malicious trigger named "export" which performs a cleartext export of the database in %APPDATA% on next KeePass launch

  

• Poll %APPDATA% for exports and automatically moves it from remote host to local filesystem

  

If the configuration file path is not the default location, you can specify one with --config-path argument.

Memory Dumps Parsing

As described by @vdohney, it is possible to retrieve the database's master password in memory (CVE-2023-32784, affecting versions prior to KeePass 2.54).

KeePwn parse_dump module will search for potential master password candidates in dumps. Because the resulting strings will (by design) be incomplete, the module can also be used to bruteforce the missing first character against a specified KDBX file.

The memory dump parsing makes use of @CMEPW's Python PoC. Thanks for letting me re-use the code :)

Cracking KDBX Databases

keepass2john.py script by @harmjoy was ported to KeePwn with the help of @0xSp3ctra.

KeePwn convert will extract a crackable hash (john or hashcat format) from a KeePass Database.

It can be used with more arguments to specify the expected hash type as well as an output file path:

KDBX 4.x is not yet supported, you may use https://github.com/r3nt0n/keepass4brute. If you are in the mood for a PR https://palant.info/2023/03/29/documenting-keepass-kdbx4-file-format should be a good read :)

Contribute

Pull requests are welcome (see: Roadpmap + TODO in code).

Feel free to open an issue or DM me on Twitter to suggest improvement.