We see a lot of KeePass usage while on engagements. In the corporate environments we operate in, it appears to be the most common password manager used by system administrators. We love to grab admins’ KeePass databases and run wild, but this is easier said than done in some situations, especially when key files (or Windows user accounts) are used in conjunction with passwords. This post will walk through a hypothetical case study in attacking a KeePass instance that reflects implementations we’ve encountered in the wild.
First Steps
In theory I only needed to memorize keepass master password, and which case I did, not only that but I wrote it in a piece of paper and stored in my document drawer. Since I was using both of them everyday, I could not ever forget keepass ( constantly adding new passwords to the database) and lastpass master passwd (prompted whenever browser/pc. KeePass Crack 2.37 With Hack Free Download Mac + Win KeePass Crack – KeePass Hack is a good and free open source password manager, which helps you to manage your passwords in a fully secure way. The user easily puts all your passwords in one place, which is locked with one master key.
It would not be very difficult to develop a program for the purpose of cracking the KeePass master password, even if you're a not-very-talented C programmer. Such a program could unlock a database protected by a weak master password and a known keyfile, but would be ineffective against a strong master password or an unknown keyfile. KeePass Password Safe is a different animal in the password managers’ universe. Although many tools are free, KeePass is also a completely open-source based password manager. This has several implications that are pretty important in deciding whether this is the right tool for you. Atrex pos inventory software crack load. Aperture free trial mac. KeePass is not a flashy, easy-to-use software.
First things first: you need a way to determine if KeePass is running, and ideally what the version is. The easiest way to gather this information is a simple process listing, through something like Cobalt Strike or PowerShell:
Now it helps to know where the Keepass binary is actually located. By default the binary is located in C:Program Files (x86)KeePass Password Safefor KeePass 1.X and C:Program Files (x86)KeePass Password Safe 2 for version 2.X, but there’s also a portable version that can be launched without an install. Luckily we can use WMI here, querying for win32_processes and extracting out the ExecutablePath:
Get-WmiObjectwin32_process|Where-Object{$_.Name-like‘*kee*’}|Select-Object-ExpandExecutablePath |
If KeePass isn’t running, we can use PowerShell’s Get-ChildItem cmdlet to search for the binary as well as any .kdb[x] databases:
Get-ChildItem-PathC:Users-Include@(“*kee*.exe”,“*.kdb*”)-Recurse-ErrorActionSilentlyContinue|Select-Object-ExpandFullName|fl |
Attacking the KeePass Database
We’ll sometimes grab the KeePass binary itself (to verify its version) as well as any .kdb (version 1.X) or .kdbx (version 2.X) databases. If the version is 2.28, 2.29, or 2.30 and the database is unlocked, you can use denandz‘ KeeFarce project to extract passwords from memory; however, this attack involves dropping multiple files to disk (some of which are now flagged by antivirus). You could also try rolling your own version to get by the AV present on the system or disabling AV entirely (which we don’t really recommend). I’m not aware of a memory-only option at this point.
We generally take a simpler approach- start a keylogger, kill the KeePass process, and wait for the user to input their unlock password. We may also just leave the keylogger going and wait for the user to unlock KeePass at the beginning of the day. While it’s possible for a user to set the ‘Enter master key on secure desktop’ setting which claims to prevent keylogging, according to KeePass this option “is turned off by default for compatibility reasons“. KeePass 2.X can also be configured to use the Windows user account for authentication in combination with a password and/or keyfile (more on this in the DPAPI section).
If you need to crack the password for a KeePass database, HashCat 3.0.0 (released 6/29/16) now includes support for KeePass 1.X and 2.X databases (-m 13400). As @Fist0ursdetails, you can extract a HashCat-compatible hash from a KeePass database using the keepass2john tool from the John The Ripper suite, which was written by Dhiru Kholia and released under the GPL. Here’s what the output looks like for a default KeePass 2.X database with the password of ‘password’:
This worked great, but I generally prefer a more portable solution in Python for these types of hash extractors. I coded up a quick-and-dirty Python port of Dhiru’s code on a Gist here (it still needs more testing and keyfile integration).
Here’s the output for the same default database:
KeePass.config.xml
More savvy admins will use a keyfile as well as a password to unlock their KeePass databases. Some will name this file conspicuously and store in My Documents/Desktop, but other times it’s not as obvious.
Luckily for us, KeePass nicely outlines all the possible configuration file locations for 1.X and 2.xhere. Let’s take a look at what a sample 2.X KeePass.config.xml configuration looks like (located at C:UsersuserAppDataRoamingKeePassKeePass.config.xml or in the same folder as a portable KeePass binary):
The XML config nicely tells us exactly where the keyfile is located. If the admin is using their “Windows User Account” to derive the master password (<UserAccount>true</UserAccount> under <KeySources>) see the DPAPI section below. If they are even more savvy and store the key file on a USB drive not persistently mounted to the system, check out the Nabbing Keyfiles with WMI section.
DPAPI
Setting ‘UserAccount’ set to true in a KeePass.config.xml Carrefour home hlf1005w 11 manual. means that the master password for the database includes the ‘Windows User Account’ option. KeePass will mix an element of the user’s current Windows user account in with any specific password and/or keyfile to create acomposite master key. If this option is set and all you grab is a keylogged password and/or keyfile, it might seem that you’re still out of luck. Or are you?
In order to use a ‘Windows User Account’ for a composite key in a reasonably secure manner, KeePass takes advantage of the Windows Data Protection Application Programming Interface(DPAPI). This interface provides a number of simple cryptographic calls (CryptProtectData()/CryptUnProtectData()) that allow for easy encryption/decryption of sensitive DPAPI data “blobs”. User information (including their password) is used to encrypt a user ‘master key’ (located at %APPDATA%MicrosoftProtect<SID>) that’s then used with optional entropy to encrypt/decrypt application-specific blobs. The code and entropy used by KeePass for these calls is outlined in the KeePass source and the KeePass specific DPAPI blob is kept at%APPDATA%KeePassProtectedUserKey.bin.
Fortunately, recovering a KeePass composite master key with a Windows account mixin is a problem several people have encountered before. The KeePass wiki even has a nice writeup on the recovery process:
- Copy the target user account DPAPI master key folder from C:Users<USER>AppDataRoamingMicrosoftProtect<SID> . The folder name will be a SID (S-1-…) pattern and contain a hidden Preferred file and master key file with a GUID naming scheme.
- Copy C:Users<USER>AppDataRoamingKeePassProtectedUserKey.bin . This is the protected KeePass DPAPI blob used to create the composite master key.
- Take note of the username and userdomain of the user who created the KeePass database as well as their plaintext password.
- Move the <SID> folder to %APPDATA%MicrosoftProtect on an attacker controlled Windows machine (this can be non-domain joined).
- Set a series of registry keys under HKCU:SOFTWAREMicrosoftWindows NTCurrentVersionDPAPIMigratedUsers , including the old user’s SID, username, and domain. The KeePass wiki has a registry template for this here.
- Run C:Windowssystem32dpapimig.exe, the “Protected Content Migration” utility, entering the old user’s password when prompted.
- Open KeePass 2.X, select the stolen database.kdbx, enter the password/keyfile, and check “Windows User Account” to open the database.
The Restore-UserDPAPI.ps1 PowerShell Gist will automate this process, given the copied SID folder with the user’s master key, original username/userdomain, and KeePass ProtectedUserKey.bin :
If you’re interested, more information on DPAPI is available in @dfirfpi‘s 2014 SANS presentationand post on the subject. Jean-Michel Picod and Elie Bursztein presented research on DPAPI and its implementation in their “Reversing DPAPI and Stealing Windows Secrets Offline” 2010 BlackHat talk. The dpapick project (recently updated) allows for decryption of encrypted DPAPI blobs using recovered master key information. Benjamin Delpy has also done a lot ofphenomenal work in this area, but we still need to take the proper deep dive into his code that it deserves. We’re hoping we can use Mimikatz to extract the DPAPI key and other necessary data from a host in one swoop, but we haven’t worked out that process yet. Apple keyboard vs. hhkb lite 2 for mac.
[Edit 7/1/16]Tal Be’ery also alerted me to @ItaiGrady‘s great talk, “Protecting browsers’ secrets in a domain environment” (slides here and video here).
Nabbing Keyfiles with WMI
Matt Graeber gave a great presentation at BlackHat 2015 titled “Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor” (slides hereand whitepaper here). He released the PoC WMI_Backdoor code on GitHub.
One of the WMI events Matt describes is the extrinsic Win32_VolumeChangeEvent which fires every time a USB drive is inserted and mounted. The ‘InfectDrive’ ActiveScriptEventConsumer in Matt’s PoC code shows how to interact with a mounted drive letter with VBScript. We can take this approach to clone off the admin’s keyfile whenever his/her USB is plugged in.
We have two options, one that persists between reboots and one that runs until the powershell.exe process exits. For the non-reboot persistent option, we can use Register-WmiEvent and Win32_VolumeChangeEvent to trigger a file copy action for the known key path:
Register-WmiEvent-Query‘SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2’-SourceIdentifier‘DriveInserted’-Action{$DriveLetter=$EventArgs.NewEvent.DriveName;if(Test-Path“$DriveLetterkey.jpg”){Copy-Item“$DriveLetterkey.jpg”“C:Temp”-Force}} |
This trigger will clone the target file into C:Temp whenever the drive is inserted. You can also register to monitor for events on remote computers (assuming you have the appropriate permissions) with -ComputerName and an optional -Credential argument.
Wii wad torrent. For reboot persistence we can easily add a new action to the New-WMIBackdoorAction function in Matt’s WMI_Backdoor code:
2 4 6 8 10 12 14 16 18 20 | $VBScript=@” Set oFSO = CreateObject(“Scripting.FileSystemObject”) sFilePath = TargetEvent.DriveName & “key.jpg” If oFSO.FileExists(sFilePath) Then “@ if($ActionName){ }else{ } |
We can then register the trigger and action for the backdoor with:
Register-WMIBackdoor-Trigger$(New-WMIBackdoorTrigger-DriveInsertion)-Action$(New-WMIBackdoorAction-FileClone) |
Cleanup takes a few more commands:
2 | Get-WmiObject-Namespace“rootsubscription”-Class“__FilterToConsumerBinding”|Where-Object{$_.Filter-like“*DriveInsertionTrigger*”}|Remove-WmiObject Get-WmiObject-Namespace“rootsubscription”-Class“__EventFilter”|Where-Object{$_.Name-eq“DriveInsertionTrigger”}|Remove-WmiObject Get-WmiObject-Namespace“rootsubscription”-Class‘ActiveScriptEventConsumer’|Where-Object{$_.Name-eq“FileClone”}|Remove-WmiObject |
Big thanks to Matt for answering my questions in this area and pointing me in the right direction.
Keyfiles on Network Mounted Drives
Occasionally users will store their keyfiles on network-mounted drives. PowerView’s new Get-RegistryMountedDrive function lets you enumerate network mounted drives for all users on a local or remote machine, making it easier to figure out exactly where a keyfile is located:
Wrapup
Cracking Keepass Password Safe Database Free
Using KeePass (or another password database solution) is significantly better than storing everything in passwords.xls, but once an attacker has administrative rights on a machine it’s nearly impossible to stop them from grabbing the information they want from the target. With a few PowerShell one-liners and some WMI, we can quickly enumerate KeePass configurations and set monitors to grab necessary key files. This is just scratching the surface of what can be done with WMI- it would be easy to add functionality that enumerates/exfiltrates any interesting files present on USB drives as they’re inserted.
KeePass Password Safe2.34 details
- Version: 2.34
- File size: 2970 MB
- File name: download
- Last update:
- Platform:Windows All
- Language: Arabic, Bulgarian, Chinese, ChineseTraditional, ChineseSimplified, Danish, German, English, Estonian, Finnish
- License: GPL
- Company: Dominik Reichl (View more)
KeePass Password Safe Publisher Review:
KeePass is an open source password manager. Passwords can be stored in highly-encrypted databases, which can only be unlocked with one master password and/or a key file.
KeePass is a free, open source, light-weight and easy-to-use password manager for Windows and mobile devices. You can store your passwords in highly-encrypted databases, which can only be unlocked with one master password and/or a key file.
A database consists of only one file that can be transferred from one computer to another easily. The program supports password groups, in which you can sort your passwords into.
You can drag-n-drop passwords into almost any other window. The auto-type feature types your login information into other windows automatically (just press a hot key). Fast copying passwords or user names to the Windows clipboard is possible by just double-clicking on the specific field in the password list.
KeePass can import data from various formats like CSV, CodeWallet TXT and CounterPanes PwSafe. The password list can be exported to various formats (including TXT, HTML, XML and CSV files). The password list can of course also be printed (complete database or only current view).
Searching and sorting the password database is possible.
KeePass ships with a strong random password generator (you can define the possible output characters, length, etc.).
The program can be translated into other languages very easily (over 34 languages are available). It has a plugin framework; many plugins provide additional functionality like backup features, network features, .; they are available from the KeePass website.
Whats new in version 2.34:
New Features:
• The estimated password quality (in bits) is now displayed on the quality progress bar, and right of the quality progress bar the length of the password is displayed.
• Auto-Type: before sending a character using a key combination involving at least two modifiers, KeePass now first tests whether this key combination is a registered system-wide hot key, and, if so, tries to send the character as a Unicode packet instead.
• Auto-Type: added workaround for Cygwin's default Ctrl+Alt behavior (which differs from Windows' behavior).
• Auto-Type: added {APPACTIVATE .} command.
• {HMACOTP} placeholder: added support for specifying the shared secret using the entry strings 'HmacOtp-Secret-Hex' (secret as hex string), 'HmacOtp-Secret-Base32' (secret as Base32 string) and 'HmacOtp-Secret-Base64' (secret as Base64 string).
• {T-CONV:.} placeholder: added 'Uri-Dec' type (for converting the string to its URI-unescaped representation).
• Added placeholders: {URL:USE.
Operating system:
Windows All
Release notes:
Major Update
KeePass is a free, open source, light-weight and easy-to-use password manager for Windows and mobile devices. You can store your passwords in highly-encrypted databases, which can only be unlocked with one master password and/or a key file.
A database consists of only one file that can be transferred from one computer to another easily. The program supports password groups, in which you can sort your passwords into.
You can drag-n-drop passwords into almost any other window. The auto-type feature types your login information into other windows automatically (just press a hot key). Fast copying passwords or user names to the Windows clipboard is possible by just double-clicking on the specific field in the password list.
KeePass can import data from various formats like CSV, CodeWallet TXT and CounterPanes PwSafe. The password list can be exported to various formats (including TXT, HTML, XML and CSV files). The password list can of course also be printed (complete database or only current view).
Searching and sorting the password database is possible.
KeePass ships with a strong random password generator (you can define the possible output characters, length, etc.).
The program can be translated into other languages very easily (over 34 languages are available). It has a plugin framework; many plugins provide additional functionality like backup features, network features, .; they are available from the KeePass website.
Whats new in version 2.34:
New Features:
• The estimated password quality (in bits) is now displayed on the quality progress bar, and right of the quality progress bar the length of the password is displayed.
• Auto-Type: before sending a character using a key combination involving at least two modifiers, KeePass now first tests whether this key combination is a registered system-wide hot key, and, if so, tries to send the character as a Unicode packet instead.
• Auto-Type: added workaround for Cygwin's default Ctrl+Alt behavior (which differs from Windows' behavior).
• Auto-Type: added {APPACTIVATE .} command.
• {HMACOTP} placeholder: added support for specifying the shared secret using the entry strings 'HmacOtp-Secret-Hex' (secret as hex string), 'HmacOtp-Secret-Base32' (secret as Base32 string) and 'HmacOtp-Secret-Base64' (secret as Base64 string).
• {T-CONV:.} placeholder: added 'Uri-Dec' type (for converting the string to its URI-unescaped representation).
• Added placeholders: {URL:USE.
Operating system:
Windows All
Release notes:
Major Update
Other version information:
Software | Version | Release date | File size |
---|---|---|---|
KeePass Password Safe | 1.11 | 2008-11-08 | 1331.2 KB |
KeePass Password Safe | 2.20 / 1.24 | 2012-10-18 | 2426 KB |
KeePass Password Safe | 2.20.1 | 2013-01-20 | 2426 KB |
KeePass Password Safe | 2.23 | 2013-07-22 | 2416 KB |
KeePass Password Safe | 2.25 / 1.27 | 2014-04-07 | 2457 KB |
KeePass Password Safe | 2.27 | 2014-07-07 | 2488 KB |
KeePass Password Safe | 2.28 | 2015-04-03 | 2516582.4 KB |
KeePass Password Safe | 2.29 | 2015-05-27 | 3040870.4 KB |
KeePass Password Safe | 2.30 | 2015-08-14 | 3040870.4 KB |
KeePass Password Safe | 2.31 | 2016-01-11 | 3040870.4 KB |
KeePass Password Safe | 2.33 | 2016-05-16 | 3040870.4 KB |
Related downloads
KeePass Password Safe 2.34
KeePass is an open source password manager. Passwords can be stored in highly-encrypted databases, which can only be unlocked with one master password and/or a key file.Price: $0, Rating: 10, Downloads: 429 Download
Atomic IE Password Recovery 2.00
Atomic IE Password Recovery recovers lost passwords saved by Internet Explorer AutoComplete in a while. The program removes the password of the Content Advisor in a while. AtomicIE also recovers passwords set for FTP catalogs.Price: $30, Rating: 5, Downloads: 125 Download
MSN Messenger Password Remover 5.0.1
MSN messenger Password Recovery Program It recovers stored login information when the 'Remember Password' check box is checked on the msn messenger window. MSN messenger password cracker tool shows email account password created on MSN messengers.Price: $30.00, Rating: 9, Downloads: 122 Download
RAR Password Recovery Magic 6.1.1.390
RAR Password Recovery Magic is a powerful tool designed to recover lost or forgotten passwords for a RAR/WinRAR archives. RAR Password Recovery Magic supports the customizable brute-force and dictionary-based attacksPrice: $29.99, Rating: 5.5, Downloads: 120 Download
ZipPassword 17.0.9422
Zip Password is a password recovery tool (?password cracker?) for Zip (PKZip/WinZip) archives, which implements the newest technologies to make password search lightning-fast. Besides brute-force attack, more sophisticated methods are also supported.Price: $39.00, Rating: 7, Downloads: 114 Download
Keepass Download
User Rating
Awards
Cracking Keepass Password Safe Database Tool
Software Categories
Top Downloads
Home | Add new software | Partners | Archive | Privacy policy
Copyright (c) 2006-2020 Soft32Download.com - All rights reserved. Load in: 0.0437 s
Copyright (c) 2006-2020 Soft32Download.com - All rights reserved. Load in: 0.0437 s