KeePwn: automate KeePass discovery and secret extraction

KeePwn

A python script to help red teamers discover KeePass instances and extract secrets.

Features & Roadmap

•  KeePass Discovery
  •  Look for KeePass installation files through SMB C$ share.
  •  Accept multiple target sources (IP, CIDR, hostname, file).
  •  Check for KeePass metadata (version, last access time).
  •  Check for running KeePass process through Impacket-based RPC.
  •  Multi-threaded implementation to avoid bottleneck hosts.
  •  Export search results to CSV.
  •  Find KDBX databases.
•  KeePass Plugin Abuse
  •  Add and remove KeePass plugins (see KeeFarce Reborn) through SMB C$ share.
  •  Retrieve cleartext exports on the remote host.
•  KeePass Trigger Abuse
  •  Add and remove triggers (see: KeeThief from KeePass configuration file through SMB C$ share.
  •  Retrieve cleartext exports on the remote host.
  •  Customize triggers with command line arguments.
•  KeePass Dump Parsing
  •  Parse memory dumps to find master password candidates (CVE-2023-32784).
  •  Parse memory dumps to find encryption key.
•  KeePass Database Cracking
  •  Convert KDBX to John and Hashcat compatible formats.
  •  Add support for KDBX 4.x format.
•  Authentication
  •  Support LM/NT hash authentication.
  •  Support Kerberos Authentication.
•  Miscellaneous
  •  Write unit tests.
  •  Make the project available on PyPI .

Installation

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
sudo python3 setup.py install

Or if you don’t want to install but just run:

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
python3 -m pip install -r requirements.txt

Use

Search Mode

The search module is used to identify hosts that run KeePass on your target environment. It makes use of the built-in C$ share to look for default KeePass-related file locations. For the moment, it only searches for global KeePass.exe binary (in Program Files) and local KeePass.config.xml (in %APPDATA%).

While enumerating KeePass through SMB shares is quieter against antiviruses protections, it sometimes lacks some information like “is KeePass currently being run ?” (useful if you want to extract secrets through DLL injection with KeeFarceReborn). I will soon implement the –search-process flag that will check for live KeePass process execution through Impacket-based remote command execution.

Trigger Mode

As described in @harmj0y’s blog post (Exfiltration Without Malware part), the KeePass trigger system can be abused in order to export the database in cleartext. KeePwn trigger modules allow to :

• Check if a malicious trigger named “export” is currently present in the KeePass configuration.

• Add and remove a malicious trigger named “export” which performs a cleartext export of the database in %APPDATA% on the next KeePass launch.

• Poll %APPDATA% for exports and automatically moves it from remote host to local.

Once again, these actions are made through SMB C$ share access, limiting antiviral detection as no command execution is performed.

If no configuration file path is specified, note that KeePwn will try to find it manually by looking in default locations. As KeePass trigger manipulation should always be added with caution, the mode is limited to 1 host and 1 configuration file at a time.

Copyright (C) 2023 Orange-Cyberdefense

Source: https://github.com/Orange-Cyberdefense/

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy