Reading Time: 2 Minutes

Offensive Security Tool: KeeThief

GitHub Link

KeeThief

KeeThief by snovvcrash, is a tool that brings you methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory. It allows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration of the KeePass trigger system.

When performing post exploitation, whether its for Pentesting or Bug Bounty hunting, this means shell is just the beginning, you got already access but what can you actually do after that? When it comes to harvesting credentials, KeePass is a Cloud based Password Manager – that keeps your credentials safe, up until this tool for a specific version – can allow decrypting and extracting all these credentials, as part of a sophisticated coding done in the background.

See Also: Recon Tool: ReconFTW

KeeTheft

Some Technical Info:

The main KeeThief code, “where the magic happens”.

KeeThief’s GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.

If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the RtlEncryptMemory() encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the memory blobs, returning the plaintext/unprotected key data.

This is a different approach than denandz’ excellent KeeFarce project, which injects code to load a bootstrap DLL into the KeePass process, which then loads an C# assembly along with CLR MD, and executes the ‘Export’ method on a KeePass.DataExchange.Formats.KeePassCsv1x object in order to export all existing passwords to disk. KeeTheft walks the heap for composite key information and injects shellcode to decrypt each encryption material component as appropriate.

Included in the project is a .NET 2.0 backport of the CLR MD project (necessary for PowerShell v2 compatibility). The CLR MD project is licensed by Microsoft under the MIT license.

On building the project, a merged .\KeeTheft\bin\ReleaseKeeTheft.exe binary containing KeeTheft and the CLR MD will be produced.

See Also: Recon Tool: Smap

PowerShell

The KeeThief.ps1 PowerShell file contains Get-KeePassDatabaseKey, which loads/executes the KeeTheft assembly in memory to extract KeePass material from an KeePass.exe process with an open database.

The KeePassConfig.ps1 file contains method to enumerate KeePass config files on a system (Find-KeePassconfig), retrieve the set triggers for a KeePass.config.xml file (Get-KeePassConfigTrigger), add malicious KeePass triggers (Add-KeePassConfigTrigger), and remove KeePass triggers (Remove-KeePassConfigTrigger).

See Also: Complete Offensive Security and Ethical Hacking Course