GithubHelp home page GithubHelp logo

lap1nou / keepwn Goto Github PK

View Code? Open in Web Editor NEW

This project forked from orange-cyberdefense/keepwn

0.0 0.0 0.0 732 KB

A python tool to automate KeePass discovery and secret extraction.

License: GNU General Public License v3.0

Python 100.00%

keepwn's Introduction

A python script to help red teamers discover KeePass instances and extract secrets.

Features & Roadmap

KeePwn is still in early development and not fully tested yet : please use it with caution and always try it in a lab before (legally) attacking real-life targets!

  • KeePass Discovery
    • Accept multiple target sources (IP, range, hostname, file)
    • Automatically look for KeePass global installation files via SMB C$ share.
    • Automatically look for KeePass portable + Windows store installation files via SMB C$ share.
    • Automatically check for running KeePass process through Impacket-based command execution.
    • Multi-thread implementation to avoid bottleneck hosts.
    • Automatically check for KeePass binary's metadata (version, last access time).
  • KeePass Plugin Abuse
    • Automatically upload a plugin (DLL or PFX format) to extract passwords, see KeeFarce Reborn.
    • Automatically poll for cleartext exports on the remote host.
  • KeePass Trigger Abuse
    • Add and remove triggers from KeePass configuration file via SMB C$ share.
    • Automatically poll for cleartext exports on the remote host.
    • Customize triggers with command line arguments.
  • KeePass Dump Parsing (CVE-2023-32784)
    • Parse memory dumps to find master password candidates.
    • Bruteforce missing characters with the most common unicode characters.
  • KeePass Cracking
    • Convert KDBX to John and Hashcat compatible formats (including KDBX 4).
  • Authentication
    • Support LM/NT hash authentication.
    • Support Kerberos Authentication.
  • Miscellaneous
    • Write unit tests.
    • Make the project available on PyPI .

Installation

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
sudo python3 setup.py install
KeePwn --help

Or if you don't want to install but just run :

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
python3 -m pip install -r requirements.txt
python3 KeePwn.py --help

Usage

Discovery

KeePwn's search module is used to identify hosts that run KeePass on your target environment.

It makes use of the built-in C$ share to look for KeePass-related files in default locations, hence requiring administrator privileges on the targets.

Note that for the moment, it only searches for the global KeePass.exe binary (in Program Files) and the local KeePass.config.xml (in %APPDATA%). Future release should include KeePass local installation paths (for example: on a user's Dekstop) as well as Windows Store installation.

Plugin Abuse

KeePass features a plugin framework which can be abused to load malicious DLLs into KeePass process, allowing attackers with administrator rights to easily export the database (see: KeeFarceRebornPlugin).

KeePwn's plugin module allows to :

  • List currently installed plugins

  • Add and remove your malicious plugins

  • Poll %APPDATA% for exports and automatically moves it from remote host to local filesystem

These actions are made through SMB C$ share access, limiting AV/EDR detection as no command execution is performed.

Trigger Abuse

As described in @harmj0y's blog post (and later CVE-2023-24055), KeePass trigger system can be abused in order to export the database in cleartext.

KeePwn's trigger module allows to :

  • Check if a malicious trigger named "export" is currently written in KeePass configuration

  • Add and remove a malicious trigger named "export" which performs a cleartext export of the database in %APPDATA% on next KeePass launch

  • Poll %APPDATA% for exports and automatically moves it from remote host to local filesystem

If the configuration file path is not the default location, you can specify one with --config-path argument.

Memory Dumps Parsing

As described by @vdohney, it is possible to retrieve the database's master password in memory (CVE-2023-32784, affecting versions prior to KeePass 2.54).

KeePwn parse_dump module will search for potential master password candidates in dumps. Because the resulting strings will (by design) be incomplete, the module can also be used to bruteforce the missing first character against a specified KDBX file.

The memory dump parsing makes use of @CMEPW's Python PoC. Thanks for letting me re-use the code :)

Contribute

Pull requests are welcome (see: Roadpmap + TODO in code).

Feel free to open an issue or DM me on Twitter to suggest improvement.

keepwn's People

Contributors

0x0cd avatar d3lb3 avatar fabaff avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.