💾 Archived View for capsule.0ut3r.space › art › cve-2023-32784.gmi captured on 2024-09-28 at 23:54:01. Gemini links have been rewritten to link to archived content
2023-05-22 20:33
A new and interesting vulnerability was discovered in the KeePass app in the last few days. In this article I test it, show examples of how it is used, and how to brute-force the password vault with a crafted dictionary attack. So as not to act as pure evil, you will also find here examples of how to protect yourself and clean up after patching this vulnerability. Oh, btw, I tested an app to make the article more dynamic, fancy, and friendlier for users who like video tutorials. (Now I feel almost like an Indian YouTuber making a step-by-step video that every script kiddie can follow and repeat without any knowledge, only to realize at the end that nothing works and almost every step threw a different error) :laughing:
First of all, a bunch of links and info. If you want to read about the vulnerability, check the official thread on SourceForge.
A KeePass password dumper is publicly available.
Only KeePass 2.x is affected. The two projects linked here in the original post are not affected; if you use any other KeePass fork, check with its developer.
To exploit the vulnerability, the master password has to have been typed on the keyboard, not pasted from the clipboard. You also need access to a dump of the KeePass process, or to memory from the machine where KeePass is running: a full RAM capture, swapfile / hiberfil / pagefile, or a crash dump. Of course, if you have that kind of access you could also run a keylogger, but that's a different story. The dumper looks for strings left behind by the vulnerable *SecureTextBoxEx* control and reconstructs the password from them. Apart from the first character, it recovers the password in plaintext.
From the thread on SourceForge we know that the vulnerability will be patched at the beginning of June, in version 2.54.
Steps to protect yourself:
1. Update KeePass to version 2.54
2. Change Master Password
3. Delete crash dumps
4. Delete hibernation file
5. Delete pagefile/swapfile
6. Overwrite deleted data on the HDD to prevent carving
7. Restart your computer or overwrite HDD and install system from scratch (LOL)
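Most of those steps are one-liners once you know where Windows keeps the relevant files and switches, so here they are as one script. This is an added example, not part of the original post. It assumes KeePass is installed in the default "Program Files\KeePass Password Safe 2" folder, that crash dumps land in the Windows Error Reporting default folder (%LOCALAPPDATA%\CrashDumps) and Task Manager dumps in %TEMP%, and that 2.54 is the fixed version; the pagefile-wipe registry value and the cipher free-space wipe are standard Windows features.

```powershell
# Added example, not part of the original post: runs the checks and cleanup
# steps listed above on one Windows machine. Run from an elevated PowerShell.
# Assumptions (not stated on the page): KeePass lives in the default
# "$env:ProgramFiles\KeePass Password Safe 2" folder; crash dumps land in the
# Windows Error Reporting default folder %LOCALAPPDATA%\CrashDumps or, for
# Task Manager dumps, in %TEMP%.
param(
    [switch]$WipeFreeSpace,   # step 6: slow, overwrites all free space on the system drive
    [switch]$Reboot           # step 7
)

$FixedVersion = [version]'2.54'
$KeePassExe   = Join-Path $env:ProgramFiles 'KeePass Password Safe 2\KeePass.exe'

# Step 1: is the installed build already at or above the fixed version?
if (Test-Path $KeePassExe) {
    $installed = [version](Get-Item $KeePassExe).VersionInfo.ProductVersion
    if ($installed -lt $FixedVersion) {
        Write-Warning "KeePass $installed is vulnerable, update to $FixedVersion before continuing"
    } else {
        Write-Host "KeePass $installed is patched"
    }
} else {
    Write-Warning "KeePass.exe not found at $KeePassExe, adjust the path for your install"
}

# Step 2 cannot be scripted: the master password was typed into the old build,
# so it must be changed inside KeePass after the update.
Write-Host 'Reminder: change the master password in KeePass (File > Change Master Key)'

# Step 3: remove KeePass process dumps that a crash or Task Manager left behind
foreach ($dir in @("$env:LOCALAPPDATA\CrashDumps", $env:TEMP)) {
    Get-ChildItem -Path $dir -Filter 'KeePass*.dmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "Deleting dump $($_.FullName)"
            Remove-Item -LiteralPath $_.FullName -Force
        }
}

# Step 4: turning hibernation off deletes hiberfil.sys
powercfg /hibernate off

# Step 5: the pagefile is in use and cannot be deleted live; ask Windows to
# overwrite it with zeros at the next shutdown instead
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1 -Type DWord

# Step 6: overwrite free space so deleted dumps cannot be carved back
if ($WipeFreeSpace) {
    cipher "/w:$env:SystemDrive\"
}

# Step 7: the reboot also triggers the pagefile wipe configured in step 5
if ($Reboot) { Restart-Computer -Force }
```

Run it once without switches to see what it finds, then again with `-WipeFreeSpace -Reboot` when you can afford the downtime; cipher's free-space wipe takes a long time on a large disk, and the pagefile is only cleared on the shutdown that follows the registry change.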
I tested it on a virtual machine with Windows 10 and the latest version of KeePass installed. Follow these instructions to test it the way I did.
First, download the dumper. Extract it and install the dependencies.
Next, prepare an empty KeePass database protected with a password; in my example the password is `FunnyPassword!123`.
Create KeePass Database [Animated GIF]
Then I save the database and reopen the app to enter the password, just as a standard user would do every day when accessing their password vault.
The next step is to dump the KeePass process memory. I did this simply with Task Manager.
KeePass process dump [Animated GIF]
You can also use one of the Sysinternals tools, procdump:
```
.\procdump.exe -w -ma KeePass.exe
```
You can do this by name or by PID. To list the PID of KeePass use:
```
ps | findstr KeePass
```
Next, copy the dump file from the temp folder to the location of the password dumper and run the dumper from PowerShell:
```
dotnet run PATH_TO_DUMP
```
keepass password dumper [Animated GIF]
and voilà. In this example the first character is easy to guess, as there are only two realistic possibilities, f or F. But if the password were strong and random, we would have to test quite a lot of characters.
To solve the problem of the first character we can build a dictionary from what we already discovered and just add a list of letters, symbols and numbers as the prefix. Here are tools you can use, with examples based on the test password `FunnyPassword!123` where we do not know the first letter.
Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
It's quite an old tool but it works. You can download it here:
https://github.com/sc0tfree/mentalist
Here is rule creator screen example:
and here the output of the wordlist generator:
Crunch is a wordlist generator where you can use a standard character set or one you specify. Crunch can generate all possible combinations and permutations.
In our example we create a wordlist of 17-character passwords, using a predefined charset for the first position of the word, and save it to an output file called *pass.txt*:
```
crunch 17 17 -f /usr/share/crunch/charset.lst mixalpha-numeric-all-space -t @unnyPassword\!123 -o pass.txt
```
Same results as with Mentalist, but faster, easier and without a GUI, so in hacker style.
Crunch can be found here:
https://sourceforge.net/projects/crunch-wordlist/
Now that we have dumped the password from memory and built a wordlist for the missing first character, we can brute-force the KeePass database. For that we need
John the Ripper jumbo: an advanced offline password cracker that supports hundreds of hash and cipher types and runs on many operating systems, CPUs, GPUs, and even some FPGAs.
First, let's extract the password hash from the kdbx database. Use keepass2john for that (it is already available on Kali):
```
keepass2john Database.kdbx > hash.txt
```
Then we can run john with our wordlist to crack the password:
```
john --wordlist=pass.txt hash.txt
```
KeePass bruteforce [Animated GIF]
and it's done! I hope this example shows how important it is to keep software up to date.
Additionally, commands to check and dump the process on a remote machine.
First check the process:
```
Get-Process -ComputerName PC-NAME | findstr KeePass
```
or
```
Get-WmiObject Win32_Process -ComputerName PC-NAME | findstr KeePass
```
or
```
Get-CimInstance Win32_Process -ComputerName PC-NAME | findstr KeePass
```
And then dump:
```
PSEXEC \\PC-NAME c:\temp\procdump.exe -e -ma -h <PID>
```
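Every route shown on this page, the local Task Manager / procdump dump and the remote PsExec variant, ends the same way on the target: something opens a handle to the KeePass process with memory-read rights and a .dmp file appears on disk, and in the remote case PsExec first installs its helper service. That is what a blue team should be looking for, so here is a hunting script for it. This is an added example, not from the original post; it assumes Sysmon is installed with ProcessAccess (event 10) and FileCreate (event 11) logging enabled for KeePass.exe. The Sysmon channel name, the EventData field names, the 7045 service-install event and the PSEXESVC service name are standard; the 24-hour window is an arbitrary default.

```powershell
# Added example, not part of the original post: hunt for memory dumps of KeePass
# on a Windows host that runs Sysmon. Assumes Sysmon logs ProcessAccess (ID 10)
# and FileCreate (ID 11) for KeePass.exe; channel, field and service names below
# are the standard ones, the time window is an arbitrary default.
param([int]$Hours = 24)
$since  = (Get-Date).AddHours(-$Hours)
$sysmon = 'Microsoft-Windows-Sysmon/Operational'

# Flatten a Sysmon event's EventData block into a name/value hashtable
function Get-SysmonFields {
    param($Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 1. A handle to KeePass.exe opened with memory-read rights. Task Manager's
#    "Create dump file" and procdump (run locally or pushed in through PsExec)
#    both need PROCESS_VM_READ (0x0010); a full-access request shows up as 0x1FFFFF.
$opens = @(Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=10; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SysmonFields $_ } |
    Where-Object { $_.TargetImage -like '*\KeePass.exe' -and (([int]$_.GrantedAccess) -band 0x10) -ne 0 })

# 2. A .dmp file whose name points at KeePass, whichever process wrote it
$dumps = @(Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=11; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SysmonFields $_ } |
    Where-Object { $_.TargetFilename -like '*KeePass*.dmp' })

# 3. PsExec installs its helper service on the target; the Service Control
#    Manager records that as System event 7045 naming PSEXESVC.
$psexec = @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' })

"Process opens against KeePass.exe with read rights: $($opens.Count)"
$opens  | ForEach-Object { [pscustomobject]@{Time=$_.UtcTime; Source=$_.SourceImage; Access=$_.GrantedAccess} } | Format-Table -AutoSize
"KeePass dump files created: $($dumps.Count)"
$dumps  | ForEach-Object { [pscustomobject]@{Time=$_.UtcTime; Writer=$_.Image; File=$_.TargetFilename} } | Format-Table -AutoSize
"PsExec service installs: $($psexec.Count)"
$psexec | Select-Object TimeCreated, MachineName | Format-Table -AutoSize
```

A Sysmon config that excludes KeePass.exe from ProcessAccess logging (many baseline configs only include lsass.exe) will leave the first query empty, so check the include rules before trusting a zero; and a dump file that was renamed before being copied off will only show up in the first query, which is why the handle open is the signal to alert on rather than the file name.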
Happy dumping, cracking and patching.