KeePass

Find KeePass databases and loot master keys from memory on compromised Windows systems using the KeeThief project from HarmJ0y.

Enum

Find a running KeePass process.

CMD
tasklist | findstr /I keepass
PowerShell
Get-Process keepass

Loot

When KeePass is running and the database is unlocked, KeeThief is able to recover the following information from memory:

This injection only requires permission to modify the KeePass process space (which the current user running KeePass.exe has); it doesn’t require administrative rights.

PowerShell
Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose

Source: github.com/HarmJ0y/KeeThief/PowerShell/KeeThief.ps1
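From the defender's side, injection into the KeePass process space shows up in process-access telemetry. The following is an added example, not code from the KeeThief project or this page: it filters Sysmon ProcessAccess (event 10) and CreateRemoteThread (event 8) records that target KeePass.exe. It assumes Sysmon is configured to log both events and that records are exported as dictionaries keyed by Sysmon's field names; the allowlist parameter and the sample events are constructed.

```python
# Added example (not from KeeThief): flag Sysmon events where another
# process gains modify rights on, or starts a thread in, KeePass.exe.
import ntpath

# Windows process access rights needed to alter another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
MODIFY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def flag_keepass_tampering(events, allowed_sources=()):
    """Return (event_id, source_image, reason) tuples for suspect events.
    events: dicts keyed by Sysmon field names. allowed_sources: full paths
    of vetted tools (hypothetical allowlist maintained by the defender).
    """
    allowed = {p.lower() for p in allowed_sources}
    findings = []
    for ev in events:
        src = ev.get("SourceImage", "")
        target = ntpath.basename(ev.get("TargetImage", "")).lower()
        if target != "keepass.exe" or src.lower() in allowed:
            continue
        if ev.get("EventID") == 8:  # Sysmon CreateRemoteThread
            findings.append((8, src, "remote thread created in KeePass"))
        elif ev.get("EventID") == 10:  # Sysmon ProcessAccess
            hit = int(ev.get("GrantedAccess", "0x0"), 16) & MODIFY_RIGHTS
            if hit:
                findings.append((10, src, f"modify rights granted: {hit:#06x}"))
    return findings

# Constructed sample events, not captured from a real host.
KEEPASS = r"C:\Program Files\KeePass\KeePass.exe"
SAMPLE_EVENTS = [
    # Query-limited handle only: ignored.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": KEEPASS, "GrantedAccess": "0x1000"},
    # Full-access handle from a user-writable path: flagged.
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\a.exe",
     "TargetImage": KEEPASS, "GrantedAccess": "0x1F3FFF"},
    # Remote thread into KeePass: flagged.
    {"EventID": 8, "SourceImage": r"C:\Tools\x.exe", "TargetImage": KEEPASS},
    # Remote thread into an unrelated process: ignored.
    {"EventID": 8, "SourceImage": r"C:\Tools\x.exe",
     "TargetImage": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for finding in flag_keepass_tampering(SAMPLE_EVENTS):
        print(finding)
```

Because the injection runs with the rights of the user who started KeePass.exe, filtering on elevated or SYSTEM sources alone would miss it; the check keys on the target process and the access mask instead.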

Compiled Binary

The KeeThief project also provides a Visual Studio solution file for building the following PE and DLL:

Copy both files into the same directory on the target workstation and run the binary to loot.

Binaries: KeeTheft.exe, Microsoft.Diagnostics.Runtime.dll

Unlock

When the database is unlocked with a key file, a Windows user account, or both, KeeThief computes base64-encoded representations of the recovered “plaintext” binary key material. Unlocking the database locally with material in this format therefore requires a modified version of KeePass.

The KeeThief project also provides a Visual Studio solution file for building a patched version of KeePass that accepts this format.


Binary: KeePatched.exe
