Find KeePass databases and loot master keys from memory on compromised Windows systems using the KeeThief project by HarmJ0y.
Find the running KeePass process:
tasklist | findstr /I keepass
When KeePass is running and the database is unlocked, KeeThief is able to recover the following information from memory:
- Database Location
- KeePass Version and Location
- Master Password
- Key File (base64)
- Windows User Account (base64)
This injection only requires permission to modify the KeePass process space (which the current user running KeePass.exe has); it doesn't require administrative rights.
Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose
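From the defender's side, the property just described (a foreign process opening a handle to KeePass.exe with memory read/write or thread-creation rights, no admin needed) is exactly what Sysmon Event ID 10 (ProcessAccess) records. The following is an added triage script, not part of KeeThief or of the original page: it parses constructed Sysmon "Process accessed" message bodies and flags handles to KeePass.exe that carry PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD from a source image that is not on a small allowlist. The access-right constants are the documented Windows values; the sample log lines and the allowlist contents are assumptions to adapt to your environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handles opened to
KeePass.exe with rights that allow reading or tampering with its memory."""
import re
import ntpath
from dataclasses import dataclass, field

# Windows process access rights (documented winnt.h values).
PROCESS_RIGHTS = {
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
}
SUSPICIOUS_MASK = sum(PROCESS_RIGHTS.values())

TARGET_BASENAME = "keepass.exe"

# Assumption: images that legitimately open KeePass handles on this fleet
# (KeePass itself, the endpoint AV engine). Tune before deploying.
ALLOWLIST = {"keepass.exe", "msmpeng.exe"}


@dataclass
class Finding:
    utc_time: str
    source_image: str
    target_image: str
    granted_access: int
    rights: list = field(default_factory=list)


def parse_event(block: str) -> dict:
    """Turn one Sysmon message body ('Key: Value' per line) into a dict."""
    fields = {}
    for line in block.strip().splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def describe_rights(mask: int) -> list:
    """Name the memory/thread rights present in a GrantedAccess mask."""
    return [name for name, bit in PROCESS_RIGHTS.items() if mask & bit]


def triage(log_text: str) -> list:
    """Return a Finding for every non-allowlisted handle to KeePass.exe
    that carries memory read/write or thread-creation rights."""
    findings = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        ev = parse_event(block)
        if "GrantedAccess" not in ev or "TargetImage" not in ev:
            continue  # not a ProcessAccess body
        target = ntpath.basename(ev["TargetImage"]).lower()
        source = ntpath.basename(ev.get("SourceImage", "")).lower()
        if target != TARGET_BASENAME or source in ALLOWLIST:
            continue
        mask = int(ev["GrantedAccess"], 16)
        if mask & SUSPICIOUS_MASK:
            findings.append(Finding(ev.get("UtcTime", ""), ev["SourceImage"],
                                    ev["TargetImage"], mask, describe_rights(mask)))
    return findings


# Constructed sample: four Sysmon Event ID 10 message bodies.
SAMPLE_LOG = r"""
Process accessed:
UtcTime: 2024-01-01 10:00:01.000
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetImage: C:\Program Files\KeePass Password Safe 2\KeePass.exe
GrantedAccess: 0x1F3FFF

Process accessed:
UtcTime: 2024-01-01 10:00:02.000
SourceImage: C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe
TargetImage: C:\Program Files\KeePass Password Safe 2\KeePass.exe
GrantedAccess: 0x1410

Process accessed:
UtcTime: 2024-01-01 10:00:03.000
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Program Files\KeePass Password Safe 2\KeePass.exe
GrantedAccess: 0x1000

Process accessed:
UtcTime: 2024-01-01 10:00:04.000
SourceImage: C:\Windows\explorer.exe
TargetImage: C:\Windows\System32\notepad.exe
GrantedAccess: 0x1FFFFF
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.utc_time} {f.source_image} -> {f.target_image} "
              f"0x{f.granted_access:X} {','.join(f.rights)}")
```

Only the PowerShell-to-KeePass handle is reported: the AV engine is allowlisted, Task Manager asks only for PROCESS_QUERY_LIMITED_INFORMATION (0x1000), and the notepad.exe event has the wrong target. Because a user-level process can legitimately take these rights, treat the output as a triage queue rather than a verdict, and pair it with the other signal the page implies: a database that is unlocked for longer than needed gives a reader a wider window, so short auto-lock timeouts reduce exposure.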
The KeeThief project also provides a Visual Studio solution file that builds the following PE and DLL:
Copy both files into the same directory on the target workstation and run the binary to loot.
When the database was unlocked with a key file, a Windows user account, or both, KeeThief outputs base64-encoded representations of the "plaintext" binary key material it recovered. You will therefore need a modified version of KeePass to unlock the database locally with this format.
The KeeThief project also provides a Visual Studio solution file that builds a patched version of KeePass accepting this format.