KeeFarce | A Tool To Hack KeePass 2.x Password Manager

KeePass is a free open-source password manager which helps to organize passwords in a secure and easy way. KeePass stores all passwords in one database, which is locked with one master key or a key file. So the users have to remember only one single master password or select the key file to unlock the whole database.

KeeFarce - A Tool To Hack KeePass Passwords.

According to KeePass, the databases are encrypted using the best and most secure encryption algorithms currently known ( AES and Twofish ). Sounds good but it doesn’t seem so safe anymore. A tool called KeeFarce , is now available, to hack KeePass. KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URL’s are dumped into a CSV file in %AppData%

How KeeFarce Works

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload). The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Building & Executing KeeFarce

All the required files can be obtained from KeeFarce’s GitHub Page.

To build the KeeFarce

  • Install Visual Studio (Preferably VS 2015, As development has been done in that).
  • Open the KeeFarce.sln with Visual Studio and hit ‘build’.
  • The result files can be found at dist/$architecture .
  • Copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.

To execute KeeFarce on the target

  • Make sure the following files are in the same folder:
  • BootstrapDLL.dll, KeeFarce.exe, KeeFarceDLL.dll, Microsoft.Diagnostic.Runtime.dll
  • Copy these files across to the target and execute KeeFarce.exe

KeeFarce Compatibility

According to the author, KeeFarce has been tested on KeePass 2.28, 2.29 and 2.30 - running on Windows 8.1 - both 32 and 64 bit and should be working fine on Windows 7 Machines too.