KeePass is a free, open-source password manager that helps organize passwords in a secure and easy way. KeePass stores all passwords in one database, which is locked with one master key or a key file. Users therefore have to remember only a single master password, or select the key file, to unlock the whole database.
KeeFarce - A Tool To Hack KeePass Passwords.
According to KeePass, the databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). Sounds good, but it doesn't seem so safe anymore. A tool called KeeFarce is now available to hack KeePass. KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.
How KeeFarce Works
KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime within the appropriate app domain, which then executes KeeFarceDLL.dll (the main C# payload). KeeFarceDLL uses CLR MD to find the necessary object in the KeePass process's heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.
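From the defender's side, the behaviour described above leaves traces in process telemetry. The following is an added example, not code from KeeFarce or KeePass: it scans Sysmon-style events for the module names this article lists being loaded into KeePass.exe and for a CSV written under %AppData% by the KeePass process. The event dictionaries, paths and user name are constructed, and treating a remote thread in KeePass.exe (Sysmon event 8) as an injection signal is an assumption, since the article does not say which injection primitive is used.

```python
import ntpath

# Module names the article lists as KeeFarce components (both spellings of the
# CLR MD assembly name are matched), compared in lowercase.
KEEFARCE_MODULES = {"bootstrapdll.dll", "keefarcedll.dll",
                    "microsoft.diagnostics.runtime.dll",
                    "microsoft.diagnostic.runtime.dll"}

def base(path):
    """Lowercased file name of a Windows path."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, detail) findings for events that involve KeePass.exe."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 7 and base(ev["Image"]) == "keepass.exe":
            # Sysmon 7 (ImageLoad): a listed module mapped into KeePass.
            if base(ev["ImageLoaded"]) in KEEFARCE_MODULES:
                findings.append(("keefarce-module-loaded", ev["ImageLoaded"]))
        elif eid == 8 and base(ev["TargetImage"]) == "keepass.exe":
            # Sysmon 8 (CreateRemoteThread): assumed generic injection signal.
            findings.append(("remote-thread-into-keepass", ev["SourceImage"]))
        elif eid == 11 and base(ev["Image"]) == "keepass.exe":
            # Sysmon 11 (FileCreate): CSV under %AppData% written by KeePass.
            # A user-initiated CSV export would match too, so triage the hit.
            target = ev["TargetFilename"].lower()
            if "\\appdata\\roaming\\" in target and target.endswith(".csv"):
                findings.append(("csv-written-under-appdata", ev["TargetFilename"]))
    return findings

# Constructed sample events (not captured from a real host).
KP = r"C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": KP, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\kf\KeeFarce.exe", "TargetImage": KP},
    {"EventID": 7, "Image": KP, "ImageLoaded": r"C:\Users\alice\kf\BootstrapDLL.dll"},
    {"EventID": 7, "Image": KP, "ImageLoaded": r"C:\Users\alice\kf\KeeFarceDLL.dll"},
    {"EventID": 11, "Image": KP, "TargetFilename": r"C:\Users\alice\AppData\Roaming\out.csv"},
    {"EventID": 11, "Image": r"C:\Windows\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\notes.csv"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

Image-load logging (event 7) is not enabled in Sysmon by default, so the first rule only fires where the configuration includes it for KeePass.exe.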
Building & Executing KeeFarce
All the required files can be obtained from KeeFarce’s GitHub Page.
To build KeeFarce:
- Install Visual Studio (preferably VS 2015, as development was done in that version).
- Open KeeFarce.sln with Visual Studio and hit 'build'.
- The resulting files can be found in dist/$architecture.
- Copy the KeeFarceDLL.dll and Microsoft.Diagnostics.Runtime.dll files into the folder before executing, as these are architecture independent.
To execute KeeFarce on the target:
- Make sure the following files are in the same folder: BootstrapDLL.dll, KeeFarce.exe, KeeFarceDLL.dll, Microsoft.Diagnostics.Runtime.dll
- Copy these files across to the target and execute KeeFarce.exe
KeeFarce Compatibility
According to the author, KeeFarce has been tested on KeePass 2.28, 2.29 and 2.30 running on Windows 8.1, both 32-bit and 64-bit, and should work fine on Windows 7 machines too.