Orange-Cyberdefense/KeePwn Orange-Cyberdefense/KeePwn

  • Stars
    star
    444
  • Rank 98,300 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 2 years ago
  • Updated 7 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Orange-Cyberdefense/KeePwn
github

Orange-Cyberdefense

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A python tool to automate KeePass discovery and secret extraction.

A python script to help red teamers discover KeePass instances and extract secrets.

Features & Roadmap

KeePwn is still in early development and not fully tested yet : please use it with caution and always try it in a lab before (legally) attacking real-life targets!

  • KeePass Discovery
    • Accept multiple target sources (IP, range, hostname, file)
    • Automatically look for KeePass global installation files via SMB C$ share.
    • Automatically look for KeePass portable + Windows store installation files via SMB C$ share.
    • Automatically check for running KeePass process through Impacket-based command execution.
    • Multi-thread implementation to avoid bottleneck hosts.
    • Automatically check for KeePass binary's metadata (version, last access time).
  • KeePass Plugin Abuse
    • Automatically upload a plugin (DLL or PFX format) to extract passwords, see KeeFarce Reborn.
    • Automatically poll for cleartext exports on the remote host.
  • KeePass Trigger Abuse
    • Add and remove triggers from KeePass configuration file via SMB C$ share.
    • Automatically poll for cleartext exports on the remote host.
    • Customize triggers with command line arguments.
  • KeePass Dump Parsing (CVE-2023-32784)
    • Parse memory dumps to find master password candidates.
    • Bruteforce missing characters with the most common unicode characters.
  • KeePass Cracking
    • Convert KDBX to John and Hashcat compatible formats (including KDBX 4).
  • Authentication
    • Support LM/NT hash authentication.
    • Support Kerberos Authentication.
  • Miscellaneous
    • Write unit tests.
    • Make the project available on PyPI .

Installation

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
sudo python3 setup.py install
KeePwn --help

Or if you don't want to install but just run :

git clone https://github.com/Orange-Cyberdefense/KeePwn
cd KeePwn
python3 -m pip install -r requirements.txt
python3 KeePwn.py --help

Usage

Discovery

KeePwn's search module is used to identify hosts that run KeePass on your target environment.

It makes use of the built-in C$ share to look for KeePass-related files in default locations, hence requiring administrator privileges on the targets.

Note that for the moment, it only searches for the global KeePass.exe binary (in Program Files) and the local KeePass.config.xml (in %APPDATA%). Future release should include KeePass local installation paths (for example: on a user's Dekstop) as well as Windows Store installation.

Plugin Abuse

KeePass features a plugin framework which can be abused to load malicious DLLs into KeePass process, allowing attackers with administrator rights to easily export the database (see: KeeFarceRebornPlugin).

KeePwn's plugin module allows to :

  • List currently installed plugins

  • Add and remove your malicious plugins

  • Poll %APPDATA% for exports and automatically moves it from remote host to local filesystem

These actions are made through SMB C$ share access, limiting AV/EDR detection as no command execution is performed.

Trigger Abuse

As described in @harmj0y's blog post (and later CVE-2023-24055), KeePass trigger system can be abused in order to export the database in cleartext.

KeePwn's trigger module allows to :

  • Check if a malicious trigger named "export" is currently written in KeePass configuration

  • Add and remove a malicious trigger named "export" which performs a cleartext export of the database in %APPDATA% on next KeePass launch

  • Poll %APPDATA% for exports and automatically moves it from remote host to local filesystem

If the configuration file path is not the default location, you can specify one with --config-path argument.

Memory Dumps Parsing

As described by @vdohney, it is possible to retrieve the database's master password in memory (CVE-2023-32784, affecting versions prior to KeePass 2.54).

KeePwn parse_dump module will search for potential master password candidates in dumps. Because the resulting strings will (by design) be incomplete, the module can also be used to bruteforce the missing first character against a specified KDBX file.

The memory dump parsing makes use of @CMEPW's Python PoC. Thanks for letting me re-use the code :)

Contribute

Pull requests are welcome (see: Roadpmap + TODO in code).

Feel free to open an issue or DM me on Twitter to suggest improvement.

More Repositories

1

GOAD

game of active directory
PowerShell
4,933
star
2

arsenal

Arsenal is just a quick inventory and launcher for hacking programs
Python
3,155
star
3

ocd-mindmaps

Orange Cyberdefense mindmaps
1,001
star
4

awesome-industrial-protocols

Security-oriented list of resources about industrial network protocols.
Python
448
star
5

fenrir-ocd

Python
226
star
6

grepmarx

A source code static analysis platform for AppSec enthusiasts.
Python
194
star
7

russia-ukraine_IOCs

Russia / Ukraine 2022 conflict related IOCs from CERT Orange Cyberdefense Threat Intelligence Datalake
173
star
8

graphcat

Generate graphs and charts based on password cracking result
Python
152
star
9

versionshaker

Find the remote website version based on a git repository
Python
122
star
10

haiti

πŸ”‘ A CLI tool to identify the hash type of a given hash.
Ruby
107
star
11

CVE-repository

πŸͺ² Repository of CVE found by OCD people
Python
68
star
12

disposable-mailbox-docker

A self hosted yopmail like server running in a docker
PHP
55
star
13

cme-wmi

A standalone WMI protocol for CrackMapExec
Python
48
star
14

wmi-shell

WMI Shell project : proof-of-concept of remote access to a Windows machine using only the WMI service.
C
43
star
15

bof

BOF (Boiboite Opener Framework) is a testing framework for industrial protocols implementations and devices.
Python
42
star
16

ctf-party

🎏 A library to enhance and speed up script/exploit writing for CTF players
Ruby
39
star
17

rabid

πŸͺ A CLI tool and library allowing to simply decode all kind of BigIP cookies.
Ruby
37
star
18

ctf-write-ups

πŸ“ Collection of our CTF write-ups
Python
27
star
19

sikara

Ease and assist the compromise of an Active Directory environment.
Python
26
star
20

reverse-proxy-auth

A Nginx reverse proxy that authenticates users using their personal certificates. Includes everything to create and revoke those certificates, create the CA and even TLS certificates for websites.
Shell
23
star
21

mass-nessus-docker

Deploy multiple instances of Nessus in docker containers easily
Shell
19
star
22

log4shell_iocs

Log4Shell IOCs from CERT Orange Cyberdefense Threat Intelligence Datalake
17
star
23

leHACK-2022

C
16
star
24

sqltrees

Developper-proof prevention of SQL injection (java library)
Java
10
star
25

sweetlemonade

SWEETLEMONADE is a bootkit for UEFI firmware
C
5
star
26

CyberSOC-detect-Nanocore-RAT

DΓ©tection de malwares par Artefacts : le cas du RAT Nanocore
Python
3
star