KeeFarce - Tool For Extracting Passwords From a KeePass 2.x Database, Directly From Memory

KeeFarce - Tool For Extracting Passwords From a KeePass 2.x Database, Directly From Memory

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URL's are dumped into a CSV file in %AppData%.

This tool uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

It uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

In order to execute on the target host, the following files need to be in the same folder:
  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe

KeeFarce has been tested on:
  • KeePass 2.28, 2.29 and 2.30 - running on Windows 8.1 - both 32 and 64 bit.
This should also work on older Windows machines (win 7 with a recent service pack). If you're targeting something other than the above, then testing in a lab environment beforehand is recommended.




Source: www.effecthacking.com
KeeFarce - Tool For Extracting Passwords From a KeePass 2.x Database, Directly From Memory KeeFarce - Tool For Extracting Passwords From a KeePass 2.x Database, Directly From Memory Reviewed by Unknown on 9:30 PM Rating: 5