I was looking for a KeePass brute forcer. Google gave me two: KeeCracker and Keepass Self-Bruteforce (Keepass-SB). BackTrack gave me one more: keepass2john.
First, what's KeePass?
This is from keepass.info
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
What am I looking for?
I'm looking for a tool for UNIX and Windows that can brute force .kdb or .kdbx files with John, with or without a keyfile. I'm not interested (yet) in KeePass files using the Windows account. All tests are run against a .kdb or .kdbx file with "pass" as password. So, when john is used, the -incremental:alpha option is chosen.
Source: http://keecracker.mbw.name/
KeeCracker is a C# tool (for Windows) for cracking .kdbx files, using a wordlist or john. It doesn't work if the database uses a keyfile.
KeeCracker.exe --help gives some info:

```
KeeCracker, Version=0.1.0.0, Culture=neutral, PublicKeyToken=null
Usage: KeeCracker [OPTIONS] <database_path>

  -w, --wordlist=VALUE   Path to a wordlist or "-" without the quotes for standard in (stdin).
  -t, --threads=VALUE    Number of threads to use.
  -h, -?, --help         Show this help.

Examples:
  KeeCracker -t4 -w KeePassDb.kdbx
  john --incremental --stdout | KeeCracker -w - KeePassDb.kdbx
```
Result with a wordlist:

```
KeeCracker.exe -w wordlist.txt database.kdbx
Password cracked! Password: password
```
Result with john:

```
john --incremental --stdout | KeeCracker -w - database.kdbx
```
Be careful, john doesn’t stop when KeeCracker has found the password.
```
Rate: 451,8 per second Last Candidate: beavar
Rate: 538,4 per second Last Candidate: moung
Rate: 521,5 per second Last Candidate: ccj
Rate: 537,7 per second Last Candidate: matrest
Rate: 510,2 per second Last Candidate: cheely
Rate: 508,3 per second Last Candidate: sherlina
Rate: 510,8 per second Last Candidate: trub
Rate: 530,0 per second Last Candidate: bobg
Rate: 481,8 per second Last Candidate: marierso
Rate: 550,5 per second Last Candidate: mornalla
Rate: 559,2 per second Last Candidate: tull
Rate: 577,5 per second Last Candidate: magino
Rate: 588,3 per second Last Candidate: dli
Rate: 579,0 per second Last Candidate: biller
Rate: 589,7 per second Last Candidate: braman
Rate: 584,5 per second Last Candidate: arcmse
Rate: 575,3 per second Last Candidate: ambjdk
Rate: 593,7 per second Last Candidate: cleuel
Rate: 588,9 per second Last Candidate: brearo
Rate: 430,5 per second Last Candidate: rvc
Rate: 550,3 per second Last Candidate: suchawk
Rate: 573,3 per second Last Candidate: crackin
Rate: 577,9 per second Last Candidate: maybe
Rate: 563,7 per second Last Candidate: shamike
Rate: 558,5 per second Last Candidate: comanth
Password cracked! Password: pass
```
Keepass-SB is a Python script (written for 2.6.4, but it works with 2.7.2), using winappdbg-1.3.win32 (http://pypi.python.org/pypi/winappdbg/1.3). It can only be used on a Windows platform. It works with .kdb files, with or without a keyfile.
There is no command line interface, so you should edit the code or rename your file in order to use this tool.
```python
# Excerpt from KeePass-SB.py (Python 2); `debug` and WORD_SIZE are defined elsewhere in the script.

# Specify a dictionary here
words = open('dic.txt', "r").readlines()
print "[+] Words Loaded: ", len(words)

# Specify a key file
keyfile = "pwsafe.key"
if os.path.isfile(keyfile):
    print "[+] Keyfile Loaded: '" + keyfile + "'"
    aProcess = debug.execv(
        ['KeePass.exe', 'Database.kdb', '-keyfile:' + keyfile, '-pw:'.ljust(WORD_SIZE+4)])
else:
    print "[+] Specified keyfile '" + keyfile + "' does not exist, ignoring argument"
    aProcess = debug.execv(
        ['KeePass.exe', 'Database.kdb', '-pw:'.ljust(WORD_SIZE+4)])
```
Launch the script with: python.exe KeePass-SB.py
```
[+] Words Loaded: 39
[+] Specified keyfile 'pwsafe.key' does not exist, ignoring argument
Counter: 0 - Incorrect: a
Counter: 1 - Incorrect: a&a
Counter: 2 - Incorrect: a&b
Counter: 3 - Incorrect: a&bqvant
Counter: 4 - Incorrect: a&c
Counter: 5 - Incorrect: a&d
Counter: 6 - Incorrect: a&dwsod
Counter: 7 - Incorrect: a&e
Counter: 8 - Incorrect: a&f
Counter: 9 - Incorrect: a&g
Counter: 10 - Incorrect: a&i
Counter: 11 - Incorrect: a&k
Counter: 12 - Incorrect: a&m
Counter: 13 - Incorrect: a&nv
Counter: 14 - Incorrect: a&nxm
Counter: 15 - Incorrect: a&o
Counter: 16 - Incorrect: A&P
Counter: 17 - Incorrect: a&r
Counter: 18 - Incorrect: a&t
Counter: 19 - Incorrect: a&w
Counter: 20 - Incorrect: a&wxn
Counter: 21 - Incorrect: a&x
Counter: 22 - Incorrect: a'
Counter: 23 - Incorrect: a'-level
Counter: 24 - Incorrect: a'a
Counter: 25 - Incorrect: a'aliyah
Counter: 26 - Incorrect: a'b
Counter: 27 - Incorrect: a'c
Counter: 28 - Incorrect: a'clock
Counter: 29 - Incorrect: a'comin
Counter: 30 - Incorrect: a'd
Counter: 31 - Incorrect: a'daire
Counter: 32 - Incorrect: a'dam
Counter: 33 - Incorrect: a'dayami
Counter: 34 - Incorrect: a'dees
Counter: 35 - Incorrect: a'delle
Counter: 36 - Incorrect: a'derin
Counter: 37 - Incorrect: 123
Counter: 38 - Correct: pass
Finished in 2.062078280898829 seconds!
```
As you can see, it shows every password attempt, so if the correct one is in the middle of thousands of wrong ones, it could be nice to use this command:

```
python.exe KeePass-SB.py | find "Correct:"
```
keepass2john is a C program, so it could work on Windows, but I did not find any .exe for Windows (and I haven't tried to compile it) in John the Ripper 1.7.9 (Windows – binaries, ZIP, 2029 KB) or John the Ripper 1.7.9-jumbo-5 (Windows – binaries, ZIP, 3845 KB) from here.
It works with .kdb or .kdbx files and with john, but cannot use a keyfile. If we look at the source code, we discover that it's based on KeeCracker for .kdbx files.
```c
/* keepass2john utility (modified KeeCracker) written in March of 2012
 * by Dhiru Kholia. keepass2john processes input KeePass 1.x and 2.x
 * database files into a format suitable for use with JtR. This software
 * is Copyright (c) 2012, Dhiru Kholia and it
 * is hereby released under GPL license.
 *
 * KeePass 2.x support is based on KeeCracker - The KeePass 2 Database
 * Cracker, http://keecracker.mbw.name/
 *
 * KeePass 1.x support is based on kppy - A Python-module to provide
 * an API to KeePass 1.x files. http://gitorious.org/kppy/kppy
 * Copyright (C) 2012 Karsten-Kai König <firstname.lastname@example.org>
```
Commands on BT5R3:
```
cd /pentest/password/john
./keepass2john /root/Desktop/NewDatabase.kdb > file
./john -incremental:alpha -format=keepass file
Loaded 1 password hash (KeePass SHA-256 AES [32/32])
guesses: 0 time: 0:00:00:08 0.00% c/s: 406 trying: sendit
pass (/root/Desktop/NewDatabase.kdb)
guesses: 1 time: 0:00:01:43 DONE (Fri Jan 11 08:46:07 2013) c/s: 411 trying: pass
Use the "--show" option to display all of the cracked passwords reliably
```
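Each guess in the runs above costs as many key-transformation rounds as the database header specifies, so the round count is the value to check on your own database. The Python 3 code below is an added example, not code from the original post or from any of the three tools: it reads the format, cipher and round count from a .kdb or KDBX 3.x header; `inspect_header`, `sample_kdb` and `sample_kdbx` are hypothetical names, and the sample headers are constructed.

```python
import struct

SIG1 = 0x9AA2D903                          # first signature, shared by 1.x and 2.x
SIG2_KDB, SIG2_KDBX = 0xB54BFB65, 0xB54BFB67
KDB_CIPHER_FLAGS = {2: "AES", 8: "Twofish"}  # bits in the 1.x flags field

def inspect_header(data: bytes) -> dict:
    """Report format, cipher (1.x only) and key-transformation rounds."""
    if len(data) < 12:
        raise ValueError("too short for a KeePass header")
    sig1, sig2 = struct.unpack_from("<II", data, 0)
    if sig1 != SIG1 or sig2 not in (SIG2_KDB, SIG2_KDBX):
        raise ValueError("not a KeePass 1.x/2.x database")
    if sig2 == SIG2_KDB:                   # 1.x: fixed 124-byte header
        if len(data) < 124:
            raise ValueError("truncated .kdb header")
        flags = struct.unpack_from("<I", data, 8)[0]
        rounds = struct.unpack_from("<I", data, 120)[0]
        cipher = next((n for b, n in KDB_CIPHER_FLAGS.items() if flags & b), "unknown")
        return {"format": "kdb", "cipher": cipher, "rounds": rounds}
    minor, major = struct.unpack_from("<HH", data, 8)
    info = {"format": "kdbx", "version": f"{major}.{minor}", "rounds": None}
    pos = 12
    # KDBX 3.x fields are id(1) + length(2) + value; 4.x is laid out
    # differently and is not parsed here (rounds stays None).
    while major < 4 and pos + 3 <= len(data):
        field_id, size = struct.unpack_from("<BH", data, pos)
        value = data[pos + 3:pos + 3 + size]
        if len(value) != size:
            raise ValueError("truncated .kdbx header field")
        if field_id == 6 and size == 8:    # TransformRounds, 64-bit little-endian
            info["rounds"] = struct.unpack("<Q", value)[0]
        if field_id == 0:                  # end-of-header marker
            break
        pos += 3 + size
    return info

# Constructed sample headers (not real databases): seeds, IVs and hashes are zeroed.
def sample_kdb(rounds: int, flags: int = 0x03) -> bytes:
    return (struct.pack("<IIII", SIG1, SIG2_KDB, flags, 0x00030002)
            + bytes(104) + struct.pack("<I", rounds))

def sample_kdbx(rounds: int, major: int = 3, minor: int = 1) -> bytes:
    fields = [(4, bytes(32)), (6, struct.pack("<Q", rounds)), (0, b"\r\n\r\n")]
    body = b"".join(struct.pack("<BH", i, len(v)) + v for i, v in fields)
    return struct.pack("<IIHH", SIG1, SIG2_KDBX, minor, major) + body

if __name__ == "__main__":
    for blob in (sample_kdb(50), sample_kdbx(6000), sample_kdbx(0, major=4)):
        print(inspect_header(blob))
```

To check a real file, pass the first few hundred bytes of the database to `inspect_header`; a low round count means each guess is cheap, and raising it in the database settings slows every tool on this page proportionally.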
| Name | Support .kdb | Support .kdbx | Support keyfile | Can be used with john | Works on Windows | Works on Linux |
|---|---|---|---|---|---|---|
| keepass2john | yes | yes | no | yes | binary not found | yes |
So, if you need to crack KeePass without a keyfile, keepass2john is good. If you are trying to crack a .kdb with a keyfile, use KeePass-SB. If you want to crack a .kdbx file with a keyfile, code something!