Bruteforce a KeePass file

February 12th, 2013 | Posted by Cervoise in English

I was looking for a KeePass brute forcer. Google gave me two: KeeCracker and Keepass Self-Bruteforce (Keepass-SB). BackTrack gave me one more: keepass2john.

First, what’s KeePass?

This is from keepass.info

Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

What am I looking for?

I’m looking for a tool for UNIX and Windows that can brute force .kdb or .kdbx files with John, with or without a keyfile. I’m not interested (yet) in KeePass files using a Windows account. All tests are run against a .kdb or .kdbx file with “pass” as the password. So, when john is used, the -incremental:alpha option will be chosen.

KeeCracker

Source: http://keecracker.mbw.name/

It’s a C# tool (for Windows) for cracking .kdbx files, using a wordlist or john. It doesn’t work if the database uses a keyfile.

KeeCracker.exe --help gives some info:

KeeCracker, Version=0.1.0.0, Culture=neutral, PublicKeyToken=null
Usage: KeeCracker [OPTIONS] <database_path>
  -w, --wordlist=VALUE       Path to a wordlist or "-" without the quotes for
                               standard in (stdin).
  -t, --threads=VALUE        Number of threads to use.
  -h, -?, --help             Show this help.
Examples:
  KeeCracker -t4 -w KeePassDb.kdbx
  john --incremental --stdout | KeeCracker -w - KeePassDb.kdbx

Result with a wordlist: KeeCracker.exe -w wordlist.txt database.kdbx

Password cracked!
Password: password

Result with john: john --incremental --stdout | KeeCracker -w - database.kdbx
Be careful, john doesn’t stop when KeeCracker has found the password.

Rate: 451,8 per second	Last Candidate: beavar
Rate: 538,4 per second	Last Candidate: moung
Rate: 521,5 per second	Last Candidate: ccj
Rate: 537,7 per second	Last Candidate: matrest
Rate: 510,2 per second	Last Candidate: cheely
Rate: 508,3 per second	Last Candidate: sherlina
Rate: 510,8 per second	Last Candidate: trub
Rate: 530,0 per second	Last Candidate: bobg
Rate: 481,8 per second	Last Candidate: marierso
Rate: 550,5 per second	Last Candidate: mornalla
Rate: 559,2 per second	Last Candidate: tull
Rate: 577,5 per second	Last Candidate: magino
Rate: 588,3 per second	Last Candidate: dli
Rate: 579,0 per second	Last Candidate: biller
Rate: 589,7 per second	Last Candidate: braman
Rate: 584,5 per second	Last Candidate: arcmse
Rate: 575,3 per second	Last Candidate: ambjdk
Rate: 593,7 per second	Last Candidate: cleuel
Rate: 588,9 per second	Last Candidate: brearo
Rate: 430,5 per second	Last Candidate: rvc
Rate: 550,3 per second	Last Candidate: suchawk
Rate: 573,3 per second	Last Candidate: crackin
Rate: 577,9 per second	Last Candidate: maybe
Rate: 563,7 per second	Last Candidate: shamike
Rate: 558,5 per second	Last Candidate: comanth
Password cracked!
Password: pass

Keepass Self-Bruteforcer

Source: http://blog.q-protex.com/2010/03/14/keepass-self-bruteforce/

It’s a Python script (written for 2.6.4, but it works with 2.7.2) using winappdbg-1.3.win32 (http://pypi.python.org/pypi/winappdbg/1.3). It can only be used on Windows. It works with .kdb files, with or without a keyfile.

There is no command line interface, so you should edit the code or rename your file in order to use this tool.

#Specify a dictionary here
words = open('dic.txt', "r").readlines()
print "[+] Words Loaded: ",len(words)

#Specify a key file
keyfile = "pwsafe.key"

    if os.path.isfile(keyfile):
        print "[+] Keyfile Loaded: '" + keyfile + "'"
        aProcess = debug.execv( ['KeePass.exe', 'Database.kdb', '-keyfile:' + keyfile, '-pw:'.ljust(WORD_SIZE+4)])
    else:
        print "[+] Specified keyfile '" + keyfile + "' does not exist, ignoring argument"
        aProcess = debug.execv( ['KeePass.exe', 'Database.kdb', '-pw:'.ljust(WORD_SIZE+4)])

Launch the script with: python.exe KeePass-SB.py

[+] Words Loaded:  39
[+] Specified keyfile 'pwsafe.key' does not exist, ignoring argument
Counter: 0 - Incorrect: a
Counter: 1 - Incorrect: a&a
Counter: 2 - Incorrect: a&b
Counter: 3 - Incorrect: a&bqvant
Counter: 4 - Incorrect: a&c
Counter: 5 - Incorrect: a&d
Counter: 6 - Incorrect: a&dwsod
Counter: 7 - Incorrect: a&e
Counter: 8 - Incorrect: a&f
Counter: 9 - Incorrect: a&g
Counter: 10 - Incorrect: a&i
Counter: 11 - Incorrect: a&k
Counter: 12 - Incorrect: a&m
Counter: 13 - Incorrect: a&nv
Counter: 14 - Incorrect: a&nxm
Counter: 15 - Incorrect: a&o
Counter: 16 - Incorrect: A&P
Counter: 17 - Incorrect: a&r
Counter: 18 - Incorrect: a&t
Counter: 19 - Incorrect: a&w
Counter: 20 - Incorrect: a&wxn
Counter: 21 - Incorrect: a&x
Counter: 22 - Incorrect: a'
Counter: 23 - Incorrect: a'-level
Counter: 24 - Incorrect: a'a
Counter: 25 - Incorrect: a'aliyah
Counter: 26 - Incorrect: a'b
Counter: 27 - Incorrect: a'c
Counter: 28 - Incorrect: a'clock
Counter: 29 - Incorrect: a'comin
Counter: 30 - Incorrect: a'd
Counter: 31 - Incorrect: a'daire
Counter: 32 - Incorrect: a'dam
Counter: 33 - Incorrect: a'dayami
Counter: 34 - Incorrect: a'dees
Counter: 35 - Incorrect: a'delle
Counter: 36 - Incorrect: a'derin
Counter: 37 - Incorrect: 123
Counter: 38 - Correct: pass
Finished in 2.062078280898829 seconds!

As you can see, it shows every password attempt, so if the correct one is buried among thousands of incorrect ones, it can be useful to run: python.exe KeePass-SB.py | find "Correct:"

keepass2john

I didn’t find any official website, but I found the info here and the code here.

It’s a C program, so it could work on Windows, but I did not find any .exe for Windows (and I haven’t tried to compile it) in John the Ripper 1.7.9 (Windows – binaries, ZIP, 2029 KB) or John the Ripper 1.7.9-jumbo-5 (Windows – binaries, ZIP, 3845 KB) from here.

It works with .kdb or .kdbx files and with john, but cannot use a keyfile. If we look at the source code, we discover that it’s based on KeeCracker for .kdbx files.

/* keepass2john utility (modified KeeCracker) written in March of 2012
* by Dhiru Kholia. keepass2john processes input KeePass 1.x and 2.x
* database files into a format suitable for use with JtR. This software
* is Copyright (c) 2012, Dhiru Kholia  and it
* is hereby released under GPL license.
*
* KeePass 2.x support is based on KeeCracker - The KeePass 2 Database
* Cracker, http://keecracker.mbw.name/
*
* KeePass 1.x support is based on kppy - A Python-module to provide
* an API to KeePass 1.x files. http://gitorious.org/kppy/kppy
* Copyright (C) 2012 Karsten-Kai König <kkoenig@posteo.de>

Commands on BT5R3:

cd /pentest/password/john
./keepass2john /root/Desktop/NewDatabase.kdb > file
./john -incremental:alpha -format=keepass file

Loaded 1 password hash (KeePass SHA-256 AES [32/32])
guesses: 0  time: 0:00:00:08 0.00%  c/s: 406  trying: sendit
pass             (/root/Desktop/NewDatabase.kdb)
guesses: 1  time: 0:00:01:43 DONE (Fri Jan 11 08:46:07 2013)  c/s: 411  trying: pass
Use the "--show" option to display all of the cracked passwords reliably
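
The c/s figures above are bounded by the key-transformation round count stored in the database header, so reading that value from your own database shows how expensive each guess against it is. The following is an added example, not code from the original post or from the tools it reviews; it reads the round count from .kdb and KDBX 3.x headers. The sample headers are constructed, and the names keepass_header_info and field are chosen here for illustration.

```python
import struct

SIG1 = 0x9AA2D903
SIG2_KDB = 0xB54BFB65    # KeePass 1.x (.kdb)
SIG2_KDBX = 0xB54BFB67   # KeePass 2.x (.kdbx)
KDBX_END, KDBX_ROUNDS = 0, 6   # KDBX 3.x header field ids

def keepass_header_info(data):
    """Return (format, key-transformation rounds) from the first bytes of a database."""
    if len(data) < 12:
        raise ValueError("too short for a KeePass header")
    sig1, sig2 = struct.unpack_from("<II", data, 0)
    if sig1 != SIG1:
        raise ValueError("not a KeePass database")
    if sig2 == SIG2_KDB:
        # Fixed 124-byte header; the round count is the last 32-bit field.
        if len(data) < 124:
            raise ValueError("truncated .kdb header")
        return "kdb", struct.unpack_from("<I", data, 120)[0]
    if sig2 != SIG2_KDBX:
        raise ValueError("unknown KeePass signature")
    minor, major = struct.unpack_from("<HH", data, 8)
    if major > 3:
        raise ValueError("KDBX %d.x stores KDF parameters differently" % major)
    pos = 12
    while pos + 3 <= len(data):
        # Each field: 1-byte id, 2-byte little-endian length, then the value.
        field_id, length = struct.unpack_from("<BH", data, pos)
        value = data[pos + 3:pos + 3 + length]
        if len(value) != length:
            break
        if field_id == KDBX_ROUNDS and length == 8:
            return "kdbx", struct.unpack("<Q", value)[0]
        if field_id == KDBX_END:
            break
        pos += 3 + length
    raise ValueError("TransformRounds field not found")

def field(field_id, value):
    return struct.pack("<BH", field_id, len(value)) + value

# Constructed sample headers (not real databases): zero-filled seeds, 6000 rounds.
SAMPLE_KDB = struct.pack("<IIII", SIG1, SIG2_KDB, 3, 0x00030002) + bytes(104) + struct.pack("<I", 6000)
SAMPLE_KDBX = (struct.pack("<IIHH", SIG1, SIG2_KDBX, 1, 3)
               + field(4, bytes(32)) + field(5, bytes(32))
               + field(6, struct.pack("<Q", 6000)) + field(0, b"\r\n\r\n"))

if __name__ == "__main__":
    print(keepass_header_info(SAMPLE_KDB), keepass_header_info(SAMPLE_KDBX))
```

To check a real file, pass the first few hundred bytes read in binary mode; a higher round count lowers the guess rate proportionally.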

Conclusion

Name                     | Supports .kdb | Supports .kdbx | Supports keyfile | Can be used with john | Works on Windows | Works on Linux
KeeCracker               | no            | yes            | no               | yes                   | yes              | no
Keepass Self-Bruteforcer | yes           | no             | yes              | no                    | yes              | no
keepass2john             | yes           | yes            | no               | yes                   | binary not found | yes

So, if you need to crack a KeePass file without a keyfile, keepass2john is good. If you are trying to crack a .kdb with a keyfile, use KeePass-SB. If you want to crack a .kdbx file with a keyfile, code something!
