Home / Bugs (Software and Hardware) / Anti-hacking tool got hacked, KeeFarce can break your KeePass password safe

Anti-hacking tool got hacked, KeeFarce can break your KeePass password safe

If you are a KeePass user like me, then beware. denandz just posted a tool in github that can break your KeePass password safe. Yeah, as they say, for the lulz, Anti-hacking tools (or teams like Hacking Team) are now getting hacked.

Rightly so, this tool is named KeeFarce. It allows extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url’s are dumped into a CSV file in %AppData% Hacking a hacking protection tool - blackMORE Ops

URL: https://github.com/denandz/KeeFarce

KeePass provides process memory protection that encrypts master password keys and other sensitive data when stored in computer memory. That system goes a long way to preventing malicious apps from scraping random access memory and retrieving the credentials. KeeFarce obtains passwords using a different technique, known as DLL injection. The injected dynamic link library code calls an existing KeePass export method to copy the contents of a currently open database to a CSV file. The resulting file contains user names, passwords, notes, and URLs all in cleartext.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

In order to run this software, attackers must either already have access to the target machine, or trick users into giving them access by running malicious software such as remote access Trojans (RATs) or specialized spyware on their machines.

And if they gain access, your machine is not your machine anymore, and they can do pretty much what they want with it – security protections will not last long. So you can continue (or start) using a password manager, but protect your system with security software and be careful about the software you run on it, especially when it comes from untrusted parties.

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target’s architecture (32 bit or 64 bit). Archives and their shasums can be found under the ‘prebuilt’ directory.
Executing

In order to execute on the target host, the following files need to be in the same folder:

  1. BootstrapDLL.dll
  2. KeeFarce.exe
  3. KeeFarceDLL.dll
  4. Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe

Building

Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit ‘build’. The results will be spat out into dist/$architecture. You’ll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.

Compatibility

KeeFarce has been tested on:

  • KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.

This should also work on older Windows machines (win 7 with a recent service pack). If you’re targeting something other than the above, then testing in a lab environment before hand is recommended.

Tools like KeeFarce reminds us that password managers could represent a single point of failure that could be exploited with severe repercussion by hackers.

Acknowledgements

  • Sharp Needle by Chad Zawistowski was used for the DLL injection tesh.
  • Code by Alois Kraus was used to get the pointer to object C# voodoo working.

Sources

  1. https://github.com/denandz/KeeFarce
  2. http://seclists.org/fulldisclosure/2015/Oct/106
  3. http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
  4. http://securityaffairs.co/wordpress/41665/hacking/keefarce-hacking-tool.html

Check Also

Steganography in Kali Linux - Hiding data in image - blackMORE Ops

Steganography in Kali Linux – Hiding data in image

Steganography is the practice of concealing a file, message, image, or video within another file, …

How to search exploits in metasploit - blackMORE Ops - 2

How to search exploits in metasploit?

Metasploit was created by H. D. Moore in 2003 as a portable network tool using …

3 comments

  1. So this won’t affect KeepassX (at least on Linux) since it doesn’t use .Net?

  2. This has been debated on and off among the KeePass community for quite some time (years). Use the version that doesn’t require .net or become an idiot and use a on-line password management service.

  3. I take it that an older version of KeePassX 1.x is not affected?

Leave a Reply

Your email address will not be published. Required fields are marked *