mod0keecrack
Introduction
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. (Source: http://keepass.info/)
mod0keecrack is a simple tool to crack (brute-force) the passwords of KeePass 2 databases. It implements a parser for the KeePass 2 database file format (.kdbx), as well as the decryption routines needed to verify whether a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is brute-forcing a KeePass 2 database password.
mod0keecrack handles KeePass 2 databases that are encrypted with password-only, or with password and key-file.
There is no incremental or template-based brute-force algorithm for passphrase generation implemented yet. To use mod0keecrack, you need to generate your own wordlists or supply a wordlist via pipe/stdin. For example, you could use the john password cracker to generate wordlists and feed them directly into mod0keecrack via stdin. You can also pass a text file containing a wordlist on the command line.
Using wordlists is recommended, as a dumb incremental brute-force may take too long because of the cryptographic algorithms used by KeePass databases (SHA256 and many AES key-transformation rounds).
mod0keecrack is plain C and has no 3rd-party library dependencies on Windows, as it uses the Microsoft Cryptography API: Next Generation (CNG) framework. A platform-independent implementation could be done by simply porting crypto-ms.c to e.g. crypto-openssl.c.
Usage
To encrypt password databases, KeePass supports passwords, key files or a password and key file combination. To crack a password-only database, use mod0keecrack like this:
mod0keecrack <keepassx-file.kdbx> [wordlist.txt]
To crack a database that also uses a key file, use the command line as shown above, copy the key file to the same directory as the database and rename it to <databasename>.key. For example, if your KeePass database filename is lala.kdbx, you must copy the key file to lala.key within the same directory. If there is a corresponding .key file within the same directory, mod0keecrack always considers it as key-file input.
wordlist.txt is optional. If no wordlist is provided via command line argument, mod0keecrack reads a wordlist from stdin. If you want to generate a wordlist on the fly, you can use genwords.py as an example and use it like this:
genwords.py Secrets%04d! | mod0keecrack lala.kdbx
Example output of the last command line (lala.kdbx uses password AND keyfile lala.key):
mod0keecrack>genwords.py Secrets%04d! | mod0keecrack.exe lala.kdbx
[*] using db: lala.kdbx
[*] using key: lala.key
[*] kdbx header:
[-] file magic: 9aa2d903
[-] file identifier: b54bfb67
[-] file minor version: 0001
[-] file major version: 0003
[*] kdbx headerentries:
[-] END: 0D0A0D0A
[-] COMMENT:
[-] CIPHERID: 31C1F2E6BF714350BE5805216AFC5AFF
[-] COMPRESSIONFLAGS: 00000001
[-] MASTERSEED: BD5A62AC01FD27B040D98894A7FA306D0F9AED7A23E870DC1E36ECE31DA2526B
[-] TRANSFORMSEED: FFA6509325D87EDD8FAFA2A44C814F8846109FC1F7BCF2775F278C1C0CDF52A7
[-] TRANSFORMROUNDS: 00000000000186a0
[-] ENCRYPTIONIV: 40F71E30D138591E5F8AF4EDF1DB9EE0
[-] PROTECTEDSTREAMKEY: 27CA955DF72F13301E1A038404ADCA4D59E8DC26B30F8776E393F0F22568E13E
[-] STREAMSTARTBYTES: 76B99E10BE00334DDE830361A07FBA86845F39DD0DCBCEEE5102D6F41204B746
[-] INNERRANDOMSTREAMID: 00000002
[*] kdbx payload:
[-] payload offset: de
[-] payload len: 470
[*] Using keyfile lala.key
[+] key hash: A884B77F5E1ED180BDF95B988BD032247CE6A87893BB4CC5C0532407BC86FE3B
[*] kdbx crack:
[*] decryption successful with password Secrets2015!
mod0keecrack does not process the decrypted kdbx database payload. It simply tells you whether a database passphrase was right or wrong.
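The header dump above is what a KDBX 3.x outer-header parser recovers from the first bytes of the file, and it is the part of the format a defender can audit without any secret: the TRANSFORMROUNDS field decides how expensive every password guess is (each round is two AES-ECB block encryptions over the 32-byte composite key, so the 0x186a0 = 100000 rounds shown above cost 200000 AES block operations per candidate before the SHA256 steps). The following is an added Python example, not code from the mod0keecrack project: it reconstructs a header from the field values printed above (the sample bytes are constructed from them; the entry order and the absence of a COMMENT entry are assumptions), walks the ID/length/value entries until the END marker, and reports the payload offset and round count. The key-file lookup helper mirrors the <databasename>.key rule described in the Usage section.

```python
import os
import struct

# KDBX 3.x outer header: two 32-bit signatures, a 32-bit version (minor in the
# low 16 bits, major in the high 16 bits), then entries of the form
# <1 byte id><2 byte little-endian length><length bytes of data> up to id 0 (END).
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67
HEADER_IDS = {
    0: "END", 1: "COMMENT", 2: "CIPHERID", 3: "COMPRESSIONFLAGS",
    4: "MASTERSEED", 5: "TRANSFORMSEED", 6: "TRANSFORMROUNDS",
    7: "ENCRYPTIONIV", 8: "PROTECTEDSTREAMKEY", 9: "STREAMSTARTBYTES",
    10: "INNERRANDOMSTREAMID",
}
AES_CIPHER_ID = bytes.fromhex("31C1F2E6BF714350BE5805216AFC5AFF")  # AES-256-CBC
REQUIRED = ("MASTERSEED", "TRANSFORMSEED", "TRANSFORMROUNDS",
            "ENCRYPTIONIV", "STREAMSTARTBYTES")


def is_kdbx3(data: bytes) -> bool:
    """True if the buffer starts with the KDBX signatures and a major version of 3."""
    if len(data) < 12:
        return False
    sig1, sig2, _minor, major = struct.unpack_from("<IIHH", data, 0)
    return sig1 == KDBX_SIG1 and sig2 == KDBX_SIG2 and major == 3


def parse_kdbx3_header(data: bytes) -> dict:
    """Parse the outer header; returns the raw fields, the decoded round count
    and the offset at which the encrypted payload begins."""
    if not is_kdbx3(data):
        raise ValueError("not a KDBX 3.x file")
    _sig1, _sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    fields = {"minor": minor, "major": major}
    pos = 12
    while True:
        if pos + 3 > len(data):
            raise ValueError("truncated header entry")
        field_id, length = struct.unpack_from("<BH", data, pos)
        pos += 3
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated header entry data")
        pos += length
        name = HEADER_IDS.get(field_id)
        if name is None:
            raise ValueError(f"unknown header field id {field_id}")
        fields[name] = value
        if field_id == 0:  # END entry closes the header
            break
    for name in REQUIRED:
        if name not in fields:
            raise ValueError(f"missing header field {name}")
    if fields.get("CIPHERID") != AES_CIPHER_ID:
        raise ValueError("unexpected cipher id")
    fields["transform_rounds"] = struct.unpack("<Q", fields["TRANSFORMROUNDS"])[0]
    fields["payload_offset"] = pos
    return fields


def keyfile_path_for(db_path: str) -> str:
    """Path of the companion key file: <databasename>.key next to the database."""
    base, _ext = os.path.splitext(db_path)
    return base + ".key"


def _entry(field_id: int, value: bytes) -> bytes:
    return struct.pack("<BH", field_id, len(value)) + value


# Constructed sample header assembled from the values shown in the tool output
# (no COMMENT entry; entry order is an assumption).
SAMPLE_HEADER = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    + _entry(2, AES_CIPHER_ID)
    + _entry(3, struct.pack("<I", 1))  # 1 = gzip-compressed payload
    + _entry(4, bytes.fromhex("BD5A62AC01FD27B040D98894A7FA306D0F9AED7A23E870DC1E36ECE31DA2526B"))
    + _entry(5, bytes.fromhex("FFA6509325D87EDD8FAFA2A44C814F8846109FC1F7BCF2775F278C1C0CDF52A7"))
    + _entry(6, struct.pack("<Q", 0x186A0))  # 100000 transform rounds
    + _entry(7, bytes.fromhex("40F71E30D138591E5F8AF4EDF1DB9EE0"))
    + _entry(8, bytes.fromhex("27CA955DF72F13301E1A038404ADCA4D59E8DC26B30F8776E393F0F22568E13E"))
    + _entry(9, bytes.fromhex("76B99E10BE00334DDE830361A07FBA86845F39DD0DCBCEEE5102D6F41204B746"))
    + _entry(10, struct.pack("<I", 2))  # 2 = Salsa20 inner random stream
    + _entry(0, b"\r\n\r\n")
)

if __name__ == "__main__":
    hdr = parse_kdbx3_header(SAMPLE_HEADER)
    print(f"version {hdr['major']}.{hdr['minor']}, "
          f"transform rounds {hdr['transform_rounds']}, "
          f"payload offset {hdr['payload_offset']:x}")
    print("key file would be:", keyfile_path_for("lala.kdbx"))
```

The parser recovers a payload offset of 0xde for the constructed header, matching the "payload offset: de" line in the output above, which is a useful sanity check that the entry layout is right. Reading the round count this way, over a directory of .kdbx files, is a cheap way to find databases whose key transformation is set far below what current hardware warrants.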
Platforms
mod0keecrack is implemented in plain C and should compile and run on any platform once the crypto framework is ported to the target platform. Currently, the only platform-dependent code is implemented in three functions in crypto-ms.c. The first version uses the Microsoft CNG (bcrypt) framework for SHA256 and AES. It should be no issue to implement a platform-independent OpenSSL-based version of crypto-ms.c.
Building
To build mod0keecrack on Windows, open your Dev-command prompt and enter:
cl.exe /Femod0keecrack.exe helper.c mod0keecrack.c crypto-ms.c bcrypt.lib
Author and Legal Stuff
mod0keecrack was written by Thorsten (THS) Schroeder of modzero. You can get in touch with me e.g. via twitter: @__ths__