keepass2john
Description
keepass2john is a utility that extracts the password hash from KeePass database files (.kdbx). The extracted hash can then be cracked using hashcat or John the Ripper to recover the master password. This is useful when you find KeePass database files on compromised systems during post-exploitation.
Usage 1: Extract Hash from KeePass Database
Extract the password hash from a .kdbx KeePass database file and save it to a text file.
Command:
keepass2john database.kdbx > keepasshash.txt
Usage 2: Crack the Hash with Hashcat
After extracting the hash, use hashcat with a wordlist and rules to crack the KeePass master password. The hash mode for KeePass is 13400.
Command:
hashcat keepasshash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule -m 13400
Usage 3: Find KeePass Database Files on Windows
Before using keepass2john, locate .kdbx files on the compromised system.
Command:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
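Added example (not part of the original page or of the keepass2john project): the hash that keepass2john extracts carries the key-transformation round count from the database header, and that count sets the cost of every master-password guess. This sketch reads the round count straight from a .kdbx header so it can be audited. The function names, the MIN_ROUNDS threshold and the sample header are assumptions made for illustration; the KDBX 4 KDF dictionary is detected but not decoded.

```python
import struct

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67           # KDBX (KeePass 2.x) file signatures
END, TRANSFORM_ROUNDS, KDF_PARAMS = 0, 6, 11  # header field ids read here
MIN_ROUNDS = 600_000  # assumed policy threshold, not a KeePass constant


def kdbx_kdf_info(data: bytes) -> dict:
    """Read the outer header of a .kdbx file and report its KDF cost settings."""
    if len(data) < 12:
        raise ValueError("too short for a KDBX header")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KeePass 2.x (KDBX) database")
    info = {"version": f"{major}.{minor}", "aes_kdf_rounds": None,
            "kdf_params_field": False}
    # KDBX 3 stores each field length in 2 bytes, KDBX 4 in 4 bytes.
    len_fmt, len_size = ("<H", 2) if major < 4 else ("<I", 4)
    pos = 12
    while True:
        if pos + 1 + len_size > len(data):
            raise ValueError("truncated header")
        field_id = data[pos]
        (length,) = struct.unpack_from(len_fmt, data, pos + 1)
        pos += 1 + len_size
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated header field")
        pos += length
        if field_id == END:
            break
        if field_id == TRANSFORM_ROUNDS and length == 8:
            info["aes_kdf_rounds"] = struct.unpack("<Q", value)[0]
        elif field_id == KDF_PARAMS:
            info["kdf_params_field"] = True  # KDBX 4 dictionary, not decoded here
    rounds = info["aes_kdf_rounds"]
    info["below_policy"] = rounds is not None and rounds < MIN_ROUNDS
    return info


def sample_header(rounds: int) -> bytes:
    """Constructed KDBX 3.1 header holding only the fields parsed above."""
    def field(fid: int, value: bytes) -> bytes:
        return struct.pack("<BH", fid, len(value)) + value
    return (struct.pack("<IIHH", SIG1, SIG2, 1, 3)
            + field(4, bytes(32))                    # master seed (zeros)
            + field(5, bytes(32))                    # transform seed (zeros)
            + field(6, struct.pack("<Q", rounds))    # transform rounds
            + field(0, b"\r\n\r\n"))                 # end of header
```

To audit a real database, pass the first few kilobytes of the file, for example kdbx_kdf_info(open(path, "rb").read(4096)).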