KeePass looter: Password plunderer rinses pwned sysadmins

'When you're owned, you're boned'


Kiwi hacker Denis Andzakovic has developed an application that steals password vaults from the popular local storage vault KeePass.

The punningly named KeeFarce works once a user has logged into their vault, and dumps its contents to a file that attackers can steal.

It is no death knell for KeePass or other password managers, but is an extra bow in the quiver of attackers capable of compromising a target's machine.

The Auckland-based researcher for Security-Assessment published KeeFarce to GitHub and the Full Disclosure mailing list, where it was first noticed by Ars Technica.

He told Vulture South it is most useful to penetration testers who need better access to a corporate network.

"One of the main uses of the tool is for penetration testers," Andzakovic says.

"If you imagine a pen tester compromised a domain and wants to compromise say non-domain infrastructure, and he knows the sysadmin runs keep, if he pops the box he can loot KeePass passwords."

KeeFarce works by leveraging DLL injection to export data, including usernames and passwords, from unlocked KeePass databases into a cleartext CSV file.
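A defender-side illustration, added here and not part of the article or of KeeFarce: the behaviour just described (a remote thread injected into an unlocked KeePass process, after which the code running inside that process writes a CSV file) can be correlated from Sysmon-style endpoint telemetry. The log records below are constructed; the field names follow Sysmon's CreateRemoteThread (event 8) and FileCreate (event 11) events, and the 30-second correlation window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Sysmon events 8 (CreateRemoteThread)
# and 11 (FileCreate); field names mirror Sysmon's, values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": "2015-11-02 10:00:01.000",
     "SourceImage": r"C:\Users\admin\Downloads\injector.exe",          # constructed
     "TargetImage": r"C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe"},
    {"EventID": 11, "UtcTime": "2015-11-02 10:00:03.500",
     "Image": r"C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe",
     "TargetFilename": r"C:\Users\admin\AppData\Local\Temp\keepass_export.csv"},
    # Benign: KeePass saving its own database, with no preceding remote thread.
    {"EventID": 11, "UtcTime": "2015-11-02 11:30:00.000",
     "Image": r"C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe",
     "TargetFilename": r"C:\Users\admin\Documents\vault.kdbx"},
]

WINDOW = timedelta(seconds=30)  # assumed tuning value: max gap between the two events


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _is_keepass(path):
    return path.lower().endswith("\\keepass.exe")


def detect_keepass_dump(events):
    """Alert when a remote thread is created in KeePass.exe and, within WINDOW,
    KeePass.exe then creates a .csv file: the injection-then-export pattern."""
    injections = [e for e in events
                  if e["EventID"] == 8 and _is_keepass(e["TargetImage"])]
    alerts = []
    for e in events:
        if e["EventID"] != 11 or not _is_keepass(e["Image"]):
            continue
        if not e["TargetFilename"].lower().endswith(".csv"):
            continue
        t = _ts(e["UtcTime"])
        for inj in injections:
            ti = _ts(inj["UtcTime"])
            if ti <= t <= ti + WINDOW:
                alerts.append({"injector": inj["SourceImage"],
                               "dump_file": e["TargetFilename"],
                               "at": e["UtcTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_keepass_dump(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Requiring the remote-thread event before the CSV write keeps a user's own File > Export in KeePass from firing the rule, since that produces no injection event.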

Andzakovic says KeePass and other password vaults are not at fault; rather, it indicates the risk to broader security of user data in the event of a compromise.

"If you're owned, you're boned."

KeePass says as much in its own security statements, which note that the program protects against generic keyloggers and the like.

In 2012 Andzakovic outfitted his Yamaha TRX 850 with cheap open-source Wi-Fi hacking kit, making it a mobile war-bike complete with a heads-up display. ®

Bootnote

An earlier version of this story referred to KeyPass, a similar but unrelated product.
