Kypass 3 entry lined out1/26/2024 ![]() Searching the KeyPromptForm.cs file, we can see a function called OnBtnOK. We’ll want to see if we can identify what happens when this gets submitted. I don’t know if this is right, but that’s what I’m going to call it. We can see in our prior screenshots, we’re looking at what I’m going to call the m_cbPassword struct. Right clicking it and selecting “View Code” will show us the source. It looks like KeyPromptForm.cs is what we’re after. Clicking the file in Visual Studio shows the compiled design, neat. Out of 1468 files we have 2 occurrences of “Master password:” in KeePass\Forms\ and KeePass\Forms\Ke圜 files. We’re going to use one of my favorite hot keys “Ctrl+Shift+F” to search all our files to find the string “Master Password”. RegEx support is awesome, super fast, it does everything I need it to and more. My favorite text editor in the whole world is… not VS Code but Sublime. This should help us easily find the UI form that should reference the name of some variable or struct we could use to siphon data. What we do know is the dialogue that KeePass prompts us for when we input our password: We’re going to use my favorite tactic called “Using some information we know to correlate things to information we don’t know!”. Reverse Engineering software is hard, I’ll be the first to say it, but oh boy is it a lot easier when the software you’re REing is FOSS! Fortunately for us it is. Take a guess at which ours is! Analyzing KeePass Notice the one on the left does not have a Digital Signatures tab and the one on the right does. If it doesn’t - Read the errors and make sure sgen is in the expected location.Īt this point, we should now have a working copy of KeePass that is not signed! Compilation should complete without Errors. Now you should be able to right click each project and select “Rebuild”. "$(FrameworkSDKDir)bin\sgen.exe" /assembly:"$(TargetPath)" /force /nologo /compiler I found it works with just these as arguments: This will also have some fun signature related stuff that may prevent us from compiling. This references a application called “sgen”. You should see “Post-build event command line”. In the KeePass project, select the “Build Events” tab. Repeat the process for each of the projects. A new window will open related to code signing: On the right side, you’ll see a tab called “Signing”. Right click a project and select “Properties”, a new window should appear: In the Solution Explorer window, you should have 3 projects. So, how can we remove the digital signature? This process is relatively simple, we just have to open the sln up in Visual Studio. I still think it would be fun to go through with this. digital signatures are very important and can be the difference in software running or software being quarantined by AV/EDR or even executing. Who even checks these things anyways! disclaimer, that is a joke. We’ll keep on pushing forward! Sure, it’s not really as cool as hijacking a DLL, hooking some APIs to spit out the password, but I’m not going to let a silly little signature stop me. That’s a problem… Will this derail our plan? Eh… I’m not going to let it. You can find the corresponding public keys in the Official KeePass distributions are signed with private keys. In order to unlock the private keys of the dummy PFX files, The ones with which the KeePass distributions are signed, these sln project, how nice! Included there’s also a ReadMe_PFX.txt file… How interesting… It reads:Īll projects contain dummy PFX files. This in theory should be relatively easy! KeePass is FOSS and even OSI certified so this should be a piece of cake! So, naturally the first step would be to acquire the source code which can be found at the bottom of KeePass’ downloads page. ![]() My original idea was to create a backdoored version of KeePass that would send a GET/POST request to an attacker controlled web server. Let’s dive into it :D Improvise, Adapt, Overcome ![]() In order to get the most out of this post, you should have some prior experience with C#, some basic knowledge of how Password Managers work and an adversarial mindset. This post will be broken down into 4 different sections: I’m sure there is, so that’s what I’ll be exploring in todays blog post. I’m sure there’d be a more stealthy way”. Then I thought “how classic, dumping memory. So - the other day I had my KeePass vault open and thought “Wow, if someone really wanted to, they could yoink my key right out of memory and have most of my passwords”. No idea how long this is going to take, but we’re going to run with it.įor those of you who don’t know, I’m now in an internal red team role, this let’s me get extra creative as I know our environment really well, for reference, I’ve worked at the company for 3~ years now and I’m still finding fun and creative ways to bonk people. August is swiftly coming to a close and I really wanted to try to get one more post out before the month closes.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |