Open source KeeFarce tool loots encrypted passwords stored in KeePass

Denis Andzakovic, a hacker and researcher with New Zealand-based security consultancy Security-Assessment.com, has released the source code for KeeFarce, a tool that can export all information stored in the database of a user’s KeePass password manager.

KeeFarce can only work as intended if the user is logged into the software, and leverages DLL injection to execute code within the context of a running KeePass process. It extracts the information stored in the open database – usernames, passwords, notes, URLs – and dumps it into a cleartext CSV file located on the system, which can later be exfiltrated by attackers.
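As an added defender-side example (not part of the article or of KeeFarce), the Python below flags the two observable signals that the description above implies: a remote thread created inside a running KeePass.exe process, and KeePass.exe itself writing a CSV file. The Sysmon-style key=value log lines, the event ID mapping and all paths are constructed for illustration; because KeePass has a legitimate CSV export, the second rule is only a low-confidence signal.

```python
"""Flag events consistent with code injection into a running KeePass process.

Added detection example; assumes Sysmon events (ID 8 = CreateRemoteThread,
ID 11 = FileCreate) flattened to key=value lines. All sample data is constructed.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    r"EventID=8 SourceImage=C:\Users\sysadmin\AppData\Local\Temp\loader.exe "
    r"TargetImage=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe StartFunction=LoadLibraryW",
    r"EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartFunction=",
    r"EventID=11 Image=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe "
    r"TargetFilename=C:\Users\sysadmin\AppData\Local\Temp\keepass_export.csv",
    r"EventID=11 Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "
    r"TargetFilename=C:\Users\sysadmin\Documents\budget.csv",
]

# Values may contain spaces (Windows paths), so a value runs until the next " Key=" or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line into a dict."""
    return {key: value for key, value in KV_RE.findall(line)}


def is_keepass(image: str) -> bool:
    """True if the image path names KeePass.exe (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower() == "keepass.exe"


def check_event(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (rule_name, detail) when the event matches a KeePass-targeting rule."""
    event_id = event.get("EventID")
    # Rule 1: another process created a thread inside KeePass (what DLL injection looks like).
    if event_id == "8" and is_keepass(event.get("TargetImage", "")):
        return ("remote_thread_in_keepass", event.get("SourceImage", ""))
    # Rule 2: the KeePass process wrote a .csv file (matches the tool's dump format;
    # legitimate exports also trigger this, so treat it as low confidence).
    target = event.get("TargetFilename", "")
    if event_id == "11" and is_keepass(event.get("Image", "")) and target.lower().endswith(".csv"):
        return ("keepass_wrote_csv", target)
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run both rules over every line and collect the findings in order."""
    return [hit for hit in (check_event(parse_event(line)) for line in lines) if hit]


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOGS):
        print(f"{rule}: {detail}")
```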

According to Andzakovic, who tested the password-extracting software on KeePass 2.28, 2.29 and 2.30 (the latest available version), running on Windows 8.1, both 32 and 64 bit, KeeFarce should also work on older Windows machines.

He says the software is perfect for penetration testers. “Say a penetration tester has achieved domain admin access to a network but also wants to obtain access to networking hardware, non-domain infrastructure, etc. The tester can compromise a sysadmin’s machine and use the tool to swipe the password details from the KeePass instance the sysadmin has open,” he told Ars Technica.

Unfortunately, nothing can stop bad guys from using it, too.

Lest you believe this is the death-knell for KeePass or other password managers, it’s important to know that as helpful as they are, all password managers are unlikely to withstand a targeted attack made with specialized software like KeeFarce (KeePass developers admitted as much).

But, in order to run this software, attackers must either already have access to the target machine, or trick users into giving them access by running malicious software such as remote access Trojans (RATs) or specialized spyware on their machines.

And if they gain access, your machine is not your machine anymore, and they can do pretty much what they want with it – security protections will not last long. So you can continue (or start) using a password manager, but protect your system with security software and be careful about the software you run on it, especially when it comes from untrusted parties.