
Anti-Hacking Tool Got Hacked: KeeFarce Can Break Your KeePass Password Safe

If you are a KeePass user like me, then beware. denandz just posted a tool on GitHub that can break open your KeePass password safe. Yeah, as they say, for the lulz: anti-hacking tools (or teams like Hacking Team) are now getting hacked themselves.


Fittingly, the tool is named KeeFarce. It extracts KeePass 2.x password database information from the memory of a running KeePass process. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.


URL: https://github.com/denandz/KeeFarce


KeePass provides process memory protection that encrypts the master key and other sensitive information while they are held in memory. That goes a long way towards preventing malicious apps from scraping RAM and retrieving the credentials. KeeFarce does not try to defeat that encryption; it uses a different technique, DLL injection. The injected dynamic link library runs inside the KeePass process and calls KeePass's own export method to copy the contents of the currently opened database to a CSV file. Because the export runs with the database already unlocked, the resulting file contains usernames, passwords, notes and URLs in cleartext.


General Design


KeeFarce uses DLL injection to execute code inside the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime inside the appropriate app domain, which then executes KeeFarceDLL.dll (the main C# payload).


KeeFarceDLL uses CLRMD to find the necessary object on the KeePass process's heap, locates the pointers to the required sub-objects (using offsets), and uses reflection to invoke an export method.


In order to run this software, attackers must either already have access to the target machine, or trick users into giving them access by running malicious software such as a remote access Trojan (RAT) or specialised spyware on their machines.


And once they have that access, your machine is not your machine anymore: they can do pretty much what they want with it, and local security protections will not last long. So you can keep on (or start) using a password manager, but protect your system with security software and be careful about the software you run on it, especially when it comes from untrusted parties.
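The DLL-injection design above leaves a recognisable trail on the host: a remote thread created in KeePass.exe by another process, unsigned DLLs loaded into KeePass from a user-writable directory, and KeePass itself writing a CSV file under %AppData%. The following detection sketch is an added example written for this page; it is not part of KeeFarce or KeePass. The event records are constructed to resemble Sysmon fields (EventID 8 CreateRemoteThread, 7 ImageLoaded, 11 FileCreate), the KeePass install path and the CSV file name are assumptions, and the "Signed" field stands in for whatever signature verdict your telemetry provides.

```python
"""Detect KeeFarce-style DLL injection into KeePass from Sysmon-like events.

Added example for this page; not KeeFarce or KeePass code. The sample
events below are constructed, not captured from a real host.
"""
import ntpath
import re

KEEPASS_EXE = "keepass.exe"

# Assumption: directories KeePass is expected to load modules from. Adjust to
# your install location; KeeFarce's payload DLLs sit wherever the attacker
# dropped KeeFarce.exe, which is rarely one of these.
TRUSTED_DLL_DIRS = (
    "c:\\program files\\keepass password safe 2\\",
    "c:\\windows\\",
)

# Constructed sample events (Sysmon-like key=value lines). Event 1 is the
# injection, events 2-3 are the bootstrap and C# payload loading into KeePass,
# event 4 is the cleartext CSV export landing in %AppData%. Events 0 and 5 are
# benign controls: a system DLL load and KeePass writing its own config file.
SAMPLE_EVENTS = [
    r'EventID=7 Image="C:\Program Files\KeePass Password Safe 2\KeePass.exe" ImageLoaded="C:\Windows\System32\kernel32.dll" Signed=true',
    r'EventID=8 SourceImage="C:\Users\alice\Downloads\KeeFarce.exe" TargetImage="C:\Program Files\KeePass Password Safe 2\KeePass.exe" StartFunction="LoadLibraryW"',
    r'EventID=7 Image="C:\Program Files\KeePass Password Safe 2\KeePass.exe" ImageLoaded="C:\Users\alice\Downloads\BootstrapDLL.dll" Signed=false',
    r'EventID=7 Image="C:\Program Files\KeePass Password Safe 2\KeePass.exe" ImageLoaded="C:\Users\alice\Downloads\KeeFarceDLL.dll" Signed=false',
    r'EventID=11 Image="C:\Program Files\KeePass Password Safe 2\KeePass.exe" TargetFilename="C:\Users\alice\AppData\Roaming\export.csv"',
    r'EventID=11 Image="C:\Program Files\KeePass Password Safe 2\KeePass.exe" TargetFilename="C:\Users\alice\AppData\Roaming\KeePass\KeePass.config.xml"',
]


def parse_event(line):
    """Parse one 'Key=value Key="quoted value"' record into a dict."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields


def is_keepass(path):
    """True if the image path names the KeePass executable."""
    return ntpath.basename(path or "").lower() == KEEPASS_EXE


def in_trusted_dir(path):
    return any((path or "").lower().startswith(d) for d in TRUSTED_DLL_DIRS)


def evaluate(event):
    """Return (severity, rule, detail) for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == "8" and is_keepass(event.get("TargetImage")):
        # Another process started a thread inside KeePass: the injection itself.
        return ("critical", "remote_thread_into_keepass",
                f"{event.get('SourceImage')} created a thread in KeePass "
                f"(start function {event.get('StartFunction', '?')})")
    if eid == "7" and is_keepass(event.get("Image")):
        # Unsigned module, or one loaded from outside the expected directories.
        dll = event.get("ImageLoaded", "")
        if event.get("Signed", "").lower() != "true" or not in_trusted_dir(dll):
            return ("high", "untrusted_module_in_keepass", f"KeePass loaded {dll}")
    if eid == "11" and is_keepass(event.get("Image")):
        # KeePass writing a CSV is the export method being driven to dump data.
        target = event.get("TargetFilename", "")
        if target.lower().endswith(".csv"):
            return ("high", "keepass_csv_write", f"KeePass wrote {target}")
    return None


def detect(lines):
    """Run every rule over the event lines and collect the findings."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The remote-thread rule alone is the strongest signal, since a legitimate KeePass session has no reason to receive a thread from another process; the module-load and CSV rules are there so that an injector which avoids CreateRemoteThread (or a telemetry gap) still leaves a hit. Expect the CSV rule to fire on genuine user-initiated exports, so correlate it with the other two before paging anyone.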


Prebuilt Packages


An appropriate build of KeeFarce needs to be used depending on the architecture of the target KeePass process (32-bit or 64-bit). Archives and their shasums can be found under the 'prebuilt' directory.

Executing


In order to execute on the target host, the following files need to be in the same folder:



  1. BootstrapDLL.dll

  2. KeeFarce.exe

  3. KeeFarceDLL.dll

  4. Microsoft.Diagnostic.Runtime.dll


Copy these files across to the target and execute KeeFarce.exe.


Building


Open KeeFarce.sln with Visual Studio (note: development was done on Visual Studio 2015) and hit 'build'. The results will be spat out into dist/$architecture. You'll have to copy the KeeFarceDLL.dll and Microsoft.Diagnostic.Runtime.dll files into that folder before executing, as these are architecture independent.


Compatibility


KeeFarce has been tested on:



  • KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.


This should also work on older Windows machines (Windows 7 with a recent service pack). If you're targeting something other than the above, testing in a lab environment beforehand is recommended.


Tools like KeeFarce remind us that a password manager is a single point of failure: once the unlocked database can be reached from inside the process, everything in it is exposed at once, with severe repercussions.


Acknowledgements



  • Sharp Needle by Chad Zawistowski was used for the DLL injection technique.

  • Code by Alois Kraus was used to get the pointer-to-object C# voodoo working.


Sources



  1. https://github.com/denandz/KeeFarce

  2. http://seclists.org/fulldisclosure/2015/Oct/106

  3. http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/

  4. http://securityaffairs.co/wordpress/41665/hacking/keefarce-hacking-tool.html

