Posts Tagged ‘database’

tv crime2KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url’s are dumped into a CSV file in %AppData%.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target’s architecture (32 bit or 64 bit). Archives and their shasums can be found under the ‘prebuilt’ directory.


In order to execute on the target host, the following files need to be in the same folder:

  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe


Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit ‘build’. The results will be spat out into dist/$architecture. You’ll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.


KeeFarce has been tested on:
KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.
This should also work on older Windows machines (win 7 with a recent service pack). If you’re targeting something other than the above, then testing in a lab environment before hand is recommended.


Oracle suffered with serious vulnerability in the authentication protocol used by some Oracle databases. This Flaw enables a remote attacker to brute-force a token provided by the server prior to authentication and determine a user’s password.

Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the patch set, issuing a new version of the protocol. “But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable,” Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.

The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash.

There are no overt signs when an outsider has targeted the weakness, and attackers aren’t required to have “man-in-the-middle” control of a network to exploit it. “Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can’ t be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient.”

I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs.”

Because the vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous.