LabEx
Log InJoin Free

Crack a KeePass KDBX Database Password

Kali LinuxBeginner
Practice Now

Introduction

KeePass is a popular open-source password manager that helps you to manage your passwords in a secure way. It stores passwords in an encrypted database file, typically with a .kdbx extension. While highly secure, the strength of the database's protection relies heavily on the master password chosen by the user.

In this lab, you will step into the role of a security analyst to test the strength of a KeePass database password. You will learn the fundamental process of password cracking for ethical and educational purposes. We will use keepass2john, a tool from the John the Ripper suite, to extract the password hash from a sample .kdbx file, and then use hashcat, a powerful password recovery tool, to crack it using a dictionary attack.

This hands-on experience will demonstrate how attackers can exploit weak passwords and will underscore the importance of using strong, complex master passwords.

Create a Sample KeePass Database with a Simple Password

In this step, we will create a target KeePass database. To perform a password cracking test, we first need a .kdbx file to work with. We will use the KeePass application to create a new database and protect it with a simple, easy-to-guess password for demonstration purposes.

First, launch the KeePass application by typing its name in the terminal.

keepass2

This will open the KeePass graphical user interface. Now, follow these steps to create the database:

  1. In the KeePass window, go to the menu and click File -> New....
  2. A "Create New Password Database" window will appear. Click OK to proceed.
  3. You will be prompted to save the new database file. Navigate to the /home/labex/project directory, name the file MySecrets.kdbx, and click Save.
  4. Next, the "Create Master Key" window will appear. This is where you set the master password for the database. For this lab, enter password123 in the "Master password" field and repeat it in the "Repeat password" field. Click OK.
  5. The "New Password Database - Step 2" window will appear. You can keep the default settings. Click OK.
  6. Your new, empty database is now created and open. You can optionally add a sample entry, but it's not required for this lab.
  7. Finally, close the KeePass application by clicking File -> Exit.

You should now have a file named MySecrets.kdbx in your ~/project directory. You can verify its existence with the ls command.

ls -l ~/project

You should see MySecrets.kdbx listed in the output.

Use keepass2john to Extract the Hash

In this step, we will extract the password hash from the MySecrets.kdbx file. Password cracking tools like hashcat do not work directly on the database file itself. Instead, they operate on a "hash," which is a cryptographic representation of the master password.

We will use keepass2john, a utility included with the John the Ripper password cracker suite, to convert the KeePass database's key information into a format that hashcat can understand.

Open your terminal and run the following command. This command reads the MySecrets.kdbx file and outputs the corresponding hash, which we redirect and save into a new file named keepass.hash.

keepass2john ~/project/MySecrets.kdbx > ~/project/keepass.hash

This command will not produce any visible output in the terminal because the output has been redirected to the keepass.hash file. To see the contents of the newly created hash file, use the cat command:

cat ~/project/keepass.hash

The output will be a single long line of text that looks something like this:

MySecrets:$keepass$*2*6000*0*b1b5b8a8a5b8a8a5b8a8a5b8a8a5b8a8*...*...

This string is the hash. It contains all the necessary information for hashcat to attempt to crack the password, including the encryption algorithm, salt, and the encrypted master key.

Identify the Correct Hashcat Mode for KeePass

In this step, we will determine the correct mode for hashcat to use when cracking our KeePass hash. hashcat is an extremely versatile tool that supports hundreds of different types of hashes, from operating system passwords to application-specific formats.

To work correctly, we must explicitly tell hashcat what kind of hash we are providing. This is done by specifying a numeric mode using the -m flag. To find the mode number for KeePass, we can search through hashcat's help documentation.

Run the following command in your terminal. It pipes the full help output of hashcat into grep, which then filters for lines containing the word "keepass".

hashcat --help | grep -i keepass

The -i flag in grep makes the search case-insensitive. The output will show you the relevant modes:

13400 | KeePass 1 (AES/Twofish) / KeePass 2 (AES)             | Password Managers

From this output, we can see that the mode for KeePass 1 and 2 databases is 13400. This is the number we will need in the final step to launch our attack.

Prepare a Wordlist for the Attack

In this step, we will prepare a wordlist for our dictionary attack. A dictionary attack (or wordlist attack) is a method where the cracking tool tries every word from a pre-compiled list as a potential password. The success of this attack depends entirely on whether the correct password is included in the list.

In real-world scenarios, attackers use massive wordlists containing millions or even billions of common passwords. For this lab, we will create a very small, custom wordlist to ensure the cracking process is fast and successful. Most importantly, we will include the correct password, password123, in our list.

Use the nano text editor to create a new file named wordlist.txt.

nano ~/project/wordlist.txt

Once nano opens, type the following passwords into the editor, each on a new line:

password
123456
password123
qwerty
labex

After typing the words, save the file and exit nano by pressing Ctrl+X, then Y to confirm, and finally Enter.

We now have our wordlist ready for hashcat to use.

Launch the Attack and Recover the Master Password

In this final step, we will bring everything together and launch the password cracking attack with hashcat. We have the hash file (keepass.hash), the correct hash mode (13400), and our custom wordlist (wordlist.txt).

Now, execute the following command in your terminal to start the attack:

hashcat -m 13400 -a 0 ~/project/keepass.hash ~/project/wordlist.txt

Let's break down this command:

  • hashcat: The program we are running.
  • -m 13400: Specifies the hash mode for KeePass 2, which we identified in a previous step.
  • -a 0: Specifies the attack mode. Mode 0 is a "Straight" or dictionary attack.
  • ~/project/keepass.hash: The path to our file containing the target hash.
  • ~/project/wordlist.txt: The path to our wordlist.

hashcat will initialize and start testing the passwords from your wordlist. Since our list is very short and contains the correct password, the process will be very quick. You will see status updates, and soon the process will finish.

Once the attack is complete, hashcat stores the found passwords in a file called a "potfile". To view the cracked password, you can run the same command again with the --show flag.

hashcat -m 13400 -a 0 ~/project/keepass.hash ~/project/wordlist.txt --show

This command will instantly display the cracked hash and its corresponding password:

MySecrets:$keepass$*2*6000*0*...:password123

The output clearly shows the original hash followed by a colon and the recovered password: password123. Congratulations, you have successfully cracked the KeePass database password!

Summary

In this lab, you successfully performed a dictionary attack to recover the master password of a KeePass KDBX database.

You learned a complete, practical workflow for password auditing, which included:

  1. Creating a sample KeePass database with a weak password.
  2. Using keepass2john to extract the password hash into a format suitable for cracking.
  3. Identifying the correct hash mode (13400) in hashcat for KeePass databases.
  4. Preparing a custom wordlist containing potential passwords.
  5. Launching the attack with hashcat and successfully recovering the password.

This exercise highlights a critical security principle: the security of an entire password database is only as strong as its master password. Using simple, common, or guessable passwords makes them vulnerable to dictionary attacks, even when protected by strong encryption. Always use long, complex, and unique master passwords for your password managers.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux