Compromising Open Source Password Safes

2 minute read


I have been checking around a lot about the open source password safe and password managers. Out of many, 2 were the ones which always stood out and checking around in the community these are being used in the corporate environments as well.

The question that arises is when you are able to successfuly compromise your client machine during the approved assessment have you ever tried checking out which password manager they are using. Either licensed version or open source version.

Having these details in hand, have you ever tried cracking these password managers and used these for exfiltrating the data?

Well, both of the cases are valid and both can be achieved fairly very easy. As we all know well, that end users always use very basic passwords and well known passwords which are ofently part of well known password lists. Having one of the best list in hand or creating based on the client you are targeting, there are high chances you will be able to crack one of these password managers eventually leading you to the crown jewels.

We can not forget that even when the password managers are being used end users intend to have passwords saved in the normal files as well. So, dont forget to check about them.

In this article, we will go through two password managers named.

  1. KeePass
  2. PWSafe

Both of the password managers are open source and can be downloaded and installed in few steps.

While the location of the password vault file for both of the tools can be saved anywhere, normally you will find them under the Documents folder if installed with default settings.

Targeting PWSafe

Once you have PWSafe installed, simply create the file with known credentials Obvsiouly for the testing purposes. Move the file over to you system of choice and ensure JohnTheRipper is installed.

Using the file command we can confirm that the file is indeed a PWsafe Vault as it always ends with psafe3. Note there are other version of it as well, we are targeting the latest one.

Now, we simply need to use pwsafe2john and save the hashes into the file of our choice.

Finally, run the JohnTheRipper on the file and voilah we have cracked the hash of the vault, using the same password we can open the Vault File in the PWSafe in the desktop environment.

We can see that the password for the vault was set to admin.

Targeting KeePass

Similar to PWSafe we simply need to use keepass2john and then crack the hashes using JohnTheRipper or HashCat or any other tool of you choice.

In this case we can see that the password was set to princess1 for the KeePass vault.

Even though both of the software gives user an alert when insecure passwords are being set but it does not prevents them, so the users can still set the insecure passwords.

Thank you reading the article out!