> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/offline-cracking/archive/password-attack-offline-cracking-keepass.md).

# Keepass

## Convert Keepass Database to Hashcat Format

Use `keepass2john` to extract the crackable hash from a Keepass KDBX database file (`.kdbx` or `.db`). Pipe the output directly to a file for use with offline cracking tools like Hashcat or John the Ripper.

```bash
keepass2john [database_file] > [output_hash_file]
```

This command extracts a hash representation of the database's master key, allowing for offline brute-force or dictionary attacks against the password or key file protecting the Keepass database.

To obtain `keepass2john`, you can install it on Kali, Debian, or Ubuntu systems using apt:

```bash
sudo apt install keepass2john
```

Alternatively, you can build it from source:

```bash
git clone https://github.com/ivanmrsulja/keepass2john.git
cd keepass2john
make
```

If running on Windows, the Python script can be executed directly:

```bash
python keepass2john.py <keepass.kdbx>
```

Once installed, the command to extract the hash from a KDBX file and save it to a file is straightforward. Here are some examples:

```bash
keepass2john database.kdbx > hash.txt
```

```bash
keepass2john <path_to_your_kdbx_file> > keepass_hash.txt
```

```bash
keepass2john ./keepass.kdbx > ./keepass.hash
```

After extracting the hash into a file (e.g., `hash.txt` or `keepass.hash`), you can use password cracking tools.

For cracking with John the Ripper, specify the hash file and a wordlist:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

```bash
john database.hash --wordlist=/opt/wordlists/rockyou.txt
```

Alternatively, using Hashcat, you need to specify the correct mode for KeePass, which is `13400`. You can then provide the hash file and a wordlist:

```bash
hashcat -m 13400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```

```bash
hashcat -m 13400 database.hash /opt/wordlists/rockyou.txt -O
```

```bash
hashcat -m 13400 -a 0 ./keepass.hash /usr/share/wordlists/rockyou.txt
```

The `-a 0` flag specifies a straight dictionary attack.

***

## Crack Keepass Database Hash with Hashcat

To crack a Keepass KDBX database hash offline with Hashcat, use hash mode 13700, which is specific to Keepass KDBX v3/v4. Provide the file containing the extracted hash and a wordlist.

Before cracking, the hash must be extracted from the KDBX file. A common tool for this is `keepass2john.py`. This script takes the KDBX file as input and outputs the hash in a format suitable for John the Ripper or Hashcat.

```bash
python3 keepass2john.py database.kdbx > hash.txt
```

or

```bash
./keepass2john.py database.kdbx > hash.txt
```

This command reads the `database.kdbx` file and redirects the extracted hash into `hash.txt`.

Once the hash is extracted into a file (e.g., `hash.txt`), you can use Hashcat with mode 13700 for a dictionary attack.

```bash
hashcat -m 13700 [hash_file] [wordlist_file]
```

For instance, if your hash is in `keepass_hash.txt` and your wordlist is `4n6.txt`, the command would be:

```bash
hashcat -m 13700 keepass_hash.txt 4n6.txt
```

A straight dictionary attack using mode 13700 can be explicitly specified with the `-a 0` flag, often using common wordlists like `/usr/share/wordlists/rockyou.txt`.

```bash
hashcat -m 13700 -a 0 keepass_hash.txt /usr/share/wordlists/rockyou.txt
```

Hashcat will then attempt to crack the hash using the provided wordlist.
