Exploiting CVE-2023-32784
Overview
This document explains how CVE-2023-32784 was reproduced in a controlled lab environment in order to recover a KeePass master password.
The goal of this exercise was not to break the database directly at first, but to exploit a memory leak issue in KeePass that reveals most of the master password characters after the password has been typed into the application.
The remaining unknown characters were then recovered using Hashcat with a targeted mask attack.
This workflow demonstrates how dangerous memory disclosure vulnerabilities can be, especially when they expose enough password structure to make a final offline cracking step practical.
This documentation is intended for educational purposes and authorized security testing only.
Objectives
The main goals of this exercise were:
- install a vulnerable KeePass 2.x version
- create a test database with a known master password
- generate a process memory dump from KeePass
- extract password artifacts from the dump using a public proof-of-concept
- convert the KeePass database into a crackable hash format
- use Hashcat to recover the missing password characters
- document the full attack chain clearly and reproducibly
Tools Used
| Tool | Purpose |
|---|---|
| KeePass 2.53 | Vulnerable target application |
| .NET 7.0 Runtime | Required to run the dump analysis tool |
| Windows VM (Parallels) | Lab environment for KeePass and memory dump creation |
| Task Manager | Used to create the KeePass process dump |
| keepass-password-dumper | Extracts master password artifacts from a memory dump |
| Kali Linux | Used for keepass2john |
John the Ripper (keepass2john) | Converts .kdbx into KeePass hash format |
| Hashcat | Final mask attack to recover missing password characters |
Lab Environment
| Component | Value |
|---|---|
| Host System | macOS |
| Virtualization | Parallels |
| Target OS | Windows |
| KeePass Database Name | passwords.kdbx |
| Potfile Name | keepass-master.potfile |
Why This Attack Works
The vulnerable KeePass version leaves recoverable traces of the master password in memory after the password has been typed manually into the unlock dialog.
This means an attacker with access to a memory dump can often reconstruct:
- most characters of the password
- the order of those characters
- the approximate password structure
Even if the full password is not recovered immediately, the leaked structure can drastically reduce the cracking effort.
In this case, the dump analysis revealed almost the entire password, leaving only the first two characters unknown.
That made the final step with Hashcat very fast and practical.
Step 1 - Install KeePass
First, KeePass was downloaded from SourceForge and installed on the Windows VM.
A vulnerable KeePass 2.x version was used for the lab so that the memory disclosure issue could be reproduced.
After the installation, KeePass was started normally.
Step 2 - Install .NET Runtime
The dump analysis tool also required the .NET 7.0 Runtime.
Therefore, .NET 7.0 was downloaded, executed, and installed on the Windows system before running the proof-of-concept tool.
Without this runtime, the dump analyzer could not be executed successfully.
Step 3 - Create a Test KeePass Database
Inside KeePass, a new database was created:
- Open KeePass
- Click New
- Save the file as:
Passwords.kdbx
- Set a master password
For this lab, the chosen master password was:
NajjacaSifraNaSvetu!2026
After saving the database, the .kdbx file was located in the KeePass working folder.
Step 4 - Unlock the Database Manually
This step was important.
The database file was opened again and the master password was entered manually by typing it, not by copy-paste.
This matters because the vulnerability depends on how the password is processed in memory during typing.
After typing the password and unlocking the database, KeePass was left running.
Step 5 - Create a KeePass Memory Dump
Next, a process memory dump was created from the running KeePass process.
The process was:
- Open Task Manager
- Find the KeePass process
- Right-click the process
- Choose the option to create / save a memory dump
- Save the
.DMPfile
The dump file was then copied into the same folder that already contained:
- KeePass
passwords.kdbx
This kept the lab files organized in one place.
Step 6 - Download the Proof-of-Concept Tool
The public proof-of-concept tool used for this step was downloaded from GitHub:
https://github.com/vdohney/keepass-password-dumper
The repository ZIP was downloaded and extracted into the same working folder as the other lab files.
At this point, the folder contained:
- KeePass executable / installation files
passwords.kdbx- the KeePass dump file
- the extracted
keepass-password-dumperproject
Step 7 - Analyze the Memory Dump
A Windows command prompt was opened and changed into the extracted GitHub project folder.
From there, the dump analyzer was executed against the KeePass dump file using:
dotnet run ..\KeePass.DMP
The ..\ path was used because the .DMP file was located one directory above the current folder.
The result at the end of the output showed almost the complete password structure.
The recovered output indicated that only the first two characters were still missing.
The combined result looked like this:
○{a, 3, Ï, ≠, §, e, \, {, ö}jjacaSifraNaSvetu!2026
This revealed enough information to continue with a targeted cracking step.
Step 8 - Move the KeePass Database to Kali Linux
The .kdbx database file was transferred to Kali Linux using a shared folder.
This was done because the next step required keepass2john, which was available in the Kali environment.
Step 9 - Extract the KeePass Hash
Inside Kali Linux, the following command was executed:
keepass2john passwords.kdbx > hash.txt
This converted the KeePass database into a crackable KeePass hash representation.
After that, hash.txt was transferred back to Windows via the shared folder.
Step 10 - Clean the Hash Format
The output generated by keepass2john started with the filename prefix, for example:
passwords:
That prefix was removed manually so that the file started directly with the KeePass hash signature:
$keepass$...
This step was necessary because Hashcat expects the hash file to begin with the KeePass hash data directly.
Step 11 - Identify the Correct Hashcat Mode
Before running Hashcat, the correct KeePass mode was checked on the Hashcat reference page.
For KeePass 2.x, the correct mode was:
13400
This was then used in the final cracking command.
Step 12 - Run a Targeted Mask Attack with Hashcat
Since the dump analysis had already revealed almost the entire password, only the first two characters were still unknown.
The remainder of the password was already known:
jjacaSifraNaSvetu!2026
So the Hashcat mask attack only needed to brute-force the two missing leading characters.
The exact command used was:
hashcat -m 13400 hash.txt -a 3 '?a?ajjacaSifraNaSvetu!2026' --potfile-path=keepass-master.potfile
Command Explanation
| Part | Meaning |
|---|---|
-m 13400 | KeePass 2.x hash mode |
hash.txt | File containing the cleaned KeePass hash |
-a 3 | Mask attack |
'?a?ajjacaSifraNaSvetu!2026' | Two unknown leading characters plus known remainder |
--potfile-path=keepass-master.potfile | Stores the cracked result in a dedicated potfile |
This attack was very efficient because almost the entire password had already been recovered from memory artifacts.
Step 13 - Verify the Result
After Hashcat finished, the potfile contained the cracked KeePass password.
The result looked like this:
$keepass$*2*60000*0*00969a81b3ff3068d1892b2cb88f81ff91b10fe573c981868c135995f7e2274a*63ea8d30a413ad7a5e35d3d6b0ced1788ed920a710c22e8f276d509fb9e0ef85*02f8a7e0fc9ebf9f9b30b66ab8daa09a*a7363c2fb08e34a1a28240c57ea5efe41ec34ce0e623f482bba8ced778d0941d*c34edb4c7806f178bcf91631872495c5b83d7c90e2a556caf2328947fb8206a8:NajjacaSifraNaSvetu!2026
The plaintext password appeared after the colon at the end.
Recovered password:
NajjacaSifraNaSvetu!2026
Attack Chain Summary
The full attack workflow was:
- install KeePass 2.53
- install .NET 7.0 runtime
- create a new KeePass database
- set a master password
- unlock the database by typing the password manually
- create a process memory dump from KeePass
- analyze the dump with
keepass-password-dumper - extract the database hash using
keepass2john - clean the hash file for Hashcat
- run a targeted mask attack with Hashcat
- recover the full master password
This demonstrates how a memory disclosure vulnerability can transform a strong password into a highly crackable target.
Security Analysis
This lab demonstrates several important security lessons.
Memory Leaks Can Be Extremely Dangerous
Even if the database itself is encrypted properly, leaking password fragments from memory can make the master password recoverable.
Partial Password Disclosure Changes the Threat Model
A password that would normally be hard to brute-force becomes much easier to crack once most characters are known.
Manual Typing Matters
The issue becomes relevant because the password was typed into KeePass.
This means even good password practices can be undermined by software implementation flaws.
Offline Cracking Becomes Practical
Once the KeePass database hash and password structure are both available, tools such as Hashcat can finish the attack quickly.
Lessons Learned
This exercise helped reinforce the following points:
- software vulnerabilities can weaken otherwise strong authentication
- memory artifacts can be extremely valuable to an attacker
- KeePass database hashes can be extracted and attacked offline
- Hashcat becomes much more powerful when combined with leaked password structure
- post-exploitation artifacts often matter as much as encryption itself
Conclusion
This lab successfully demonstrated how CVE-2023-32784 can be exploited in a realistic workflow.
A vulnerable KeePass installation was used to create a database and unlock it manually.
A memory dump was then analyzed with a public proof-of-concept, revealing nearly the entire master password.
The missing characters were finally recovered with a targeted Hashcat mask attack.
The exercise showed that strong passwords alone are not enough when application memory handling is flawed.
Legal Disclaimer
This documentation is provided for educational purposes only.
KeePass analysis, memory dumping, password recovery, and offline cracking must only be performed on systems, files, and databases that you own or are explicitly authorized to test.