Password Managers are brilliant!
They allow users to create and use complex passwords because they give us a nice secure place to store them. Using Password managers also can also prevent users from writing them down or reusing passwords, which is a huge deterrent against hackers looking to compromise your accounts. It’s a win, win….or is it?
There is a slight weakness to some of them, which could allow attacks to extract your passwords without having to break into the manager itself.
The answer: Get-Clipboard
Get-Clipboard is a PowerShell command which allows you to view or extract what is stored in the clipboard. This got me thinking….Could this be used against me? I know that certain advance persistent threats (APT) use PowerShell for malicious purposes, so could this be one of them.
I then started to think what an average user would copy and paste. It would mainly be things like website URLs, email addresses or info that you need to extract from a website. What we also copy and paste……passwords.
Most password managers allow you to store your credentials but often require you to extract them using copy and paste. Most password manager will then start a count down before removing from clipboard but until this happens, it leaves a window of opportunity.
I wanted to hash this out so started to write a script. The script would execute, hide in the background and then wait for the clipboard to be populated. The script would essentially create a loop that will compare what is and was in the clipboard. If the clipboard contains something new, it would pipe the new value into an array for later use. I wasn’t going to focus on just passwords however because the clipboard can always contain something juicy.
Introducing PSClippy…
To show the concept, I did tweak a few things, such as extraction to a txt file. Because it would normally happen in the background, I needed a way to visibility show you that it’s working.
If it wasn’t hidden, it would look like the following. Notice the pause due to the clipboard not having a new value.
If an attacker is using this technique, there would most likely be no trace. All copies would remain in the array and you would only detect the script if you are looking at current processes or auditing Powershell:
Going one step further and thinking like an attacker, I may not have remote or physical access to the machine itself, so how can I get at the passwords?
Simple, using services such as PasteBin. PasteBin has an API which allows you to upload data to it’s site creating a paste. It’s quite known that quite a few malicious parties use this site to present breaches or leaked credentials so it’s a perfect fit.
Again, for the example, I had changed line 43 so that it uploads after 3 pastes. If an attacker was to use similar extraction methods, I imagine the threshold would be higher to remain unnoticed. As you can see on the right, once I hit 3, PSClippy uploaded my clipboard history shown on the GIF above, to PasteBin. This is public so can be searched by anyway from anywhere.
All of this was just a proof of concept but hopefully you can see that PowerShell is a really useful tool but can be used against you. Running all this did not flag any AntiVirus and if I embedded the script inside an installer, you would most likely be unaware it’s running. You would only be aware of the script if you changed Task Manager for Background processes (PowerShell.exe) or if the Firewall blocks and highlights the attempt. Remember, you don’t need to run this as admin for it to work so any user can execute it.
The aim of this is not to push you away from Password managers however, highlighting an attack scenario that could be played out. If you wanted to read more about PowerShell and auditing, here is a past post I wrote: https://securethelogs.com/hacking-with-powershell-blue-team/
If you did wish to play with the script, you can find it on my GitHub here: https://github.com/securethelogs/PClippy/
Remember that this concept is just for passwords. If an attacker spams something like this out to multiple machines, they are bound to find something of interest.
amoran.io 
Leave a Reply