Hacking macOS: How to Dump 1Password, KeePassX & LastPass Passwords in Plaintext

KeePassX, 1Password, and LastPass are effective against keyloggers, phishing, and database breaches, but passwords managers rely on the operating system’s clipboard to securely move credentials from the password vault to the web browser. It’s within these few seconds that an attacker can dump the clipboard contents and exfiltrate passwords.

Two scenarios come to mind with a clipboard-dumping attack geared toward password managers, and both utilize the pbpaste command found in all versions of macOS. Pbpaste will take any data found in the clipboard (including passwords) and write it to the standard output. Any macOS user can try this by first copying a password to the clipboard then immediately typing pbpaste into a terminal.

It doesn’t require special privileges to execute pbpaste, and the clipboard can be written to any file, as shown below.

Option 1: Dump the Clipboard Locally

Scenario: The attacker has established a persistent backdoor and wants to gather passwords stored in KeePassX, 1Password, or LastPass over a prolonged period. MacOS has become better about protecting against keyloggers, and anyone livestreaming the desktop couldn’t unhide or reveal credentials stored in the password managers.

The attacker can dump the clipboard into a local file and occasionally check it for new passwords. An infinite while loop with a five second delay should do the trick.

The while loop will execute pbpaste and pause (sleep) for five seconds. The command within the loop will repeat over and over again, repeatedly dumping anything found in the clipboard. An echo has been introduced to create a newline (\n) with every entry to prevent data from concatenating on the same line.

From an additional Netcat shell, use cat or to view the clipboard.txt file contents.

Tail will follow (-f) changes appended to the file and immediately print new content discovered in the clipboard.

Prevent the clipboard.txt file from flooding with duplicate lines by evaluating the clipboard contents and comparing it to the last entry in the file.

Only if the current clipboard content is not equal (!=) to the last entry ( tail -n1) in clipboard.txt will pbpaste update the file.

However, this solution is somewhat flawed. The if statement only compares the last line of the clipboard.txt file, so if there are multiple lines in the clipboard it’ll fail to recognize it as a duplicate entry. But it serves its purpose for this article and most scenarios. You can spend a little time devising a robust, proper solution with this as the basic foundation.

Option 2: Exfiltrate Passwords to a Remote Server

Scenario: The attacker doesn’t care to remotely access the MacBook. The payload is instead designed to exfiltrate the clipboard to the attacker’s server at intervals.

In this scenario, the attacker only cares about exfiltrating the clipboard and hasn’t backdoored the MacBook. Instead, they have found a way to remotely execute code on the target macOS device. Setting up this attack involves a PHP server controlled by the attacker used to intercept exfiltrated data. A Debian virtual private server is used in my example.

Step 1: Install PHP

To get started, install php with the following command, which will work in Debian and Kali Linux.

Make a directory called “phpServer/” using the below mkdir command.

Change into the phpServer/ directory using the cd command.

Create a file called “index.php” with nano.

Paste the below PHP code into the nano terminal. Once that’s done, to save and exit the nano terminal, press Ctrl+ x, then y, then Enter.

This simple PHP server is capable of intercepting data and doesn’t need to be modified in any way to function. When the MacBook sends the clipboard contents, the server will capture and append the data to a file called “clipboard.txt.”

Finally, start the PHP server with the php -S command.

Step 2: Create the Payload

The below script will compare the current clipboard contents to the most recent sent to the attacker’s server. For clarity, it’s in standard shell script format to allow space for comments.

Visit Null-Byte.WonderHowTo.com for the copy/paste code.

Compress the script into one line to have it fit conveniently into various types of stagers.

Step 3: Examine the Exfiltrated Data

As the PHP server receives clipboard data, it will indicate the origin of the data (IP address) as well as the date and time. Press Ctrl+ c to stop the PHP server.

View the clipboard.txt contents with cat to find the encoded passwords. KeePassX and 1Password automatically clear the clipboard after ten and thirty seconds, respectively. LastPass states it clears the clipboard “after a default amount of time.” Empty deliveries from the MacBook appear as “Cg==” encoded.

The following command will automatically decode all of the base64 strings in the clipboard.txt file. All of the below strings are passwords captured while using KeePassX, 1Password, and LastPass.

Live Off the Land (Conclusion)

Penetration testers are encouraged to utilize as many resources already present in the compromised operating system (i.e., “ living off the land”). Like cURL, Netcat, Bash, and LibreSSL, pbpaste is yet another built-in tool easily abused by a hacker during post-exploitation engagements.

Attackers will explore every avenue to discover a target’s login passwords. Pbpaste makes dumping credentials stored in password managers almost too easy.

How to Protect Yourself from Clipboard Dumping

To prevent an attacker from having an opportunity to dump the clipboard, install the official 1Password browser extension or LastPass browser extension. They are available for all modern web browsers. For KeePassX users, similar browser extensions exist, but none have been officially audited or tested.

For 1Password, once the extension is installed, enable the “ 1Password Extension Helper” when prompted. Then, the helper would allow 1Password to autofill credentials while logging into websites. Autofill does not use the clipboard at all, therefore preventing a clipboard attack. The process is similar for the LastPass extension.

Keep in mind that neither work 100% of the time. Sometimes, it’s necessary to copy passwords to the clipboard when autofill on a website does not work.

If you must copy a password, you can adjust the clipboard settings for the password manager. For instance, you can go open 1Password’s preferences, select “Security,” then enter a time in seconds by “Clear clipboard contents after.” Make it as short as can be. In the hacks above, we used five-second intervals, so three or four seconds may be useful, but that doesn’t mean a hacker won’t be able to grab a password if it checks the clipboard at the right moment or if the time interval is decreased.

Overall, there is no built-in way to clear the clipboard on macOS after a set amount of time or as soon as an item is pasted, nor would it be advisable since the clipboard is used for more than just passwords.

You could build a Service for “Clear Clipboard” and assign it a keyboard shortcut like Command + Down Arrow. Then, you can manually clear the clipboard after pasting a password, so it’s not sitting in there longer than necessary. Just build the Service with Automator, but use the following as the “Run Shell Script.” However, you’d run into the same problem as described above about the clipboard being exfiltrated at the right moment or with a smaller interval before checks.

If you enjoyed this article, follow me on Twitter @tokyoneon_. For questions and concerns, leave a comment or message me on Twitter.

Don’t Miss: Create a Fake PDF Trojan with AppleScript

Cover photo and screenshots by tokyoneon/Null Byte

Originally published at https://null-byte.wonderhowto.com on June 10, 2019.

The aspiring white-hat hacker/security awareness playground

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store