Credential Dumping: Clipboard


In this article, we learn about online password managers and dumping the credentials from such managers via the clipboard. Passwords are not easy to remember, especially when they are made up of alphanumeric and special characters. These days there are passwords for everything, and keeping the same password for every account is insecure. Therefore, we have many password managers, such as KeePass, Bitwarden and many others, that help us save all of our passwords.

Table of contents:
· PowerShell Empire
· Metasploit Framework
· Koadic
In our practical, we have used the Bitwarden password manager to keep our password secure. It is convenient to use, and even if we forget our password, we can just copy it from there and paste it where we require it. As you can see in the image below, we have saved our password in Bitwarden, and we copy it from there.



PowerShell Empire
If someone copies these credentials, we can retrieve them by using various methods. PowerShell Empire has a module for this; after getting a session through Empire, use the following commands to execute the module:
usemodule collection/clipboard_monitor
execute




Once the module is executed, the copied password is pasted, as shown in the image below:



Those credentials are then displayed in the console, as shown in the image below:



Metasploit Framework
In Metasploit, when you have a meterpreter session, it provides you with a different set of commands. One of those commands is load extapi, which opens the door to various features of the meterpreter session. All of these features can be viewed using a question mark (?). One feature of extapi is its set of clipboard management commands. We will use a clipboard management command through extapi to dump the credentials that are copied to the clipboard. For this, type:
load extapi
clipboard_monitor_start



As you can see in the image above, we have the username and password through the clipboard management command.
Koadic
Just like PowerShell Empire, Koadic has an inbuilt module for dumping the clipboard data. Once you have a session in Koadic, type the following commands to get the clipboard data:
use clipboard
execute



And this way, again, we have the credentials.
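
On the defensive side, clipboard reads made from PowerShell, as in the PowerShell Empire case above, can be hunted in script block logs (Event ID 4104). The following is an added example, not code from this article or from any of the tools it names: it flags records that call the standard PowerShell/.NET clipboard-read APIs and raises the severity when the read sits inside a polling loop. It assumes script block logging is enabled and that events have been exported as dicts in the flattened layout shown; the sample events are constructed.

```python
import re

# Standard PowerShell/.NET ways to read the clipboard (Set-Clipboard is ignored).
CLIPBOARD_READ = re.compile(
    r"Get-Clipboard\b"
    r"|\[(?:System\.)?Windows\.(?:Forms\.)?Clipboard\]::Get(?:Text|DataObject)",
    re.IGNORECASE,
)
# A loop followed by a sleep in the same script block suggests continuous
# monitoring rather than a one-off read by an admin script.
POLLING = re.compile(r"\b(?:while|for|do)\b.*?Start-Sleep", re.IGNORECASE | re.DOTALL)


def triage(events):
    """Return (computer, severity, matched_api) for 4104 events that read the clipboard."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:  # only script block logging events
            continue
        text = ev.get("ScriptBlockText", "")
        hit = CLIPBOARD_READ.search(text)
        if not hit:
            continue
        severity = "high" if POLLING.search(text) else "review"
        findings.append((ev.get("Computer", "?"), severity, hit.group(0)))
    return findings


# Constructed sample events; the flattened field layout is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS-01",
     "ScriptBlockText": "Add-Type -AssemblyName System.Windows.Forms\n"
                        "while ($true) {\n"
                        "  $c = [Windows.Forms.Clipboard]::GetText()\n"
                        "  if ($c -ne $prev) { $prev = $c; $c }\n"
                        "  Start-Sleep -Seconds 1\n}"},
    {"EventID": 4104, "Computer": "WS-02",
     "ScriptBlockText": "Get-Clipboard | Out-File notes.txt"},
    {"EventID": 4104, "Computer": "WS-03",
     "ScriptBlockText": "Set-Clipboard -Value 'hello'"},
    {"EventID": 4103, "Computer": "WS-04", "ScriptBlockText": "Get-Clipboard"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Enabling the clear-clipboard timeout in the password manager shortens the window in which any such monitor can capture a copied password.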
