Some weeks ago, I tweeted about grabbing clipboard content from KeePass with some PowerShell. From some reactions to this tweet, and after reading it a couple of times again, I realize it was sending the wrong message, and I would like to take a bit more than 280 chars to clarify what I meant when I posted that tweet…
TLDR: Password managers are a must, not using one exposes you to far more risks than using one. Do it.
… so the tweet went as follows: “Keystrokes are a pain to grab… Please use Keepass…“, and there was a screenshot with a bit of PowerShell code and a P@ssw0rd ‘stolen’ from Keepass.
Now to put it back in context, it was a Thursday evening, I was in the ICE somewhere in Germany and had no network on my hotspot; so I started playing with PowerShell, and since I have KeePass on my laptop, I decided to see if I could steal the password from the clipboard.
Nothing too fancy, just a little coding exercise to kill some travel time…
Note: At this point of the story, German readers might object that I could have use WifiOnICE to have internet access, and this is true; but this post is not about the great comfort of German railways (and I don’t like public networks), so let’s stay on tracks please…
Once 4G was back, I google the last bits I needed for the job, and once done, I tweeted it without really thinking twice.
The pointless point I was trying to make is that it takes less lines of code to get a password out of the clipboard, than it takes to write a key-logger.
The message could have been more explicit I admit, but I surely wasn’t aiming anything at KeePass itself.
I am a KeePass user and it is a life saver, not only for goldfish people like me, but for anybody using passwords (= all of us). If my own mother was to ask me “Should I use a password manager?“, my answer would be: “YES” without a doubt. This was however not clear at all in my tweet, and this is why I am writing this post.
If you need some more info to be convinced, I would recommend this excellent article by NCSC UK that I was reading a couple of days ago and motivated me for this blogpost. I think they nail it point after point, so I will not repeat it in this post (but again, if you have any doubts on using a password manager, do read it).
Instead, and only if you use a password manager yourself, I will share with you that quick & dirty PowerShell code, and we will have a look at how it works. Nothing new, you can find all this online, just a good opportunity to share some PowerShell tricks…
So this is what it looked like:
L2-9: First we use Add-Type and a bit of C# to import the user32.dll into our session
This will later be used to spot when the Keepass window is in the foreground.
L11-12: With New-Object we create an form in the background that will be used to get clipboard content.
L14: we start an infinite loop with a while(1){…}
L16: A lot happening in that one line of posh… so let’s break it down:
First we get the foreground window by using the GetForegroundWindow() method we imported earlier. This returns a process handle.
Then we look for the ProcessName of a process with a matching handle by calling Get-Process, piping it to a Where-Object and looking at the MainWindowHandle property.
We then compare the name of that process to the value ‘keepass’, and finally as long as it doesn’t match, we sleep 1 sec. Quite cool…
L18: we repeat this ninja move, this time to wait for KeePass not to be in the foreground – meaning the user might have set clipboard content.
L20-21: we use our Textbox to get the content of the clipboard, display it, and clear the Textbox content for next loop.
As you can see it doesn’t take much to achieve the basic goal, and we could easily now turn it into a cmdlet and/or an Empire Module, but at that point I had reached my destination and did not push the exercise further (but please feel free to do so… )
Anyways, reading this post on pasting passwords earlier today gave me the opportunity to clarify what I think about Password Managers. There is enough contradictory information going around when it comes to ‘how to deal with passwords’ and I would not want to add to this confusion.
Even if there is no silver bullet, password managers are the way to go, and I think we should clearly promote the use of these tools.
If some code like the above is running on your machine, you have other problems to worry about, and keePass wasn’t meant to protect you against these…
(And from now on I will try to think twice before tweeting…)
Thanks for reading, and see you next time…
PS: If you are looking for more on targeting KeePass, check out this blogpost by @harmj0y.