Credential Dumping: Clipboard
In this article, we learn about online password mangers and dumping the credentials from such managers via clipboard. Passwords are not easy to remember especially when passwords are made up of alphanumeric and special characters. And these days, there are passwords for everything. And keeping the same password for every account is insecure. Therefore, we have many password managers such as KeePass, bitswarden and many others that help us save all of our passwords.
Table of Content:
- PowerShell Empire
- Metasploit Framework
- Koadic
In our practical, we have used bitswarden password manager to keep our password secure. It’s feasible to use and even if we forget our password, we can just copy it from there and paste it where we require it. As you can see in the image below, we have saved our password in bitswarden. And we copy it from there.
PowerShell Empire
If these credentials are copied by someone then we can retrieve them by using various methods. PowerShell Empire has such a module; after having a session through the empire, use the following commands to execute the module:
usemodule collection/clipboard_monitor execute
Once the module is executed, whenever the copied password is pasted as shown in the image below:
Then those credentials will be displayed in the console as shown in the image below:
Meterpreter Framework
In Metasploit, when you have a meterpreter session, it provides you with a different set of commands. One of those commands is load extapi, this command opens a door to various features of meterpreter session. All of these features can be viewed using a question mark (?). One feature of extapi is clipboard management commands. We will use a clipboard management command through extapi to dump the credentials which can be copied to clipboard. For this, type:
load extapi clipboard_monitor_start
And as you can see in the image above, we have username and password through clipboard management command.
Koadic
Just like PowerShell empire, Koadic has an inbuilt module for dumping the clipboard data. Once you have a session in koadic, type the following commands to get the clipboard data:
use clipboard execute
And this way, again, we have the credentials.
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here