Stealing Passwords from Password Managers (well, sort of…)

All major browsers give users the option to store credentials for websites, but most browsers do not keep this information secure by default. The LaZagne Project, for example, can extract and decrypt credentials saved in IE, Firefox, Chrome, and Opera. As such, most security professionals recommend not storing credentials in your browser and instead using a password manager. I have not seen any tool that can extract or decrypt credentials stored in a password manager vault.

That sounds great! So, if hackers or malware gain access to my machine, then the passwords to all of the websites I visit won’t be compromised, right?

Maybe.

At some point, the password has to be decrypted to be entered into the browser, so I wrote a proof of concept PowerShell tool that extracts the credentials at that point. The code is here, and the rest of this post will explain what the code is doing at a high level.

Okay, so what just happened?

By default, LastPass (and probably other password managers as well) autofills saved credentials into the login form of the matching website. Additionally, LastPass doesn't require the master password to be entered very often (it seems to log you into your vault when you log on to the system and open a browser).

The Get-AutoFillCredentials script does three things:

  1. Uses PowerShell to instantiate an invisible Internet Explorer COM object that browses to a specific site
  2. Once the page loads, searches the DOM for fields that may contain a username and captures the value
  3. Searches the DOM for fields that may contain a password and captures the value

Here are the details and some code snippets:

PowerShell Internet Explorer

Creating an Internet Explorer browser with PowerShell is simple:

$ie = New-Object -ComObject InternetExplorer.Application.1
$ie.Visible = $True  # For an invisible browser, set this to $False
$ie.Silent = $True   # Suppress dialog boxes
$ie.Navigate("https://laconicwolf.com")

If you copy/paste this code into PowerShell and press enter, you should have an Internet Explorer browser open to this site:

You may also notice the red box with the three white dots in the top-left corner of my browser. That is the LastPass browser plugin. So yes, even when you initialize IE with PowerShell, it still loads any browser plugins. Get-AutoFillCredentials uses this same logic from the code snippet, and then parses the HTML looking for form fields that may contain usernames and passwords.

Searching the DOM

Get-AutoFillCredentials repeatedly makes use of the code Document.getElementById(some_id), where some_id is the common name for a username or password. For example, here is a screenshot of the Parse-Username function in the script:

If you are using Windows 10, you may get errors like this when you run the script or call document.getElementById yourself:

From what I was able to find by Googling, Windows 10 does not support these calls from an IE COM object, so as of now this code gives inconsistent results on Windows 10. There may be a way to make it work better on Windows 10, but I haven't figured it out yet.

Tying it all together

The Get-AutoFillCredentials function accepts a file of URLs to browse to, and for each URL ties the following together:

  • Instantiates an IE object and browses to the URL
  • Parses the DOM looking for usernames and passwords
  • Closes the invisible browser
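From the defender's side, the interesting artifact of this procedure is the Internet Explorer process itself: an IE instance created through COM automation is started by the COM launch service rather than by the user clicking an icon, and it carries an "-Embedding" argument on its command line. The following PowerShell is an added example (not part of the original post or of the Get-AutoFillCredentials script) that pulls Sysmon process-creation events (Event ID 1) and flags iexplore.exe instances started that way, then checks whether the same user also had a PowerShell host start shortly before. It assumes Sysmon is installed with process-creation logging; the Sysmon field names (Image, CommandLine, ParentImage, User) are the standard EventData names, and the "-Embedding" marker is assumed to be present on COM-activated IE. The sample records at the bottom are constructed so the logic can be exercised offline.

```powershell
# Added example: hunt for Internet Explorer instances started via COM automation
# (e.g. from a PowerShell script) using Sysmon Event ID 1 records.
# Assumptions: Sysmon process-creation logging is enabled, and a COM-activated
# iexplore.exe has "-Embedding" on its command line.

function ConvertFrom-SysmonProcessEvent {
    # Flatten one Sysmon Event ID 1 record into the fields we care about.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
        ParentImage = $data['ParentImage']
        User        = $data['User']
    }
}

function Test-ComLaunchedIE {
    # True when the record is iexplore.exe started with the COM "-Embedding" switch.
    param([Parameter(Mandatory)]$Process)
    $isIE   = $Process.Image -match '\\iexplore\.exe$'
    $viaCom = $Process.CommandLine -match '(^|\s)[-/]Embedding(\s|$)'
    return [bool]($isIE -and $viaCom)
}

function Find-ComLaunchedIE {
    param(
        [int]$Hours = 24,
        [object[]]$Events   # optional: pre-flattened records, e.g. for offline testing
    )
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            Id        = 1
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop | ForEach-Object { ConvertFrom-SysmonProcessEvent $_ }
    }

    # PowerShell hosts seen in the same window, used to enrich each hit.
    $hosts = $Events | Where-Object { $_.Image -match '\\(powershell|pwsh)\.exe$' }

    foreach ($ie in ($Events | Where-Object { Test-ComLaunchedIE $_ })) {
        $recentHost = $hosts | Where-Object {
            $_.User -eq $ie.User -and
            $_.Time -le $ie.Time -and
            ($ie.Time - $_.Time).TotalMinutes -le 10
        }
        [pscustomobject]@{
            Time                 = $ie.Time
            User                 = $ie.User
            ParentImage          = $ie.ParentImage
            CommandLine          = $ie.CommandLine
            RecentPowerShellHost = [bool]$recentHost
        }
    }
}

# Constructed sample records (not real telemetry) so the logic runs without Sysmon.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Time = $now.AddMinutes(-2); User = 'CORP\alice'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -File .\script.ps1'
        ParentImage = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ Time = $now; User = 'CORP\alice'
        Image = 'C:\Program Files\Internet Explorer\iexplore.exe'
        CommandLine = '"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'
        ParentImage = 'C:\Windows\System32\svchost.exe' },
    [pscustomobject]@{ Time = $now; User = 'CORP\bob'
        Image = 'C:\Program Files\Internet Explorer\iexplore.exe'
        CommandLine = '"C:\Program Files\Internet Explorer\iexplore.exe" https://example.com'
        ParentImage = 'C:\Windows\explorer.exe' }
)

# Only alice's COM-launched instance is reported, with RecentPowerShellHost = True.
Find-ComLaunchedIE -Events $sample | Format-Table Time, User, ParentImage, CommandLine, RecentPowerShellHost
```

Run it without -Events on a host with Sysmon to query the live log. The "-Embedding" switch also appears for legitimate COM uses (Office automation, some installers), so treat a hit as a triage signal to be correlated with a scripting host and with the password manager plugin being loaded, not as a verdict on its own. Policy-wise, the exposure the post describes shrinks considerably when the password manager is configured to require the master password before filling and autofill is left off for sensitive sites.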

Usage

Usage is pretty simple:

Get-AutoFillCredentials -URLFile urls.txt

Browses to all URLs in the file and attempts to extract usernames and passwords

Get-AutoFillCredentials -URLFile urls.txt -DisplayStatus

The -DisplayStatus switch shows the progress in the terminal, and is implemented in the code like this:

And if you really want to see what the browser is doing, you can use the -Visible switch:

Get-AutoFillCredentials -URLFile urls.txt -Visible

This just makes the browser visible, and can be useful for troubleshooting. It is implemented in the code like this:

if ($Visible) { $Browser = Browse-Url -Url $url -Visibility True }
else          { $Browser = Browse-Url -Url $url }

One last thing

You may be saying: this is all great, but how do I know which URLs the user goes to? I can't possibly check every site on the Internet. Well, I'm glad you asked! The user's browser history and favorites can be great places to start gathering a list of URLs. I wrote a post about how to do this in Firefox, and have since released tools that also do this in Chrome and IE.

Oh, and I fully support the use of password managers in general, but I just thought this was an interesting workaround to gather credentials.

Feedback is welcome!
