F 211: Memory Forensics of LastPass and Keeper (25 extra)

What You Need for This Project

Purpose

To see how the LastPass password manager handles your private data in memory.

This project just follows this excellent write-up from MDSec: Analysing LastPass, Part 1.

Installing Chrome

On your Windows machine, if you don't already have it, get Chrome here:
https://www.google.com/chrome/

Installing Process Explorer

On your Windows machine, if you don't already have it, get Process Explorer here:
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Installing HxD

On your Windows machine, if you don't already have it, get HxD here:
https://mh-nexus.de/en/hxd/

Target 1: LastPass

Installing LastPass

On your Windows machine, in Chrome, go to:
https://www.lastpass.com/
Click the "Get LastPass Free" button.

Fill in the form, as shown below.

Use a disposable email address, such as YOURNAME@mailinator.com.

Click the "Sign Up-It's Free" button.

Click the "Install LastPass" button, as shown below.

Click the "Add to Chrome" button. Click "Add extension".

Add a fake password with these values, as shown below:

Click the Save button.

Finding the Process with the LastPass Extension

Launch Process Explorer. Scroll to the lower section to see user processes.

There are several Chrome processes, as shown below.

Hover the mouse over a Chrome process to see its command line.

Find the process with this switch, outlined in red in the image below:

--extension-process

Right-click that process and click Properties.

In the Properties sheet, click the Job tab.

Find the PID (Process ID). When I did it, the PID was 2684, as shown below.

Exploring the Memory of the Process

Launch HxD.

From the menu bar, click Tools, "Open main memory...".

Find the Process ID of the process containing the LastPass extension, as shown below, and double-click it.

In HxD, click Search, Find.

In the "Search for" field, enter testpassword1234, as shown below.

Click the "Search all" button.

F 211.1: Password Label (15 pts)

The flag is the word before your unencrypted password, covered by a green rectangle in the image below.

Target 2: Keeper

Installing Firefox

If you don't already have it, install Firefox from
https://getfirefox.com

Installing Keeper

In Firefox, go to:
https://www.keepersecurity.com
At the top right, click "Try it Free".

Click "Personal and Family".

Enter a disposable email address ending in mailinator.com and click "Try it Free Now".

Create an account, log in, and add a password to your Vault containing the string CCSF#.

Install the Browser Extension.

Leave Firefox open.

F 211.2: Finding the Process Containing Private Data (10 pts)

It's difficult to find the correct Firefox process. You don't always see the same indicator. Look for one of these clues:
  • A DLL with a name containing "keepersecurity" or "formautofill"
  • A handle to File \Device\KsecDD

In HxD, search that Firefox process for the string "CCSF#" in Unicode, as shown below.

The flag is covered by a green rectangle in the image below.
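The two HxD searches above (the LastPass search, which finds the password as plain ASCII, and the Keeper search, which only finds it in Unicode) can be automated over a saved memory image. The script below is an added example, not part of this lab or of the MDSec write-up; SAMPLE_DUMP is a constructed byte string standing in for a process memory dump, and the JSON layout and "vault entry" string are invented for illustration.

```python
import re
from typing import Optional

# Constructed stand-in for a process memory image (e.g. one saved from HxD):
# a LastPass-style JSON record in ASCII, then a Keeper-style vault string
# stored as UTF-16LE, the "Unicode" encoding the Keeper search needs.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b'{"name":"demo site","password":"testpassword1234","url":"https://example.test"}'
    + b"\x00" * 8
    + "vault entry CCSF#secret 2022".encode("utf-16-le")
    + b"\x00" * 8
)

# Label -> codec. Browser processes hold strings in both forms, so a search
# that tries only one of them can miss a plaintext secret.
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def find_secret(dump: bytes, secret: str, context: int = 24) -> list:
    """Return every occurrence of `secret` in `dump`, with the encoding it was
    found in, its byte offset, and `context` characters on each side decoded
    in that same encoding (so the label next to the password is readable)."""
    hits = []
    for label, codec in ENCODINGS.items():
        needle = secret.encode(codec)
        unit = len("A".encode(codec))  # bytes per character: 1 or 2
        for m in re.finditer(re.escape(needle), dump):
            start = max(0, m.start() - context * unit)
            start += (m.start() - start) % unit  # keep the decode aligned
            end = min(len(dump), m.end() + context * unit)
            end -= (end - m.end()) % unit
            hits.append({
                "encoding": label,
                "offset": m.start(),
                "context": dump[start:end].decode(codec, errors="replace"),
            })
    return hits


def word_before(dump: bytes, secret: str) -> Optional[str]:
    """The printable token immediately preceding the first hit: the field
    name stored beside the plaintext password (what flag F 211.1 asks for)."""
    for hit in find_secret(dump, secret):
        before = hit["context"].split(secret)[0]
        tokens = re.findall(r"[A-Za-z0-9_]+", before)
        if tokens:
            return tokens[-1]
    return None
```

Run it against a real dump by replacing SAMPLE_DUMP with the bytes of a file saved from HxD; a hit in either encoding means the manager left the secret unencrypted in process memory.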

References

Analysing LastPass, Part 1

Posted 10-23-2021
Keeper added 11-3-22
Lastpass link fixed 11-29-22
Flag 2 changed 12-3-22
Flag 1 changed and video added 4-24-23
Flag 2 changed 5-4-23