SlideShare une entreprise Scribd logo
1  sur  70
Télécharger pour lire hors ligne
Breaking Vaults
Stealing LastPass protected
secrets
Martin Vigo
@martin_vigo
martinvigo.com
Who am I
• Product Security Engineer
• Spaniard / Galician
• Diver
• Gin tonic consumer
• @martin_vigo / martinvigo.com
Most beautiful beach in the world
Amazing seafood
Charlie Sheen’s grandfather was Galician
Wikipedia
“LastPass is a password management service
which seeks to resolve the password fatigue
problem by centralizing user password
management in the cloud”
Password Managers
Why targeting Password
Managers?
• All you want to hack is in one
place
• Social Networks
• Banks
• Email accounts
• Corporate credentials
Why LastPass?
• Enterprise edition
• Large companies use it
• “More than 10,000 corporate customers
ranging in size all the way up to the
Fortune 500”
• Not only credentials
• Credit Cards, Personal documentation,
Private notes, etc.
• Arguably the most popular password
manager
State of the art
• Vulnerabilities
• DNS poisoning
• XSS form injection
All focus on leaking specific secrets
Target: Master Password
All your secrets are belong to us
Architecture
Focus
Browser Plugin
• Javascript
• Sandboxed (SOP)
• Injects code into DOM
• Access to filesystem
Security claims
• LastPass has no access to your data
• Local encryption
• Secure storage
Reversing
Meaning making sense of 3MB of obfuscated JS
siesta.py
• Beautifies every JS file
• Injects a payload to every function
• console.log([file] [function] [params])
• Credits to Alberto Garcia (@algillera)
• Identified all accessed files
• Minimized JS
• Storage on Sqlite DBs
• Browser specific implementation
• Business logic
• File location
• Storage
• AES own implementation
• RSA is based on jsbn library
Logic and storage
Local encryption
• 256-bit AES
• CBC and ECB
• Their own implementation
• PBKDF2
• 500 / 5000 rounds (default)
• Unauthenticated query
Encryption key
PBKDF2(SHA-256, Username, Master Password, Iterations, 32)
Salt Password key length
LastPass has no access to
your data
PBKDF2(SHA-256, Master Password, k, 1, 32)
E/D(k, vault)
Encrypted Vault
Encrypted Vault
PBKDF2(SHA-256, Per user salt, k’, 100000, 32)
What does LastPass see?
The encrypted vault
A 1-round PBKDF2-SHA256 of
the encryption key
Stealing the Master Password
Remember password
• Stores the password locally
• Sqlite DB or prefs.js
• ECB or CBC
• u7W1PsEYsWrtAS1Ca7lOOH==
• !waXcJg8b7wI8XYZnV2l45A==|4d0Hiq+spx50pso2tEMtkQ==
Storage
Chrome Firefox Safari Opera
Windows
#{user_profile['LocalApp
Data']}/Google/Chrome/
User Data/Default/
databases/chrome-
extension_hdokiejnpimak
edhajhdlcegeplioahd_0
#{user_profile[
'AppData']}/
Mozilla/
Firefox/Profiles
#{user_profile['LocalAppData
']}/Apple Computer/Safari/
Databases/safari-
extension_com.lastpass.lpsaf
ariextension-n24rep3bmn_0
#{user_profile['AppData']}/
Opera Software/Opera
Stable/databases/chrome-
extension_hnjalnkldgigidg
gphhmacmimbdlafdo_0
Mac
#{user_profile['LocalApp
Data']}/Google/Chrome/
Default/databases/
chrome-
extension_hdokiejnpimak
edhajhdlcegeplioahd_0
#{user_profile['
LocalAppData']
}/Firefox/
Profiles
#{user_profile['AppData']}/
Safari/Databases/safari-
extension_com.lastpass.lpsaf
ariextension-n24rep3bmn_0
#{user_profile['LocalAppData']
}/com.operasoftware.Opera/
databases/chrome-
extension_hnjalnkldgigidggph
hmacmimbdlafdo_0
Unix
#{user_profile['LocalApp
Data']}/.config/google-
chrome/Default/
databases/chrome-
extension_hdokiejnpimak
edhajhdlcegeplioahd_0
#{user_profile['
LocalAppData']
}/.mozilla/firefox
#{user_profile[‘LocalApp
Data’]}/.opera/widgets/
wuid-*/pstorage
SQLite DB
• LastPassSavedLogins2 contains the encrypted
credentials
• No root needed
prefs.js (Firefox)
• extensions.lastpass.loginusers contains the usernames
• extensions.lastpass.loginpws contains encrypted passwords
• No root needed
Master password encryption
• AES-256
• IV: Random
• KEY: SHA256(username)
• Data: !L5b/dOyu4EMdmWCYkASQaw==|cHTFJDy1DQi8dPY0AJL/1B=
IV
24 chars (ignoring !)
Separator
26th char
Data
Starting 27th char
MP encryption key Vault encryption key
Profit!
• We located the files
• We know the encryption system
• We have the IV
• We have the key
• We have the data
What about 2 factor auth?
Bypassing 2-factor Auth
2-factor auth
• Supports multiple platforms
• Google Auth, Yubikey, Toopher, etc.
UUID is the “trust token”
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
What’s going on?
• How is the request forged?
• How is the token generated?
• How is it stored?
• Where is it stored?
How is the request forged?
The token is injected into the DOM
How is the token generated?
• At plugin installation 32 chars
length
• 0-9 A-Z a-z !@#$%^&*()_
length lowercase?
uppercase? digits?
special
chars?
min digits
ambiguous
chars?
make
pronounceable?
How/Where is it stored?
• In plaintext
• Firefox
• In the file “lp.suid”
• Chrome/Safari/Opera
• Local-storage SQLite DB
Design Problems?
• Browsers don’t encrypt local storage
• LocalStorage DB and lp.suid are
accessible and unencrypted
• The token is stored in plaintext
• Token is injected in DOM
• XSS means game over
More problems
• Same token for all browser users
• Fixed token till plugin is reinstalled
• Untrusting the browser has no real effect
• Same token when changing QR Code
• Token fixation
• Attacker can set a token on the client
• Proactive token stealing
• Steal token today, use it tomorrow
Profit!
• We have the file
• We know the encryption
• We have the data
• We have the IV
• We have the key
• We have the 2-factor token
What about if:
“Remember password” was not clicked
There was no way to obtain 2-factor auth token
Abusing Account recovery
Wait… What?
How is account recovery possible if LastPass
does not know my password?
Recovering the account
Provide your email
Recovering the account
Get a unique link
Recovering the account
Press the button
Boom!
• Full, unrestricted access to the vault
• Attacker can set a new password
• But does not have to!
• Bypasses 2 factor-auth
Recover account flow
Email
GET /s/?s=8aa37bb1bb3FAKE03ad4127
302 Location: /recover.php?
&time=1412381291&timehash=340908c353c099c9FAKE6b387002c5a4881ebdf1
&username=test%40test.com&usernamehash=fc7be7e5f6cbec9FAKE2995bd3331c097
POST /otp.php
&changepw=ccb2501724FAKE2b575a214e1052
d0fa27b0726b6HASHdb2e1da3952e
Recover button
Can I directly generate the
recover url?
• time: timestamp when the recovery was
initiated (the link “expires” in 2 hours)
• timehash: salted hash of the timestamp
• username: the email address
• usernamehash: salted hash of the email
302 Location: /recover.php?
&time=1412381291&timehash=340908c353c099c9FAKE6b387002c5a4881ebdf1
&username=test%40test.com&usernamehash=fc7be7e5f6cbec9FAKE2995bd3331c097
Challenges
• I need to generate a valid timestamp
• I need the be able to generate the hashes
• I need the salt
Let’s try…
• Request my own unique url and reuse the hashes in
the victims url
• BINGO!
• Same salt is used for all users
• Link does not truly expire, only the timestamp is
validated against the hash
• There is no need to request account recovery. You
only need a valid url
The salt is the secret
• Still, we need to change the username, and hash it.
• We are only missing the server salt to be able to
generate valid recover urls
• Salts are not designed to be a secret, only random
and unique.
• Oh wait…
“LastPass account email addresses, password reminders,
server per user salts, and authentication hashes were
compromised”
Can I forge the post
request?
• changepw: a derived “disabled OTP”
POST /otp.php
&changepw=ccb25017c4FAKE2b575a21441055d0fa27b0726b6HASHdb2e1da395e
OTPs in LastPass
• 2 types of OTPs
• “True” OTPs for authentication
• “Disabled” OTP
• Let’s call it dOTP
Disabled OTP
• Used to recover the vault
• Which ultimately means for authentication
• It’s set by default
• It’s not the encryption key
How/Where is it stored?
• Unprotected
• Firefox
• In the file {SHA256(username)}_ff.sotp (binary format)
• Needs the extra step: bin2hex
• Chrome/Safari/Opera
• SQLite DB
How is the request forged?
The dOTP is injected into the DOM
From dOTP to vault
Local-storage
getdOTP(username)
dOTP
token=SHA256(SHA256(username+dOTP)+dOTP)
/otp.php(username, token)
Set-Cookie: PHPSESSID
pwdeckey
GET /accts3.php
encrypted vault
What is”pwdeckey”?
• It’s not the key to decrypt any password
• It’s the seed to derive the key to decrypt the “vault
key”
• The vault key decrypts all the password, notes, etc.
in the vault
How/Where is the vault key
stored?
• Encrypted
• Firefox
• In the file {SHA256(username)}_lpall.slps
• Chrome/Safari/Opera
• SQLite DB
AES-ECB(SHA256(pwdeckey), encryptedVaultKey )
Vault key decryption
Profit!
• We located the token
• We know how to hash it
• We get the vault key
decryption key
• We get the vault
• We decrypt the vault key
• We decrypt the vault
Automating all the stuff
Metasploit module
• Steals and decrypts the master
password
• Steals the 2-factor auth token
• Steals the encryption key
• Decrypts the entire vault
• Supports:
• Win, Mac and Unix
• Chrome, Firefox, Safari and Opera
• Meterpreter and shell
• Multiuser
Demo
What about if there is:
No disabled OTP
No access to the machine
No Exploit
No nothing!
Google dorks
“extensions.lastpass.loginpws”
Stop sharing your LastPass
credentials with the entire world!!!!
Hardening LastPass
Hardening LastPass
• Use the binary version of the plugin
• Do not store your master password
• Disable “Account recovery”
• Do not use “Password reminder”
• Activate 2-factor auth
• Prompt for master password to make passwords visible
• Add country restriction
• Update/Randomize PBKDF2 iterations
• Disallow TOR logins
Thank you!
Questions?
@martin_vigo
martinvigo.com
martinvigo@gmail.com

Contenu connexe

Tendances

BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 

Tendances (20)

BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
I See You
I See YouI See You
I See You
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 

En vedette

Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris ValasekSuns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris ValasekShakacon
 
Exploiting Elevator Security Weaknesses by Deviant Ollam
Exploiting Elevator Security Weaknesses by Deviant OllamExploiting Elevator Security Weaknesses by Deviant Ollam
Exploiting Elevator Security Weaknesses by Deviant OllamShakacon
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Automotive Exploitation Techniques by Craig Smith
Automotive Exploitation Techniques by Craig SmithAutomotive Exploitation Techniques by Craig Smith
Automotive Exploitation Techniques by Craig SmithShakacon
 
I am the 100% [*] by Chris Evans & Natalie Silvanovich
I am the 100% [*] by Chris Evans & Natalie SilvanovichI am the 100% [*] by Chris Evans & Natalie Silvanovich
I am the 100% [*] by Chris Evans & Natalie SilvanovichShakacon
 
There's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreThere's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreShakacon
 
Lock picking 2600
Lock picking 2600Lock picking 2600
Lock picking 2600antitree
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building securityMayank Jain
 
New Indian Elevators, Maharashtra, Elevator Components
New Indian Elevators, Maharashtra, Elevator ComponentsNew Indian Elevators, Maharashtra, Elevator Components
New Indian Elevators, Maharashtra, Elevator ComponentsIndiaMART InterMESH Limited
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamShakacon
 
An Introduction to Machine Learning
An Introduction to Machine LearningAn Introduction to Machine Learning
An Introduction to Machine LearningAngelo Simone Scotto
 
Diagram of an elevator
Diagram of an elevatorDiagram of an elevator
Diagram of an elevatorbeccapr69
 
Developing an Elevator Pitch
Developing an Elevator PitchDeveloping an Elevator Pitch
Developing an Elevator PitchShai Goldman
 
Thysse krupp introducing tke_nov_2014_16-9_final
Thysse krupp introducing tke_nov_2014_16-9_finalThysse krupp introducing tke_nov_2014_16-9_final
Thysse krupp introducing tke_nov_2014_16-9_finalDavid Heaney
 
Elevator Controller
Elevator Controller Elevator Controller
Elevator Controller Mayank Jain
 
vertical-transportation (mechanical)
vertical-transportation (mechanical)vertical-transportation (mechanical)
vertical-transportation (mechanical)AnsherinaDelMundo
 
Bucket Elevator Basics: Definitions & Details
Bucket Elevator Basics: Definitions & DetailsBucket Elevator Basics: Definitions & Details
Bucket Elevator Basics: Definitions & DetailsWebster Industries Inc.
 

En vedette (20)

Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris ValasekSuns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
 
Exploiting Elevator Security Weaknesses by Deviant Ollam
Exploiting Elevator Security Weaknesses by Deviant OllamExploiting Elevator Security Weaknesses by Deviant Ollam
Exploiting Elevator Security Weaknesses by Deviant Ollam
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
Automotive Exploitation Techniques by Craig Smith
Automotive Exploitation Techniques by Craig SmithAutomotive Exploitation Techniques by Craig Smith
Automotive Exploitation Techniques by Craig Smith
 
I am the 100% [*] by Chris Evans & Natalie Silvanovich
I am the 100% [*] by Chris Evans & Natalie SilvanovichI am the 100% [*] by Chris Evans & Natalie Silvanovich
I am the 100% [*] by Chris Evans & Natalie Silvanovich
 
There's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby MooreThere's Waldo by Patrick Wardle & Colby Moore
There's Waldo by Patrick Wardle & Colby Moore
 
Lock picking 2600
Lock picking 2600Lock picking 2600
Lock picking 2600
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building security
 
New Indian Elevators, Maharashtra, Elevator Components
New Indian Elevators, Maharashtra, Elevator ComponentsNew Indian Elevators, Maharashtra, Elevator Components
New Indian Elevators, Maharashtra, Elevator Components
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 
An Introduction to Machine Learning
An Introduction to Machine LearningAn Introduction to Machine Learning
An Introduction to Machine Learning
 
Diagram of an elevator
Diagram of an elevatorDiagram of an elevator
Diagram of an elevator
 
Omkar Electronics, Thane, Elevator Components
Omkar Electronics, Thane, Elevator ComponentsOmkar Electronics, Thane, Elevator Components
Omkar Electronics, Thane, Elevator Components
 
Elevator
ElevatorElevator
Elevator
 
Developing an Elevator Pitch
Developing an Elevator PitchDeveloping an Elevator Pitch
Developing an Elevator Pitch
 
Thysse krupp introducing tke_nov_2014_16-9_final
Thysse krupp introducing tke_nov_2014_16-9_finalThysse krupp introducing tke_nov_2014_16-9_final
Thysse krupp introducing tke_nov_2014_16-9_final
 
Elevator Controller
Elevator Controller Elevator Controller
Elevator Controller
 
vertical-transportation (mechanical)
vertical-transportation (mechanical)vertical-transportation (mechanical)
vertical-transportation (mechanical)
 
Elevator1
Elevator1Elevator1
Elevator1
 
Bucket Elevator Basics: Definitions & Details
Bucket Elevator Basics: Definitions & DetailsBucket Elevator Basics: Definitions & Details
Bucket Elevator Basics: Definitions & Details
 

Similaire à Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo

Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Martin Vigo
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019Taswar Bhatti
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedOctavio Paguaga
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScriptFrancois Marier
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020 WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020 stk_jj
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsChristopher Allen
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No CashYorick Phoenix
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
MS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwordsMS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwordsNikolay Klendar
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 

Similaire à Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo (20)

Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020 WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No Cash
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
MS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwordsMS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwords
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 

Plus de Shakacon

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEShakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server:  A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server:  A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir   incident response in a containerized, immutable, continually deploy...Dock ir   incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest:  A Wearable Protest NetworkSilent Protest:  A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkShakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts:  Devolving MalwareSad Panda Analysts:  Devolving Malware
Sad Panda Analysts: Devolving MalwareShakacon
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzShakacon
 

Plus de Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server:  A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server:  A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir   incident response in a containerized, immutable, continually deploy...Dock ir   incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest:  A Wearable Protest NetworkSilent Protest:  A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts:  Devolving MalwareSad Panda Analysts:  Devolving Malware
Sad Panda Analysts: Devolving Malware
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
 

Dernier

KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Alexander Turgeon
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 

Dernier (20)

KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 

Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo

  • 1. Breaking Vaults Stealing LastPass protected secrets Martin Vigo @martin_vigo martinvigo.com
  • 2. Who am I • Product Security Engineer • Spaniard / Galician • Diver • Gin tonic consumer • @martin_vigo / martinvigo.com Most beautiful beach in the world Amazing seafood Charlie Sheen’s grandfather was Galician
  • 3. Wikipedia “LastPass is a password management service which seeks to resolve the password fatigue problem by centralizing user password management in the cloud”
  • 5. Why targeting Password Managers? • All you want to hack is in one place • Social Networks • Banks • Email accounts • Corporate credentials
  • 6. Why LastPass? • Enterprise edition • Large companies use it • “More than 10,000 corporate customers ranging in size all the way up to the Fortune 500” • Not only credentials • Credit Cards, Personal documentation, Private notes, etc. • Arguably the most popular password manager
  • 7. State of the art • Vulnerabilities • DNS poisoning • XSS form injection All focus on leaking specific secrets
  • 8. Target: Master Password All your secrets are belong to us
  • 10. Focus
  • 11. Browser Plugin • Javascript • Sandboxed (SOP) • Injects code into DOM • Access to filesystem
  • 12. Security claims • LastPass has no access to your data • Local encryption • Secure storage
  • 13. Reversing Meaning making sense of 3MB of obfuscated JS
  • 14. siesta.py • Beautifies every JS file • Injects a payload to every function • console.log([file] [function] [params]) • Credits to Alberto Garcia (@algillera)
  • 15. • Identified all accessed files • Minimized JS • Storage on Sqlite DBs • Browser specific implementation • Business logic • File location • Storage • AES own implementation • RSA is based on jsbn library Logic and storage
  • 16. Local encryption • 256-bit AES • CBC and ECB • Their own implementation • PBKDF2 • 500 / 5000 rounds (default) • Unauthenticated query
  • 17. Encryption key PBKDF2(SHA-256, Username, Master Password, Iterations, 32) Salt Password key length
  • 18. LastPass has no access to your data PBKDF2(SHA-256, Master Password, k, 1, 32) E/D(k, vault) Encrypted Vault Encrypted Vault PBKDF2(SHA-256, Per user salt, k’, 100000, 32)
  • 19. What does LastPass see? The encrypted vault A 1-round PBKDF2-SHA256 of the encryption key
  • 21. Remember password • Stores the password locally • Sqlite DB or prefs.js • ECB or CBC • u7W1PsEYsWrtAS1Ca7lOOH== • !waXcJg8b7wI8XYZnV2l45A==|4d0Hiq+spx50pso2tEMtkQ==
  • 22. Storage Chrome Firefox Safari Opera Windows #{user_profile['LocalApp Data']}/Google/Chrome/ User Data/Default/ databases/chrome- extension_hdokiejnpimak edhajhdlcegeplioahd_0 #{user_profile[ 'AppData']}/ Mozilla/ Firefox/Profiles #{user_profile['LocalAppData ']}/Apple Computer/Safari/ Databases/safari- extension_com.lastpass.lpsaf ariextension-n24rep3bmn_0 #{user_profile['AppData']}/ Opera Software/Opera Stable/databases/chrome- extension_hnjalnkldgigidg gphhmacmimbdlafdo_0 Mac #{user_profile['LocalApp Data']}/Google/Chrome/ Default/databases/ chrome- extension_hdokiejnpimak edhajhdlcegeplioahd_0 #{user_profile[' LocalAppData'] }/Firefox/ Profiles #{user_profile['AppData']}/ Safari/Databases/safari- extension_com.lastpass.lpsaf ariextension-n24rep3bmn_0 #{user_profile['LocalAppData'] }/com.operasoftware.Opera/ databases/chrome- extension_hnjalnkldgigidggph hmacmimbdlafdo_0 Unix #{user_profile['LocalApp Data']}/.config/google- chrome/Default/ databases/chrome- extension_hdokiejnpimak edhajhdlcegeplioahd_0 #{user_profile[' LocalAppData'] }/.mozilla/firefox #{user_profile[‘LocalApp Data’]}/.opera/widgets/ wuid-*/pstorage
  • 23. SQLite DB • LastPassSavedLogins2 contains the encrypted credentials • No root needed
  • 24. prefs.js (Firefox) • extensions.lastpass.loginusers contains the usernames • extensions.lastpass.loginpws contains encrypted passwords • No root needed
  • 25. Master password encryption • AES-256 • IV: Random • KEY: SHA256(username) • Data: !L5b/dOyu4EMdmWCYkASQaw==|cHTFJDy1DQi8dPY0AJL/1B= IV 24 chars (ignoring !) Separator 26th char Data Starting 27th char MP encryption key Vault encryption key
  • 26. Profit! • We located the files • We know the encryption system • We have the IV • We have the key • We have the data
  • 27. What about 2 factor auth?
  • 29. 2-factor auth • Supports multiple platforms • Google Auth, Yubikey, Toopher, etc.
  • 30. UUID is the “trust token”
  • 32. What’s going on? • How is the request forged? • How is the token generated? • How is it stored? • Where is it stored?
  • 33. How is the request forged? The token is injected into the DOM
  • 34. How is the token generated? • At plugin installation 32 chars length • 0-9 A-Z a-z !@#$%^&*()_ length lowercase? uppercase? digits? special chars? min digits ambiguous chars? make pronounceable?
  • 35. How/Where is it stored? • In plaintext • Firefox • In the file “lp.suid” • Chrome/Safari/Opera • Local-storage SQLite DB
  • 36. Design Problems? • Browsers don’t encrypt local storage • LocalStorage DB and lp.suid are accessible and unencrypted • The token is stored in plaintext • Token is injected in DOM • XSS means game over
  • 37. More problems • Same token for all browser users • Fixed token till plugin is reinstalled • Untrusting the browser has no real effect • Same token when changing QR Code • Token fixation • Attacker can set a token on the client • Proactive token stealing • Steal token today, use it tomorrow
  • 38. Profit! • We have the file • We know the encryption • We have the data • We have the IV • We have the key • We have the 2-factor token
  • 39. What about if: “Remember password” was not clicked There was no way to obtain 2-factor auth token
  • 41. Wait… What? How is account recovery possible if LastPass does not know my password?
  • 43. Recovering the account Get a unique link
  • 45. Boom! • Full, unrestricted access to the vault • Attacker can set a new password • But does not have to! • Bypasses 2 factor-auth
  • 46. Recover account flow Email GET /s/?s=8aa37bb1bb3FAKE03ad4127 302 Location: /recover.php? &time=1412381291&timehash=340908c353c099c9FAKE6b387002c5a4881ebdf1 &username=test%40test.com&usernamehash=fc7be7e5f6cbec9FAKE2995bd3331c097 POST /otp.php &changepw=ccb2501724FAKE2b575a214e1052 d0fa27b0726b6HASHdb2e1da3952e Recover button
  • 47. Can I directly generate the recover url? • time: timestamp when the recovery was initiated (the link “expires” in 2 hours) • timehash: salted hash of the timestamp • username: the email address • usernamehash: salted hash of the email 302 Location: /recover.php? &time=1412381291&timehash=340908c353c099c9FAKE6b387002c5a4881ebdf1 &username=test%40test.com&usernamehash=fc7be7e5f6cbec9FAKE2995bd3331c097
  • 48. Challenges • I need to generate a valid timestamp • I need the be able to generate the hashes • I need the salt
  • 49. Let’s try… • Request my own unique url and reuse the hashes in the victims url • BINGO! • Same salt is used for all users • Link does not truly expire, only the timestamp is validated against the hash • There is no need to request account recovery. You only need a valid url
  • 50. The salt is the secret • Still, we need to change the username, and hash it. • We are only missing the server salt to be able to generate valid recover urls • Salts are not designed to be a secret, only random and unique. • Oh wait… “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised”
  • 51. Can I forge the post request? • changepw: a derived “disabled OTP” POST /otp.php &changepw=ccb25017c4FAKE2b575a21441055d0fa27b0726b6HASHdb2e1da395e
  • 52. OTPs in LastPass • 2 types of OTPs • “True” OTPs for authentication • “Disabled” OTP • Let’s call it dOTP
  • 53. Disabled OTP • Used to recover the vault • Which ultimately means for authentication • It’s set by default • It’s not the encryption key
  • 54. How/Where is it stored? • Unprotected • Firefox • In the file {SHA256(username)}_ff.sotp (binary format) • Needs the extra step: bin2hex • Chrome/Safari/Opera • SQLite DB
  • 55. How is the request forged? The dOTP is injected into the DOM
  • 56. From dOTP to vault Local-storage getdOTP(username) dOTP token=SHA256(SHA256(username+dOTP)+dOTP) /otp.php(username, token) Set-Cookie: PHPSESSID pwdeckey GET /accts3.php encrypted vault
  • 57. What is”pwdeckey”? • It’s not the key to decrypt any password • It’s the seed to derive the key to decrypt the “vault key” • The vault key decrypts all the password, notes, etc. in the vault
  • 58. How/Where is the vault key stored? • Encrypted • Firefox • In the file {SHA256(username)}_lpall.slps • Chrome/Safari/Opera • SQLite DB
  • 60. Profit! • We located the token • We know how to hash it • We get the vault key decryption key • We get the vault • We decrypt the vault key • We decrypt the vault
  • 62. Metasploit module • Steals and decrypts the master password • Steals the 2-factor auth token • Steals the encryption key • Decrypts the entire vault • Supports: • Win, Mac and Unix • Chrome, Firefox, Safari and Opera • Meterpreter and shell • Multiuser
  • 63. Demo
  • 64. What about if there is: No disabled OTP No access to the machine No Exploit No nothing!
  • 67. Stop sharing your LastPass credentials with the entire world!!!!
  • 69. Hardening LastPass • Use the binary version of the plugin • Do not store your master password • Disable “Account recovery” • Do not use “Password reminder” • Activate 2-factor auth • Prompt for master password to make passwords visible • Add country restriction • Update/Randomize PBKDF2 iterations • Disallow TOR logins