9

I’m trying to figure out if password managers such as LastPass store passwords in plain text (or hash values that can then be decrypted with the master-password) in memory after a user logs into the browser/extension.

I’m trying to find academic work on this subject but it's hard to find. Does anyone know any academic work regarding this subject?

Also, how should I approach this investigation? I plan on getting a complete memory dump of my laptop, or would it be better to just get a memory dump of the processes, such as the browser and LastPass?

Bob Ortiz
octo-carrot

  • Best bet would be to simply review the code of one of the popular open-source managers... But that's not really a security question though, is it? So what exactly are you asking? – AviD Apr 14 '15 at 10:11
  • Btw, hash values can't ever be decrypted, that's the point - you mean "encrypted values". – AviD Apr 14 '15 at 10:11
  • Don't know how it would go with using LastPass, but you could try logging in with your browser on a website using LastPass, then do a memory dump and see if the password is left in memory in plain text. If you normally logged into a website without LastPass, your password would be stored in memory in plain text. Here is a video demo of password extraction I think you would like: http://www.securitytube.net/video/6652 If you don't have a Linux machine, use a hex editor to find password strings in the raw dump. – Tim Jonas Apr 14 '15 at 10:14

3 Answers

7

First off, I used Google academic search to find papers about LastPass, password managers and memory forensics. It was the last one I found to be most helpful:

Amari, K. (2009) Techniques and Tools for Recovering and Analysing Data from Volatile Memory.

After gaining an understanding of memory extraction and analysis, I created a Windows 7 virtual machine with 2 GB of RAM, installed some browsers, made a few accounts on various websites, installed LastPass, restarted the machine and captured a memory dump using DUMPIT (search "DUMP IT memory dump"). I analyzed the memory dump using SIFT Workstation; in the terminal I used the command

    strings windows7.raw | grep "password" > output.txt

Swapping "password" for email addresses, known passwords of the fake accounts, website names etc.. I found nothing, so the memory was clean.

I then logged into LastPass and took another memory dump using the same tool. Analyzing this file highlighted a bunch of hashed values, which confirmed what LastPass says on its site - LastPass stores encrypted hash values in memory.

Next I decided to log into websites and accounts, but not all of them, just a random number of them, and took another memory dump. Using the same methods as before I found decrypted passwords, email addresses and other information. This means that when you visit a website that LastPass has a password for, it decrypts it and stores it in memory for your browser to use. I should also state that even if you don't use LastPass and instead use a browser's built-in password manager, you will get the same results.

So you might say that I needed to know the password in the first place. I didn't, as simply searching for "pass" or, in the case of Google websites, "Passwd" in the memory dump gave the passwords.

[Image: YouTube password in memory dump]

If I do this again I would do all the same steps above; however, I would log out of the Windows account and into another account to see if I can get the passwords from that memory dump. I suspect you would, meaning you can log into a public computer and obtain the previous user's passwords from their memory dump.

I would say that LastPass is secure until you log into a website; it's very unlikely anyone will be able to decrypt the hashed values. In the end, don't use LastPass or any other password manager on a public computer.

octo-carrot
  • Does DUMPIT work without administrator rights (at least during the install step)? You don't ordinarily have admin rights to public computers in order to make this attack work. – Ben Voigt Oct 05 '15 at 21:37
  • @BenVoigt good question, had to look into it, but yes it does require admin rights: "One of the major benefits of Dumpit that it is very easy to use and any user with an admin privileges can use it." https://isc.sans.edu/forums/diary/Acquiring+Memory+Images+with+Dumpit/17216/ – octo-carrot Oct 05 '15 at 22:05
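As an added example (not part of the answer above), here is the same search done in Python instead of strings | grep, covering both ASCII and UTF-16LE text. Windows and browser processes frequently hold strings as UTF-16LE, and GNU strings only finds those with -el, so a plain strings | grep pass over a Windows dump can miss a password that is in fact present. The dump bytes, the e-mail address and the password Hunter2!pw are constructed for the example; the field-name pattern (Passwd=, password=, pwd=) is an assumption about common login forms, not something taken from LastPass.

```python
"""Scan a raw memory dump for credentials in ASCII and UTF-16LE.

Added example; not code from the original answer. SAMPLE_DUMP is a
constructed stand-in for a capture such as windows7.raw.
"""
import re

KNOWN_PASSWORD = "Hunter2!pw"   # made-up password of a made-up test account

# Constructed "dump": binary noise, an ASCII login POST as the browser would
# buffer it, a UTF-16LE copy of the password as a Windows widget might hold
# it, and an unrelated string. None of this is a real capture.
SAMPLE_DUMP = (
    b"\x00\x11\x22MZ\x90\x00" * 4
    + b"POST /login HTTP/1.1\r\n..."
    + b"Email=alice%40example.test&Passwd=Hunter2!pw&signIn=Sign+in\x00\x00"
    + b"\x7f\x00\x00\xff" * 8
    + KNOWN_PASSWORD.encode("utf-16-le") + b"\x00\x00"
    + b"not a credential\x00"
)

MIN_LEN = 4  # same default minimum run length as GNU strings
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# printable ASCII byte followed by 0x00, repeated: UTF-16LE text (strings -el)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# form-field names that commonly carry a password (assumed, see lead-in)
FIELD_RE = re.compile(r"(?i)(pass(?:wd|word)?|pwd)=([^&\s]+)")


def extract_strings(data, min_len=MIN_LEN):
    """Yield (byte_offset, encoding, text) for printable runs in both encodings."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_credentials(data, known=()):
    """Return a sorted list of (offset, encoding, kind, value) hits.

    kind is 'field:<name>' for a form-field match such as Passwd=..., or
    'known' for a verbatim occurrence of a caller-supplied secret. A value
    matched both ways at the same offset is reported once, as the field hit.
    """
    hits = {}
    for off, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1   # bytes per character
        for m in FIELD_RE.finditer(text):
            key = (off + m.start(2) * width, enc, m.group(2))
            hits.setdefault(key, "field:" + m.group(1))
        for secret in known:
            idx = text.find(secret)
            while idx != -1:
                key = (off + idx * width, enc, secret)
                hits.setdefault(key, "known")
                idx = text.find(secret, idx + 1)
    return sorted((o, e, k, v) for (o, e, v), k in hits.items())


if __name__ == "__main__":
    # For a real capture: data = open("windows7.raw", "rb").read()
    for off, enc, kind, value in find_credentials(SAMPLE_DUMP, known=[KNOWN_PASSWORD]):
        print(f"0x{off:08x} {enc:9} {kind:13} {value}")
```

On the constructed dump this reports the password twice: once as the Passwd= field of the ASCII POST body and once as a UTF-16LE string that the shell pipeline in the answer would not have shown. For a multi-gigabyte dump, map the file with mmap rather than reading it whole, or process it in overlapping chunks.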
3

Maybe a simple way to proceed with such research would be to use some of the tools normally dedicated to game cheating by analyzing and directly editing the target software memory content. Search for things like "game memory search cheat" on your favorite search engine, and you should find several of them.

The programs I'm referring to take a snapshot of the target application's virtual memory, and then allow you to:

  • Search for a specific value (including text values in some cases, which should definitely interest you, since it would allow you to search for your password),
  • Compare snapshots taken at different times in order to analyze changes.
WhiteWinterWolf
2

The following Google search produces a number of academic papers.

inurl:\.edu\/ filetype:pdf password manager

As a test you could run bulk_extractor on a memory image looking for a known username/password combination.

user2320464