Even the LastPass Will be Stolen, Deal with It!

Presented at Black Hat Europe 2015

Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic, as all the victim's secrets reside in the vault: one breach to get it all. LastPass is arguably one of the most popular password managers on the market. Over 10,000 corporate customers of various sizes, including Fortune 500 companies, rely on LastPass to protect all their data. Research has been done on how to attack password managers, but it has all focused on leaking specific credentials from the vault. LastPass stores not only credentials but also bank accounts, SSH keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing the LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass two-factor authentication. We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data on the machine, covering every account present. It will find and decrypt the master password, derive the encryption key for the vault, find the 2FA trust token, and steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.


Presenters:

  • Martin Vigo - Salesforce.com
    Martin Vigo is a Product Security Engineer with a special interest in web and mobile security. He previously worked as a Software Engineer, where he developed a strong passion for information security. Currently, he helps engineers design secure systems and applications, conducts security reviews and penetration testing, and is responsible for mobile security. Martin is also involved in educating fellow developers on security essentials and best practices, and he has presented secure development and mobile app hardening talks at several conferences. Outside the office, Martin enjoys research, bug bounties, gin and tonics, and scuba diving.
  • Alberto Garcia - Salesforce.com
    Alberto Garcia Illera (@algillera) is passionate about hacking and social engineering. Alberto studied mathematics and computer systems in Spain and has spent the past several years working as a professional penetration tester. Alberto has presented at several seminars where he has helped teach hacking techniques to large organizations such as Microsoft, the Spanish government, and the Spanish police's cyberterrorism department. At DEF CON 20 in Las Vegas, Alberto presented a talk titled "How to Hack All the Transport Networks of a Country" that had a great impact. He has also spoken at ZeroNights in Moscow, Black Hat in Abu Dhabi, Infiltrate in Miami, DEF CON 21 and Black Hat Arsenal in Las Vegas.
