• Stars
    star
    107
  • Rank 323,587 (Top 7 %)
  • Language
    C
  • Created over 3 years ago
  • Updated about 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Utilities to extract secrets from 1Password

1PasswordSuite

Blog

https://posts.specterops.io/1password-secret-retrieval-methodology-and-implementation-6a9db3f3c709

1PasswordExtract

This .NET application is built on the same version of the CLR (4.7.2) the latest 1Password binary uses at the time of upload (8/13/21). This binary gets function pointers to various critical functions responsible for decrypting secrets within the 1Password SQLite database and waits until the 1Password application is unlocked by the user. Once unlocked, it writes the results as a JSON array to C:\Users\Public\1Password.log for you to view and parse.

1PasswordInject

This unmanaged application acquires a process handle to the 1Password process and adjusts the Discretionary Access Control List (DACL) on it to allow for full access rights to the process. Once those access rights have been adjusted, a new handle is opened with PROCESS_ALL_ACCESS to inject the 1PasswordExtract shellcode blob generated by @TheWover's donut. This shellcode is embedded as a byte array in the RawData.h header if you choose to modify the 1PasswordExtract code.

sc.py

Simple python script that leverages @TheWover's donut to generate shellcode from a .NET binary. This is placed into loader.bin, which is then copied as a C byte array into RawData.h of 1PasswordInject. This process is manual and not automated at this time, meaning you'll need to copy paste this shellcode into the header file yourself if you choose to make modifications.

Future Development

There's more to look at here. Not included in this project is a way to retrieve the user's proxy credentials from the application. Other avenues that have been explored in the past (but not currently verified) is the retrieval of the master password. Lastly, the ability to decrypt the SQLite database directly instead of using injection is promising, but since this works, I chose to stop working on it any further.

Special Thanks

  • @tifkin, for helping me figure out why I couldn't acquire a process handle to 1Password.

More Repositories

1

SharpChromium

.NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.
C#
590
star
2

SharpWeb

.NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
C#
456
star
3

SharpShares

Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
C#
244
star
4

WireTap

.NET 4.0 Project to interact with video, audio and keyboard hardware.
C#
192
star
5

CSharpSetThreadContext

C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
C#
119
star
6

EventLogParser

Parse PowerShell and Security event logs for sensitive information.
C#
117
star
7

SharpLogger

Keylogger written in C#
C#
115
star
8

SharpSearch

Search files for extensions as well as text within.
C#
114
star
9

cliProxy

Proxy Unix applications in the terminal
Go
113
star
10

ScatterBrain

Suite of Shellcode Running Utilities
VBScript
105
star
11

.NET-Profiler-DLL-Hijack

Implementation of the .NET Profiler DLL hijack in C#
C#
97
star
12

ProcessReimaging

Process reimaging proof of concept code
C++
94
star
13

macos_shell_memory

Execute MachO binaries in memory using CGo
C
79
star
14

KittyLitter

Credential Dumper
C#
74
star
15

TSMSISrv_poc

C# POC code for the SessionEnv dll hijack by utilizing called functions of TSMSISrv.dll
C#
54
star
16

wlbsctrl_poc

C++ POC code for the wlbsctrl.dll hijack on IKEEXT
C
49
star
17

SharpSC

Simple .NET assembly to interact with services.
C#
35
star
18

HookDetector

Playing with PE's and Building Structures by Hand
C++
22
star
19

SharpScreenshot

Dead simple C# project to take a screenshot.
C#
17
star
20

CSharpCreateThreadExample

C# code to run PIC using CreateThread
C#
17
star
21

spfwalker

Tool to walk SPF records for relevant domain names and Whois information.
Go
16
star
22

librarian

Shared library loading application for Linux written in Go.
Go
16
star
23

SharpEdge

C# Implementation of Get-VaultCredential
C#
14
star
24

GitSecrets

Script to help enumerate and dig through Github and Github Enterprise installations.
Python
14
star
25

gosharedlib

Shared library example to be loaded by the github.com/djhohnstein/librarian application
Go
10
star
26

ghidorah

Golang Brute Force Tool
Go
9
star
27

portscanner

Golang portscanning tool
Go
5
star
28

essdp_fork

Fork of Evil SSDP from InitString. Adds base64 authentication, redirect urls and customizable realm options for internal phishing.
Python
4
star
29

polarbearrepo

C++
3
star
30

CPPWebClient

Web client to wrap GET and POST requests in C++
C++
3
star
31

PowerShell-Book-Labs

PowerShell labs from various books
PowerShell
2
star
32

DerbyCon2019

Code & Slides For DerbyCon 2019
C#
2
star
33

Vuln-Server-Exploits

Exploits for Vuln Server (http://www.thegreycorner.com/2010/12/introducing-vulnserver.html)
Python
1
star
34

all-MiniLM-L6-v2-tfjs

all-MiniLM-L6-v2-tfjs
1
star