Pandora
A red team tool that assists into extracting/dumping master credentials and/or entries from different password managers.
<a name="readme-top"></a>
<!-- PROJECT LOGO -->
<br />
<div align="center">
  <a href="https://github.com/efchatz/pandora/blob/main/images/pandora-logo.PNG">
    <img src="images/pandora-logo.PNG" alt="Logo" width="700" height="500">
  </a>
  <h3 align="center">Pandora</h3>
  <p align="center">
    A red team tool to extract credentials from password managers.
    <br />
    <a href="https://github.com/efchatz/pandora/issues">Report Bug</a>
  </p>
</div>

<!-- TABLE OF CONTENTS -->
<details>
  <summary>Table of Contents</summary>
  <ol>
    <li>
      <a href="#about-the-project">About The Project</a>
      <ul>
        <li><a href="#built-with">Built With</a></li>
      </ul>
    </li>
    <li>
      <a href="#getting-started">Getting Started</a>
      <ul>
        <li><a href="#installation">Installation</a></li>
      </ul>
    </li>
    <li><a href="#usage">Usage</a></li>
    <li><a href="#prerequisites">Prerequisites</a></li>
    <li><a href="#methodology">Methodology</a></li>
    <li><a href="#license">License</a></li>
    <li><a href="#contact">Contact</a></li>
    <li><a href="#acknowledgments">Acknowledgments</a></li>
  </ol>
</details>

<!-- ABOUT THE PROJECT -->
About The Project
This is a red team tool that assists in gathering credentials from different password managers. The supported password managers fall into three categories: Windows 10 desktop applications, browsers, and browser plugins. The tool may work on other operating systems, such as Linux, but this has not been tested yet. In this release (v1.0), the tool supports 14 password managers with 18 different implementations (e.g., for the same product the tool can dump credentials from either the desktop app or the browser plugin). In most cases, the password manager must be running and unlocked for the tool to work.
The tool can be executed in Full, Fast, and Local modes. Full mode dumps and checks all processes of the chosen password manager. Fast mode checks only the process that most commonly contains the credentials. Local mode analyzes an existing dump file; it also offers a "merge" option that combines multiple dump files into one before the analysis. Additionally, the tool can check whether the installation directory of a password manager exists, to help the user identify which password manager is present on the host. Dumping a password manager's process only requires standard user permissions; the 1Password desktop app is the one exception, where the user needs high-integrity privileges to dump the process.
The purpose of this tool is therefore to provide an additional attack vector in red team engagements, since many users rely on password managers. Three videos have been uploaded to help explain how the tool works.
Regarding fixes, most vendors responded that such issues are out of scope for them, since the attacker needs local access or because AV/EDR should protect the user against such attacks. Some products may still provide fixes; the corresponding exploits will be released at a later date, as they are still under disclosure. Two vendors have so far acknowledged the issue and provided fixes, tracked as CVE-2023-23349 (Kaspersky) and CVE-2024-9203 (Enpass).
This is not a completely new concept. It has been well known for some time that there is no de facto way for desktop applications to be protected against such attacks. However, and to the best of my knowledge, this is the first time such a tool has been presented to the public. Feel free to provide any feedback and/or recommendations/improvements. The tool only handles the relevant versions: a password manager update could change the pattern that the tool uses to identify the credentials.
<p align="right">(<a href="#readme-top">back to top</a>)</p>
Built With
- C++
Getting Started
Clone the repository and compile it. Visual Studio 2022 was used during development.
Installation
- Install Visual Studio 2022, with all C++ dependencies.
- Clone the repo:
  ```
  git clone https://github.com/efchatz/pandora.git
  ```
- Open the project.
- Build the project in the Release configuration.
In case of an issue with "DbgHelp.lib", do the following:
- In Project->Properties->Linker->Input, set the "Configuration" dropdown to "All Configurations".
- Add "DbgHelp.lib" to "Additional Dependencies".
- In the same tab, set "Ignore All Default Libraries" to "No".
- Press "OK".
Methodology
The code is structured as follows:
- The user chooses the mode (full, fast, local). Full mode dumps all processes of a password manager; fast mode dumps only the process that in most cases contains the credentials. Local mode analyzes a dump file that the user provides.
- The user then has the option (yes/no) to check which password manager is installed, for either an app or a plugin. The code checks whether the default installation path of each password manager exists and reports the result. Note that most password managers do not let the user change the default installation path during installation; Keeper, for instance, is installed directly from the MS Store. This method can therefore help identify which password manager is installed. Note that in Full mode the tool does not validate the size of each process dump file it is about to create, so if the host lacks the required free space, some processes will not be dumped and no error message will be shown.
- The user chooses the relevant password manager.
- If the user chooses "local" mode, they are asked whether they want to merge different dump files. If yes, they must provide the filenames, one per line, and enter "done" at the end. Otherwise, they only have to provide the filename of their dump.
- Based on the chosen password manager, the tool dumps the process into a file.
- The dump file is then analyzed to identify any relevant pattern within it and extract credentials.
- In some cases junk data will be presented to the user. Such data is marked as unparsed characters so that it can be easily recognized.
- The user can then identify the credentials (either in the cmd output or in the relevant txt file).
It should be noted that in some cases password managers also store other types of data in plaintext, such as credit card details, addresses, and Wi-Fi passwords. Users should be wary of such attacks: do not execute untrusted files, enable 2FA, and so on.
Regarding the exploits, the methodology is simple: the purpose is to identify a pattern or a keyword that pinpoints the relevant credentials within the dump file. Each password manager is different, so each exploitation method differs, but the concept is the same, i.e., finding the relevant pattern pinpoints the credentials within the file. In some cases, the exploit finds where the credentials start and then gathers the next bytes, say 100. I did some extensive testing to identify these values correctly, but they may differ in a real-case scenario. Open an issue if you want to propose another password manager for inclusion in this tool, provided it holds credentials in plaintext within its process.
Note that the tool deletes the 'app.dmp' file at the end of execution. If you want to keep the dump file, comment out the line 'remove("app.dmp");' in the code. Generally, it is advised to first execute the code in a constrained environment in which the master/entry credentials are known, observe the output, and only then execute it on another host.
Further details can be found in our research work titled "Keep your memory dump shut: Unveiling data leaks in password managers".
<!-- USAGE EXAMPLES -->
Usage
To use this tool, simply execute the compiled executable on the relevant host and type the name of the password manager. Depending on the password manager, there are some requirements for the tool to be able to extract credentials. However, in most cases I kept password managers that needed only basic interaction to store their credentials in the memory of their process. After execution, the tool automatically dumps the relevant process for the chosen password manager, prints the credentials in the cmd, and saves them into a file (the file is written to the current folder of the .exe).
Three videos have been uploaded to show how this tool works. The videos depict the phase in which an attacker would be able to gather the credentials from a password manager. In the case of Avira and similar password managers, this can be done without any user interaction (see the relevant video).
The following table gives a high-level view of the tool's capabilities. Note that Firefox and the Firefox plugins of password managers may not work correctly; they need further research before the tool can extract the credentials in every case, because Firefox changes its pattern with each execution.
Note: The Users column refers to the number of users mentioned in the Chrome Web Store for each browser plugin. **The browser plugins were examined with Chrome v129.0.6668.89/.90. Later versions of Chrome may interfe
