Hello, and welcome to this course in which we're discussing using Python for data collection. In this video, we're going to be talking about using and abusing the Windows clipboard for copy and paste, and how we can use this to collect and potentially modify data on the system. So, it shouldn't come as much of a surprise that the Windows clipboard is accessible to a number of different applications on your computer. This makes perfect sense, because you're able to copy and paste in and out of applications fairly easily. And so, we're going to be taking advantage of this in this particular video, both to inspect the data that's contained within the clipboard and to actually modify this data in the attacker's best interest.

And so, to do so, we need to import the win32clipboard library for Python. And then we're also going to use re for matching regular expressions. We're also going to import the sleep function from the time library, because we don't want our code running constantly, let's say.

And so the goal of this particular Python program is to look for cases where a user has an email address stored in their clipboard. And so, you could think of this as someone copying and pasting an email address from one place to another so that they can send an email to someone. And we can make the assumption that they're not paying much attention to the email address that they're copying and pasting, and that there's potentially sensitive information contained within this email. And so, what we're going to do is scan the Windows clipboard, looking for times when that clipboard contains just an email address. In those particular cases, we're going to replace the email address in the clipboard with an attacker-controlled one.

And so how we're going to do this is we've got an infinite loop running here. So, `while True`, meaning that we're constantly going to be performing this test. You see down at the bottom that we have a sleep statement.
So, in reality, we'll be performing it not quite constantly, but regularly. We're going to take advantage of the win32clipboard library and call OpenClipboard, which gives us access to the clipboard. We can then read the contents of the clipboard using the function GetClipboardData. And then we're using rstrip just to remove trailing whitespace from whatever we're copying. And we're going to store the result here in data. And then we'll print the contents of data so that we see what's currently stored on the clipboard.

We'll then use re.search, which allows us to use regular expressions to look for things that match this particular email regular expression up here in data, so the data that we've extracted from the clipboard. So our if statement is going to return true and execute the code inside it if the user has copied an email address to their clipboard. If so, we're going to empty the clipboard and then set the clipboard text to the attacker's email. And so in our hypothetical situation here, this would mean that someone's copied and pasted a vendor email over from one document to send them an email, and we've substituted our own attacker-controlled email address into the user's clipboard. And so, we should receive the email instead of them, assuming that the user has not noticed this.

If we've successfully changed the text of the clipboard, we're going to break out of this infinite loop, because we've accomplished our objective. If not, we're going to close the clipboard and sleep until the next iteration. And so, the goal here is simply to gain control over the user's clipboard and take advantage of that control.

And so, what we're going to do now is go over to our command prompt. And first, let's put something in the clipboard that's innocuous. So say four A's here, or five A's here. I'm going to copy that, right click to put it in the clipboard, and so now we know that the clipboard contains five A's.
If we run Python and then the Python code, modify clipboard.py, and hit enter, we start seeing that periodically this set of five A's is printed. Now let's see what happens if I take Notepad and use it to put some other email address in the clipboard. So we'll do fake@email.com. We're still getting those five A's. But if I copy this with Ctrl+C, we see that fake@email.com appeared. We've read that in using our GetClipboardData. And then the code stopped, so something has happened. So if I copy that off and then paste it again, we now have an email address of attacker@evil.com, which, looking back at our code, is the attacker-controlled email address that we're planning on inserting into the clipboard.

And so under our potential example here, this allows us to receive whatever email is intended for some other user. And we could definitely be more sophisticated in the email addresses that we switch out. We could look for particular email addresses and use ones that look a lot like them, etc.

Additionally, the potential applications of this sort of code are not limited to email addresses. This is actually very similar to some clipboard-related malware that's used by people trying to steal Bitcoin and similar cryptocurrencies. How that sort of scheme works is that often people, when they want to send value to a particular address, will copy and paste it over, because the address in question is a long string of hex values, and so they don't want to type it themselves. Copy and paste makes perfect sense. And so if we, instead of looking for email addresses, look for something that was formatted like a Bitcoin or Ethereum, etc., address, we could substitute in an attacker-controlled public key or address in replacement for the original address. And so the result there would potentially be that value would be sent to the attacker-controlled account instead of the intended recipient.
And so, that would, due to how blockchain works, be an irreversible transaction that makes money for the attacker.

So, there are a variety of different applications here for clipboard modification. The accessing clipboard data part can be used for the collection stage of a cyber attack in the ATT&CK framework, because sensitive information might end up on the clipboard, and we can look at that sensitive information and potentially collect and exfiltrate it. Or we can actually use this to carry out attacks by redirecting emails, cryptocurrency transfers, etc. Thank you.
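
A defensive counterpart to the demo above, added here as an example and not part of the course's code: it scans clipboard-write events for the pattern shown in the video, where a copied value is replaced moments later by a different value of the same kind written by another process. The `ClipEvent` fields, the `writer` telemetry, the five-second window and the simplified address patterns are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Simplified patterns (assumptions) for the kinds of values the lecture says get swapped.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "btc": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

@dataclass
class ClipEvent:
    t: float      # seconds since capture start
    writer: str   # process that set the clipboard (assumed telemetry field)
    text: str     # clipboard text after the write

def classify(text):
    """Return the kind of sensitive value the clipboard holds, or None."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def find_swaps(events, window=5.0):
    """Flag writes that replace a value with a different value of the same kind,
    made by a different process within `window` seconds of the original copy."""
    alerts = []
    prev = None
    for ev in sorted(events, key=lambda e: e.t):
        kind = classify(ev.text)
        if prev is not None and kind is not None:
            prev_ev, prev_kind = prev
            if (kind == prev_kind and ev.text.strip() != prev_ev.text.strip()
                    and ev.writer != prev_ev.writer and ev.t - prev_ev.t <= window):
                alerts.append((kind, prev_ev, ev))
        prev = (ev, kind)
    return alerts

# Constructed sample events mirroring the demo in the video.
SAMPLE = [
    ClipEvent(0.0, "cmd.exe", "AAAAA"),
    ClipEvent(10.0, "notepad.exe", "fake@email.com"),
    ClipEvent(11.0, "python.exe", "attacker@evil.com"),
    ClipEvent(30.0, "notepad.exe", "alice@example.org"),
    ClipEvent(32.0, "notepad.exe", "bob@example.org"),  # user copies a second address
]

if __name__ == "__main__":
    for kind, before, after in find_swaps(SAMPLE):
        print(f"{kind} swapped by {after.writer}: {before.text!r} -> {after.text!r}")
```

The last two sample events show the benign case: a user copying two addresses in a row from the same application is not flagged, because the writer does not change.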