Before we can attack LastPass (click here to download our guide), we must have some basic idea of how it works:
Usernames, passwords, secure notes, and many other items are encrypted. However, stored URLs are not.
vla.local_keywith one iteration of PBKDF2-HMAC-SHA256 to make
vla.hashand this serves as the “password” to authenticate the user to LastPass. In this way, LastPass does not know
vla.local_keynor the master password.
vla.hashare sent to LastPass for authentication. If authentication is successful, the database containing encrypted credentials is obtained with a POST request to
Utilizing reverse proxies offers a more advanced approach for creating phishing web pages that not only allow users to fully authenticate to their accounts through a malicious site, but also automate the theft of information within the account. Reverse proxies are servers that sit between clients and web servers, often to increase security, performance, and reliability of web applications.
From an attacker’s perspective, reverse proxies can be used to sit between victim users and services of interest in order to extract sensitive information or inject malicious code. Download our guide to learn how to utilize reverse proxies for malicious purposes: