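function Get-BrowserInformation {
<#
    .SYNOPSIS

        Dumps Browser Information
        Author: @424f424f
        License: BSD 3-Clause
        Required Dependencies: None
        Optional Dependencies: None

    .DESCRIPTION

        Enumerates browser history or bookmarks for Chrome, Internet Explorer,
        and/or Firefox browsers on Windows machines.

        Each result is a PSObject with the properties User, Browser, DataType
        and Data.

    .PARAMETER Browser

        The type of browser to enumerate, 'Chrome', 'IE', 'Firefox' or 'All'

    .PARAMETER Datatype

        Type of data to enumerate, 'History', 'Bookmarks' or 'All'

    .PARAMETER UserName

        Specific username to search browser information for. Defaults to the
        current user ($ENV:USERNAME) when empty.

    .PARAMETER Search

        Term to search for. The term is applied with -match, so it is
        interpreted as a regular expression; an empty term matches everything.

    .EXAMPLE

        PS C:\> Get-BrowserInformation

        Enumerates browser information for all supported browsers.

    .EXAMPLE

        PS C:\> Get-BrowserInformation -Browser IE -Datatype Bookmarks -UserName user1

        Enumerates bookmarks for Internet Explorer for the user 'user1'.

    .EXAMPLE

        PS C:\> Get-BrowserInformation -Browser All -Datatype History -UserName user1 -Search 'github'

        Enumerates history for all supported browsers for the user 'user1' and only returns
        results matching the search term 'github'.

    .NOTES

        - Chrome 'History' and Firefox 'places.sqlite' are read as text and
          scraped with a URL regex; the databases are not parsed. The trailing
          path group of that regex is lazy and ends the pattern, so matches
          appear to stop at the host name - confirm before relying on full URLs.
        - Only the Chrome 'Default' profile and the bookmark bar folder are read.
        - The Internet Explorer collectors do not filter on -UserName: history is
          read from every user hive under HKEY_USERS and bookmarks from every
          profile under <SystemDrive>\Users. The User property of those results
          names the account the data was found under.
        - Firefox bookmarks are not collected; only Firefox history is.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Position = 0)]
        [String[]]
        [ValidateSet('Chrome','IE','FireFox', 'All')]
        $Browser = 'All',

        [Parameter(Position = 1)]
        [String[]]
        [ValidateSet('History','Bookmarks','All')]
        $DataType = 'All',

        [Parameter(Position = 2)]
        [String]
        $UserName = '',

        [Parameter(Position = 3)]
        [String]
        $Search = ''
    )

    # JSON deserializer built on JavaScriptSerializer (System.Web.Extensions),
    # used instead of the ConvertFrom-Json cmdlet.
    function ConvertFrom-Json20([object] $item){
        #http://stackoverflow.com/a/29689642
        Add-Type -AssemblyName System.Web.Extensions
        $ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer
        # Leading comma keeps the result from being unrolled on return.
        return ,$ps_js.DeserializeObject($item)
    }

    # Emits one History object per unique URL match found in the Chrome
    # 'History' file of $UserName.
    function Get-ChromeHistory {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find Chrome History for username: $UserName"
        }
        else {
            # Fix: the read used to run even when the file was missing, which
            # raised an error right after the verbose notice.
            $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
            $Value = Get-Content -Path $Path |
                Select-String -AllMatches $Regex |
                ForEach-Object { ($_.Matches).Value } |
                Sort-Object -Unique
            $Value | ForEach-Object {
                $Key = $_
                if ($Key -match $Search){
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        Browser = 'Chrome'
                        DataType = 'History'
                        Data = $_
                    }
                }
            }
        }
    }

    # Emits one Bookmark object per unique URL in the bookmark bar of the
    # Chrome 'Bookmarks' JSON file of $UserName.
    function Get-ChromeBookmarks {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
        if (-not (Test-Path -Path $Path)) {
            # Fix: this message used to say 'FireFox'.
            Write-Verbose "[!] Could not find Chrome Bookmarks for username: $UserName"
        } else {
            $Json = Get-Content $Path
            $Output = ConvertFrom-Json20($Json)
            # Only direct children of the bookmark bar are read.
            $Jsonobject = $Output.roots.bookmark_bar.children
            $Jsonobject.url | Sort-Object -Unique | ForEach-Object {
                if ($_ -match $Search) {
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        # Fix: results used to be labelled 'Firefox'.
                        Browser = 'Chrome'
                        DataType = 'Bookmark'
                        Data = $_
                    }
                }
            }
        }
    }

    # Emits one History object per TypedURLs registry value, for every user
    # hive under HKEY_USERS whose key name ends in an S-1-5-21-... SID.
    function Get-InternetExplorerHistory {
        #https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/

        $Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
        $Hives = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }

        ForEach ($Hive in $Hives) {

            # Resolve the hive's SID to an account name. Translate() throws for
            # a SID that no longer maps to an account; fall back to the SID so
            # a name from the previous iteration is never reused.
            $Sid = $Hive.PSChildName
            try {
                $User = ([System.Security.Principal.SecurityIdentifier] $Sid).Translate([System.Security.Principal.NTAccount]) | Select-Object -ExpandProperty Value
            }
            catch {
                $User = $Sid
            }

            $Path = $Hive | Select-Object -ExpandProperty PSPath

            $UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
            if (-not (Test-Path -Path $UserPath)) {
                Write-Verbose "[!] Could not find IE History for SID: $Path"
            }
            else {
                Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
                    $Key = $_
                    $Key.GetValueNames() | ForEach-Object {
                        $Value = $Key.GetValue($_)
                        if ($Value -match $Search) {
                            New-Object -TypeName PSObject -Property @{
                                # Fix: every hive's entries used to be attributed
                                # to $UserName; the resolved account was unused.
                                User = $User
                                Browser = 'IE'
                                DataType = 'History'
                                Data = $Value
                            }
                        }
                    }
                }
            }
        }
    }

    # Emits one Bookmark object per URL= line of every *.url file whose path
    # contains 'Favorites', across all profiles under <SystemDrive>\Users.
    function Get-InternetExplorerBookmarks {
        $Shortcuts = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue
        ForEach ($Shortcut in $Shortcuts) {
            if ($Shortcut.FullName -match 'Favorites') {
                # Third path component, i.e. the profile folder name.
                $User = $Shortcut.FullName.split('\')[2]
                Get-Content -Path $Shortcut.FullName | ForEach-Object {
                    try {
                        if ($_.StartsWith('URL')) {
                            # parse the .url body to extract the actual bookmark location
                            $URL = $_.Substring($_.IndexOf('=') + 1)

                            if($URL -match $Search) {
                                New-Object -TypeName PSObject -Property @{
                                    User = $User
                                    Browser = 'IE'
                                    DataType = 'Bookmark'
                                    Data = $URL
                                }
                            }
                        }
                    }
                    catch {
                        Write-Verbose "Error parsing url: $_"
                    }
                }
            }
        }
    }

    # Emits one History object per unique URL match found in places.sqlite
    # under the '*.default' Firefox profile folder of $UserName.
    function Get-FireFoxHistory {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find FireFox History for username: $UserName"
        }
        else {
            $Profiles = Get-ChildItem -Path "$Path\*.default\" -ErrorAction SilentlyContinue
            if (-not $Profiles) {
                # Without a profile folder the read below would resolve to
                # '\places.sqlite' and fail.
                Write-Verbose "[!] Could not find a FireFox profile for username: $UserName"
                return
            }
            $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
            # NOTE(review): $Profiles is expanded into a single path string, so
            # this presumably expects exactly one '*.default' folder - confirm.
            $Value = Get-Content $Profiles\places.sqlite |
                Select-String -Pattern $Regex -AllMatches |
                Select-Object -ExpandProperty Matches |
                Sort-Object -Unique
            $Value.Value | ForEach-Object {
                if ($_ -match $Search) {
                    # The original wrapped this in an input-less ForEach-Object;
                    # emitting directly keeps $_ bound to the matched URL.
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        Browser = 'Firefox'
                        DataType = 'History'
                        Data = $_
                    }
                }
            }
        }
    }

    # Default to the account running the function.
    if (!$UserName) {
        $UserName = "$ENV:USERNAME"
    }

    $WantHistory = ($DataType -Contains 'All') -or ($DataType -Contains 'History')
    $WantBookmarks = ($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')

    if (($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) {
        if ($WantHistory) {
            Get-ChromeHistory
        }
        if ($WantBookmarks) {
            Get-ChromeBookmarks
        }
    }

    if (($Browser -Contains 'All') -or ($Browser -Contains 'IE')) {
        if ($WantHistory) {
            Get-InternetExplorerHistory
        }
        if ($WantBookmarks) {
            Get-InternetExplorerBookmarks
        }
    }

    if (($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) {
        # Only history is collected for Firefox.
        if ($WantHistory) {
            Get-FireFoxHistory
        }
    }
}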