Decode passwords in sequel pro

5/15/2023

I was recently learning about web browser forensics and became interested in understanding the different ways that browsers locally store a user's credentials. I've also recently come across a few HackTheBox machines requiring decryption of passwords from browsers for privilege escalation. This presented me with the idea for a relatively straightforward task to start getting into C#. What resulted was a pretty fun project that taught me a lot - and I figure it's worth documenting here.

The following is my attempt to explain what I've learned and how my tool HarvestBrowserPasswords.exe extracts and decrypts credentials locally stored by Google Chrome and Mozilla Firefox in Windows. Based on the research/work that's gone into building this tool, it would be pretty straightforward to add functionality for Internet Explorer/Edge credential decryption as well. Someday I might bother doing that, if it turns out anyone actually uses those browsers.

Disclaimer - This post will gloss over a few topics (e.g. Microsoft DPAPI, ASN.1, 3DES) but I'll include some good references for further research along the way rather than try to explain these in depth. I'd also like to add upfront that I relied heavily on lClevy's diagram of Mozilla Password-Based Encryption for writing my own tool. He's written an awesome Python script for decrypting Firefox passwords - but I've tried to stay away from replicating his code for the benefit of my own learning. My code is far from perfect and I'm still very much trying to learn. If you'd like to give feedback please let me know at - otherwise, make a pull request!

Google Chrome

Where are the creds stored?

Google Chrome conveniently stores all of its forensic artefacts in a single location for each profile under a user's %LocalAppData% directory. For example, user account 'Apr4h' with two Google Chrome profiles would have one directory containing login data for each profile, each containing their own set of stored credentials:

- C:\Users\Apr4h\AppData\Local\Google\Chrome\User Data\Default (This is always the name of the first profile).
- C:\Users\Apr4h\AppData\Local\Google\Chrome\User Data\Profile 2 (Subsequent profiles are iteratively named).

The artefacts of particular interest for credential gathering are the Login Data (SQLite 3 database) files contained within each user's profile directory. Login Data SQLite databases primarily exist to store the usernames and passwords you wish to store for auto-fill, but also store a bunch of metadata and information about how to submit your credentials to the correct URL. For simplicity, I only care about the db's Logins table - specifically the 'signon_realm', username_value and password_value columns of the table. In the image below I'm using SQLiteStudio to view the database, which shows me that only the password_value gets encrypted.

This value is encrypted using Microsoft's Data Protection API (DPAPI). The DPAPI was intended to be extremely simple to use, and consists of only two functions: CryptProtectData() and CryptUnprotectData(), which symmetrically encrypt/decrypt data "blobs" (arbitrary arrays of bytes) using implicit crypto keys tied to a specific user or system. The upside to DPAPI encrypted credentials is that I don't need to know any of the target user's passwords or keys in order to decrypt their creds if I am already executing code in that user's context. The downside is that some extra work needs to be done in order to decrypt credentials if I don't have code execution in the target user's context. This awesome blog post shows Mimikatz "/unprotect"-ing DPAPI encrypted creds using a target user's known password.

Finding and Extracting Encrypted Logins

By following a few simple steps, I can begin gathering saved credentials for decryption. I'll use snippets of code from HarvestBrowserPasswords below to demonstrate each step.

Search the current user's %LocalAppData%\Google\Chrome directory for profiles

    catch (SQLiteException)

key4.db: Stores the master key for 3DES decryption of all passwords stored in logins.json, along with a "password-check" value that is used to validate decryption of the master key.

Putting it all together - Decrypting logins

Based on this information, the steps for decrypting logins are as follows:

- Locate user profiles, then extract the encoded encrypted "password-check" data from key4.db.
- ASN.1 decode, then 3DES decrypt the "password-check" data. This is done to confirm that either the supplied master password is correct, or that no password was supplied.
- Extract the encoded encrypted master key from key4.db.
- ASN.1 decode, then 3DES decrypt the master key.
- Read and JSON deserialise the encrypted logins from logins.json.
- ASN.1 decode, then 3DES decrypt the login data using the master key.
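The Chrome section above describes the Login Data SQLite file and notes that only password_value is protected. The following is an added audit example (my code, not from HarvestBrowserPasswords): it enumerates profile directories, reads the three columns of interest from the logins table and reports how each password_value is protected by checking for the DPAPI blob header, without decrypting anything. The sample database, the realm and user names, and the function names are constructed for the example; the DPAPI provider GUID and the Chrome 80+ 'v10' prefix are documented facts not taken from the post.

```python
import os
import sqlite3
import struct
import tempfile
from contextlib import closing
from pathlib import Path

# DPAPI blob header: dwVersion 1 + provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb (little-endian)
DPAPI_MAGIC = struct.pack("<I", 1) + bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")

def classify(blob):
    """Say how a password_value is protected, without decrypting anything."""
    if not blob:
        return "empty"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi"
    # Chrome 80+ prefixes AES-256-GCM ciphertext with 'v10' ('v11' on some Linux builds);
    # the AES key, itself DPAPI-wrapped, lives in 'Local State'. Not covered by the post.
    if blob[:3] in (b"v10", b"v11"):
        return "aes-gcm"
    return "unprotected-or-unknown"

def inventory(db_path):
    """Return (signon_realm, username_value, protection) for every saved login."""
    with closing(sqlite3.connect(db_path)) as conn:
        rows = conn.execute(
            "SELECT signon_realm, username_value, password_value FROM logins").fetchall()
    return [(realm, user, classify(pw)) for realm, user, pw in rows]

def chrome_profiles(local_app_data=None):
    """Profile dirs (Default, Profile 2, ...) under User Data that hold a Login Data file."""
    base = Path(local_app_data or os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data"
    return [p.parent for p in base.glob("*/Login Data")] if base.is_dir() else []

def build_sample_db(path):
    """Constructed stand-in for a real Login Data file, with the three columns of interest."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("CREATE TABLE logins (signon_realm TEXT, username_value TEXT, password_value BLOB)")
        conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
            ("https://example.com/", "alice", DPAPI_MAGIC + b"\x00" * 16),  # DPAPI-style header
            ("https://example.org/", "bob", b"v10" + b"\x11" * 28),         # newer Chrome format
            ("http://legacy.example/", "carol", b"plaintext-secret"),       # never encrypted
        ])
        conn.commit()
    return path

def demo():
    """Build the constructed database in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_db(os.path.join(tmp, "Login Data")))
```

On a real host, pass each directory returned by chrome_profiles() joined with "Login Data" to inventory() (copy the file first if Chrome holds a lock on it) to see which accounts have saved credentials and whether any are stored without protection.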