Path: blob/master/documentation/modules/post/windows/gather/enum_chrome.md
## Vulnerable Application

This post-exploitation module extracts saved user data from Google Chrome and attempts to decrypt the sensitive parts. Chrome encrypts sensitive data (passwords and credit card information) so that it can only be decrypted with the same logon credentials under which it was saved. This module tries to decrypt that data as the current user unless told otherwise via the `MIGRATE` setting.
## Verification Steps

1. Start `msfconsole`
2. Get a meterpreter session
3. Do: `use post/windows/gather/enum_chrome`
4. Do: `set SESSION <session id>`
5. Do: `run`
6. You should be able to see the extracted Chrome browser data in the loot files, in JSON format
## Options

- **MIGRATE** - Migrate automatically to `explorer.exe`. This is useful if you have SYSTEM privileges, because the process running meterpreter on the target needs to be owned by the user the data belongs to. If activated, the migration is done using the Metasploit `post/windows/manage/migrate` module. The default value is `false`.
- **SESSION** - The session to run the module on.
## Extracted data

- Web data
  - General autofill data
  - Chrome users
  - Credit card data
- Cookies
- History
  - URL history
  - Download history
  - Search term history
- Login data (username/password)
- Bookmarks
- Preferences
## Scenarios

### Meterpreter session as normal user

### Meterpreter session as system

In this case, you should set the `MIGRATE` setting to `true`. The module will try to migrate to `explorer.exe` to decrypt the encrypted data. After the decryption is done, the script will migrate back into the original process.
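From the defender's side, the observable of the scenario above is a process that is not Chrome (here `explorer.exe`, which is where the module migrates when it starts as SYSTEM) reading several Chrome profile databases within a few seconds. The following Python script is an added detection example; it is not part of the Metasploit module or its documentation. The event format is a constructed, simplified per-line JSON file-access log (not real Sysmon or EDR output), the Chrome profile file names (`Login Data`, `Web Data`, `Cookies`, `History`, `Bookmarks`, `Preferences`) are the on-disk files behind the data categories listed on this page, and the allowlist of processes expected to touch them, the 30-second window and the two-artifact threshold are assumptions to tune for your environment.

```python
"""Flag non-browser processes that read several Chrome profile databases in a
short window.  Added detection example (not the module's own code).  Log format,
allowlist, window and threshold are constructed assumptions."""

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Chrome profile files that hold the data categories listed on this page.
CHROME_ARTIFACTS = {
    "Web Data": "autofill, Chrome users, credit cards",
    "Cookies": "cookies",
    "History": "URL, download and search term history",
    "Login Data": "saved usernames and passwords",
    "Bookmarks": "bookmarks",
    "Preferences": "preferences",
}

# Processes that legitimately open those files (assumed allowlist).
EXPECTED_PROCESSES = {"chrome.exe"}
# Alert when one process touches this many distinct artifacts within WINDOW (assumed).
MIN_DISTINCT_ARTIFACTS = 2
WINDOW = timedelta(seconds=30)

# Constructed sample log: one JSON event per line, Windows paths escaped for JSON.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T10:00:01Z", "user": "CORP\\alice", "pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-05-01T10:00:05Z", "user": "CORP\\alice", "pid": 5212, "image": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-05-01T10:00:06Z", "user": "CORP\\alice", "pid": 5212, "image": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts": "2024-05-01T10:00:07Z", "user": "CORP\\alice", "pid": 5212, "image": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"}
{"ts": "2024-05-01T10:00:09Z", "user": "CORP\\alice", "pid": 7001, "image": "C:\\Windows\\System32\\notepad.exe", "path": "C:\\Users\\alice\\Documents\\notes.txt"}
"""


def parse_events(text):
    """Parse one JSON event per line (blank lines skipped); ts becomes a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def basename(win_path):
    """Last path component of a Windows path."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1]


def chrome_artifact(path):
    """Return the artifact name if path is a Chrome profile database, else None."""
    if "\\Google\\Chrome\\User Data\\" not in path:
        return None
    name = basename(path)
    return name if name in CHROME_ARTIFACTS else None


def find_suspicious_access(events):
    """Events where a process outside the allowlist opened a Chrome artifact."""
    findings = []
    for ev in events:
        artifact = chrome_artifact(ev["path"])
        if artifact is None:
            continue
        image = basename(ev["image"]).lower()
        if image in EXPECTED_PROCESSES:
            continue
        findings.append({**ev, "artifact": artifact, "image_name": image})
    return findings


def alerts(findings, window=WINDOW, min_artifacts=MIN_DISTINCT_ARTIFACTS):
    """One alert per (user, pid, image) that read >= min_artifacts distinct
    artifacts within window: the bulk-read pattern of a browser-data dumper."""
    by_proc = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_proc[(f["user"], f["pid"], f["image_name"])].append(f)
    out = []
    for (user, pid, image), fs in by_proc.items():
        distinct = sorted({f["artifact"] for f in fs})
        span = fs[-1]["ts"] - fs[0]["ts"]
        if len(distinct) >= min_artifacts and span <= window:
            out.append({"user": user, "pid": pid, "image": image,
                        "artifacts": distinct, "seconds": span.total_seconds()})
    return out


if __name__ == "__main__":
    for a in alerts(find_suspicious_access(parse_events(SAMPLE_LOG))):
        print(f"{a['user']} pid={a['pid']} {a['image']} read "
              f"{', '.join(a['artifacts'])} within {a['seconds']:.0f}s")
```

On the constructed log the only alert is `explorer.exe` (pid 5212) reading `Login Data`, `Web Data` and `Cookies` within two seconds; Chrome's own read of `Login Data` is allowlisted, and the unrelated Notepad event never matches. A single-file read by a non-browser process stays below the threshold, which keeps backup agents and indexers that touch one file at a time from firing; raise `MIN_DISTINCT_ARTIFACTS` or extend `EXPECTED_PROCESSES` if your telemetry shows legitimate bulk readers.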