erwan2212 / NTHASH-FPC


nthash /chrome and chrome.exe #15

Closed Papotito123 closed 3 years ago

Papotito123 commented 4 years ago

Hello: I tested NTHASH (chrome.zip) and chrome.exe in a standard user account in Win 1909 x64n using a non-admin cmd (also ran mimikatz latest), and this is the output:

C:\Users\depaso\Downloads\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>chrome.exe
path:C:\Users\depaso\AppData\Local\Google\Chrome\User Data\Default
db:C:\Users\depaso\AppData\Local\Google\Chrome\User Data\Default\login data.db
os_crypt:encrypted_key:22xxxxxxxxxxxxxxxxxxxxxxxxxxx64
https://login.live.com/login.srf;rmyemail@hotmail.com;mypassword;*

C:\Users\depaso\Downloads\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>nthash-win64.exe /chrome /binary:%localappdata%\Google\Chrome\User Data\Local State /key:22xxxxxxxxxxxxxxxxxxxxxxxx64
NTHASH 1.8 x64 by erwan2212@gmail.com
path:C:\Users\depaso\AppData\Local\Google\Chrome\User Data
db:C:\Users\depaso\AppData\Local\Google\Chrome\User Data\login data.db
An unhandled exception occurred at $000000010007D906:
ESQLite3Exception: Error SQLITE_NOTADB (26) [SELECT origin_url,username_value,password_value,length(password_value) from logins] using 3.29.0 - file is not a database, extended_errcode=26
$000000010007D906 $000000010007D052 $000000010008E4DB $000000010007EEC5 $00000001000805E5 $000000010008035D $0000000100055D60 $000000010000BFC5 $000000010000C2C6 $000000010001DDD3 $000000010001E721 $00007FF811E67C24 $00007FF812D6D4D1

I also ran mimi latest and can grab chrome login.

Thanks.

Papotito123 commented 3 years ago

Hello: I tested, again, NTHASH and chrome.exe in admin user TESTACCOUNT, whose password was changed recently. chrome.exe works well as expected.

So I used the os_crypt:encrypted_key:xxxxxxxxxx given and ran:

nthash-win64.exe /chrome /binary:C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User Data\Default\Login Data /key:xxxxxxxxxx

and did not retrieve any password. I know why: because it is /input: and not /key:

I used then,

nthash-win64.exe /chrome /binary:C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User Data\Default\Login Data /input:xxxxxxxxxx

and things went well.

Also tested chrome.exe and NTHASH in a MicrosoftAccount user and both work well.

What can I say.