rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

enum_chrome not decrypting login data #19063

Open Murph000 opened 2 months ago

Murph000 commented 2 months ago

Steps to reproduce

How'd you do it?

  1. Use post/windows/gather/enum_chrome.rb as user or system (with migration true)
  2. Run on Windows 10 machine (tested on multiple up to date windows and chrome installations)

Expected behavior

Standard decryption and exporting of password data

Current behavior

Calls error

Metasploit version

Framework: 6.4.1-dev Console : 6.4.1-dev

Console output:



[*] Impersonating token: 4064
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240407224804_default_45.79.141.93_chrome.raw.WebD_663155.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240407224805_default_45.79.141.93_chrome.raw.Histo_017257.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240407224812_default_45.79.141.93_chrome.raw.Login_408314.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240407224813_default_45.79.141.93_chrome.raw.Bookm_720767.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240407224813_default_45.79.141.93_chrome.raw.Prefe_116106.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:378:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `run'
[*] Post module execution completed
nrathaus commented 2 months ago

Can you modify your /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb file and change it from:

            cipher.iv = enc_data[3..14]
            ciphertext = enc_data[15..-17]
            cipher.auth_tag = enc_data[-16..]

To:

            print_status("enc_data: #{enc_data}")
            cipher.iv = enc_data[3..14]
            ciphertext = enc_data[15..-17]
            cipher.auth_tag = enc_data[-16..]

To get the content of enc_data?

Murph000 commented 2 months ago

To my uneducated eye I see no difference



[+] Downloaded Web Data to '/root/.msf4/loot/20240408205508_default_71.226.250.46_chrome.raw.WebD_541215.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240408205509_default_71.226.250.46_chrome.raw.Histo_242454.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240408205517_default_71.226.250.46_chrome.raw.Login_819038.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240408205518_default_71.226.250.46_chrome.raw.Bookm_175064.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240408205519_default_71.226.250.46_chrome.raw.Prefe_963829.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:378:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `run'
[*] Post module execution completed
nrathaus commented 2 months ago

Nothing got printed, did you reload_all or restart msfconsole?

Murph000 commented 2 months ago

Apologies, forgot to, here is the new output:


[*] Impersonating token: 16308
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240409190801_default_73.33.253.190_chrome.raw.WebD_912879.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240409190802_default_73.33.253.190_chrome.raw.Histo_393266.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240409190809_default_73.33.253.190_chrome.raw.Login_412976.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240409190810_default_73.33.253.190_chrome.raw.Bookm_315029.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240409190810_default_73.33.253.190_chrome.raw.Prefe_486057.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] "enc_data: #{enc_data}"
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed
nrathaus commented 2 months ago

Something with your copy-pasting went wrong, it should have printed this: enc_data: [...data...]

And not: "enc_data: #{enc_data}"

I seem to have pasted the wrong code, try this: print_status("enc_data: #{enc_data}")

Murph000 commented 2 months ago

Thank you, apologies for the delay, here is the new output:


[+] Downloaded Web Data to '/root/.msf4/loot/20240411170353_default_71.226.250.46_chrome.raw.WebD_226980.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240411170354_default_71.226.250.46_chrome.raw.Histo_787563.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240411170402_default_71.226.250.46_chrome.raw.Login_779870.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240411170404_default_71.226.250.46_chrome.raw.Bookm_364976.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240411170404_default_71.226.250.46_chrome.raw.Prefe_082933.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data: v10???X????W?j???[?N~?e?????Z???E?_
[*] enc_data: v10?*???V?\????c??u^9?7?S?W+N??Nz▒D?
[*] enc_data: v10BLy?Vw?>e0h????h????
                                     %?C?8?z
[*] enc_data: v10??g
?^??Q?~?@?8@??k1?0r?e?7C?X?f
[*] enc_data: v10?Q??g?;?w?f???5?2?c5AK?f9\m??f11?x
[*] enc_data: v10????}??c?\?????????d'pqc
                                         ?
[*] enc_data: v10nD??}<??z?T??+2??8?}?5?oS???As??
[*] enc_data: v10????[?z????R?▒??????`Lc;?f????
[*] enc_data: v10 ▒?????????W?yo?.?,?U?5>@\^[{??8
[*] enc_data: v10????G:?Y??q??<?jP&
                                   Ia?%~E:E??
[*] enc_data: v10V?F*?@?????z?o8???J??Em??????
_E?"?LMp???[: v10b?d?_?'7?)??B ?? ?
[*] enc_data: v10???8**~I???=%?lP?f?m?
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed
nrathaus commented 2 months ago

It seems like your enc_data is too short?!

Can you change it to this: print_status("enc_data len: #{enc_data.length()}")

Murph000 commented 2 months ago

It returned the length as 31:


[*] Impersonating token: 12460
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240413172341_default_10.0.0.94_chrome.raw.WebD_404667.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240413172342_default_10.0.0.94_chrome.raw.Histo_683194.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240413172348_default_10.0.0.94_chrome.raw.Login_678351.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240413172349_default_10.0.0.94_chrome.raw.Bookm_560730.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240413172350_default_10.0.0.94_chrome.raw.Prefe_189370.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data len: 31
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed
nrathaus commented 2 months ago

Yes, 31 is not a "good" number - as the expected minimum value should be at least (X-17-15) where X is 32 as this code: ciphertext = enc_data[15..-17]

Can be empty, but not nil; such is the case with 31, where the value becomes "negative": enc_data[15..14]

I am wondering if: https://github.com/agentzex/chrome_v80_password_grabber/blob/master/chrome_v80_password_grabber.py

Also fails in the same spot, as the logic seems similar, though written in a bit of a different way

Decrypting and then removing the trailing bytes

Can you change: ciphertext = enc_data[15..-17]

To this: ciphertext = enc_data[15..]

And see what it prints out?

If it prints out a valid password (with some residual characters at the end) then it would seem there is an option to store passwords in a length that is smaller than 32 bytes

Murph000 commented 2 months ago

It seems that changing ciphertext = enc_data[15..-17] to ciphertext = enc_data[15..] is causing a cipher error. I had it print the length and the enc data, here is the new output:


[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data: v10???X????W?j???[?N~?e?????Z???E?_
[*] enc_data len: 46
[-] Post failed: OpenSSL::Cipher::CipherError
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:209:in `final'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:209:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:380:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:377:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:377:in `run'
[*] Post module execution completed
nrathaus commented 1 month ago

I don't know what this malformed line (the one that has only 31 bytes in it) means, you can skip it if you wish by doing this:

        item[:encrypted_fields].each do |field|
          name = res['name_on_card'].nil? ? res['username_value'] : res['name_on_card']
          origin = res['label'].nil? ? res['origin_url'] : res['label']
          enc_data = res[field]

          if enc_data.length < 32
            next
          end
Murph000 commented 1 month ago

Hi, I am just about clueless when it comes to Ruby, but here is where I used the code you have just provided (lines 204-211); this is what the section of the script looks like:

            cipher = OpenSSL::Cipher.new('aes-256-gcm')
            cipher.decrypt
            cipher.key = masterkey
            item[:encrypted_fields].each do |field|
          name = res['name_on_card'].nil? ? res['username_value'] : res['name_on_card']
          origin = res['label'].nil? ? res['origin_url'] : res['label']
          enc_data = res[field]

          if enc_data.length < 32
            next
          end
            cipher.iv = enc_data[3..14]
            ciphertext = enc_data[15..-17]
            cipher.auth_tag = enc_data[-16..]

I assume I'm just improperly using your code, here is what was in the log file:


[04/15/2024 18:56:25] [e(0)] core: /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb failed to load - SyntaxError /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:216: else without rescue is useless
          else
          ^~~~
/usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:395: syntax error, unexpected end-of-input, expecting `end'
nrathaus commented 1 month ago

No need for the else part

If the if isn't triggered, the code should flow as it was before, so drop the else part:

          if enc_data.length < 32
            next
          end

          cipher.iv = enc_data[3..14]
          ciphertext = enc_data[15..-17]
          cipher.auth_tag = enc_data[-16..]

I don't know if it will prevent the syntax error you are seeing, as there is no rspec (unit test) file for this one

github-actions[bot] commented 4 weeks ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.