shaddy43 / BrowserSnatch

This project steals important data from all Chromium and Gecko browsers installed in the system and gathers the data in a stealer db to be exfiltrated out. A powerful Browser Stealer.
MIT License

BCrypt Decrypt (2) failed with status: -1073700862 #2

Closed Fomovet closed 1 week ago

Fomovet commented 1 week ago

OS Version: Windows 11
OS Architecture: 64-bit
Browser Name: Chrome
Browser Version: 129.0.6668.59

Log Output

C:\Users\0xTest\Desktop\hack-browser-data-windows-64bit>BrowserSnatch64.exe -cookies
Target Chromium Browser cookies...
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
BCrypt Decrypt (2) failed with status: -1073700862
Stealer db path: C:\Users\0xTest\AppData\Local\Temp\upX1i0

shaddy43 commented 1 week ago

Please check if the password versions stored in your Chrome browsers are older than v10. Anything older than v10 passwords will not be decrypted. BrowserSnatch works on the latest v10/v11 version encrypted passwords only. Same goes for the cookies!

You can check the version of your encrypted data in a SQLite DB browser on the passwords or cookies file. Every encrypted value has version meta info prepended, as shown in the screenshot below:

[Screenshot 2024-09-19 at 5 07 22 PM]
Fomovet commented 1 week ago

> Please check if the password versions stored in your Chrome browsers are older than v10. Anything older than v10 passwords will not be decrypted. BrowserSnatch works on the latest v10/v11 version encrypted passwords only. Same goes for the cookies!
>
> You can check the version of your encrypted data in a SQLite DB browser on the passwords or cookies file. Every encrypted value has version meta info prepended, as shown in the screenshot below:
>
> [Screenshot 2024-09-19 at 5 07 22 PM]

The latest version of Chrome cookie encryption is v20.

[screenshot]

shaddy43 commented 1 week ago

Google has recently updated its security policy on saving encrypted cookies. Unlike before, the encryption keys are not only secured by DPAPI (which could be easily accessed by malware running with the same user-mode privileges), but now Chrome has introduced something called Application-Bound Encryption Primitives, which basically improves on DPAPI by running a SYSTEM-level Chrome service which first authenticates whether the application requesting the key is Chrome itself and then uses SYSTEM-level privileges to decrypt keys with DPAPI and return them to the requesting process (which would be Chrome).

[Screenshot 2024-09-19 at 10 26 08 PM]

Because the App-Bound service is running with SYSTEM privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain SYSTEM privileges, or inject code into Chrome. This complicates the process of stealing Chrome cookies. For now, Chrome's password-saving policy has not been shifted to this mechanism, but eventually it will. So I need to do some R&D on how to include this bypass in upcoming versions of BrowserSnatch.

For your reference: https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html
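Added example (not code from this project or its maintainer) illustrating the two points made in this thread: the version prefix on each stored value tells you which protection scheme it uses (v10/v11 DPAPI-wrapped key vs. v20 App-Bound Encryption), and the status the tool prints, -1073700862, is 0xC000A002, which ntstatus.h defines as STATUS_AUTH_TAG_MISMATCH (the AES-GCM tag check fails because a v20 value was not encrypted under the DPAPI-wrapped key). The script inventories prefixes in a copy of a Cookies or Login Data file so a defender can confirm the App-Bound rollout on a machine; the in-memory database and ciphertext bytes are constructed stand-ins, and the table names are assumed.

```python
import sqlite3

# Version prefixes as the maintainer describes them in this thread. v10/v11 values are
# protected by the DPAPI-wrapped os_crypt key, which any process running as the same
# user can unwrap; v20 cookie values use Chrome's App-Bound Encryption instead.
PREFIX_SCHEME = {
    b"v10": "DPAPI-wrapped key (readable from user mode)",
    b"v11": "DPAPI-wrapped key (readable from user mode)",
    b"v20": "App-Bound Encryption (SYSTEM-level service gates the key)",
}
# Column holding the ciphertext in each Chromium SQLite file (assumed table/column names).
INVENTORY_QUERY = {
    "cookies": "SELECT encrypted_value FROM cookies",
    "logins": "SELECT password_value FROM logins",
}

def classify_encrypted_blob(blob: bytes) -> tuple[str, str]:
    """Return (version, scheme) for one stored ciphertext, judged by its 3-byte prefix."""
    prefix = bytes(blob[:3])
    if prefix in PREFIX_SCHEME:
        return prefix.decode("ascii"), PREFIX_SCHEME[prefix]
    return "unknown", "no v10/v11/v20 prefix (older format or not os_crypt data)"

def ntstatus_hex(signed_status: int) -> str:
    """Render the signed decimal NTSTATUS the tool prints in the hex form ntstatus.h uses."""
    return f"0x{signed_status & 0xFFFFFFFF:08X}"   # -1073700862 -> 0xC000A002

def version_inventory(conn: sqlite3.Connection, kind: str) -> dict[str, int]:
    """Count rows per version prefix in a copy of a Cookies or Login Data file."""
    counts: dict[str, int] = {}
    for (blob,) in conn.execute(INVENTORY_QUERY[kind]):
        version, _ = classify_encrypted_blob(blob or b"")
        counts[version] = counts.get(version, 0) + 1
    return counts

def build_sample_cookie_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Cookies file; the ciphertext bytes are dummies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)")
    conn.executemany(
        "INSERT INTO cookies VALUES (?, ?, ?)",
        [
            ("example.test", "sid", b"v20" + bytes(range(12)) + b"\x00" * 24),
            ("example.test", "pref", b"v20" + bytes(range(12)) + b"\x11" * 24),
            ("legacy.test", "old", b"v10" + bytes(range(12)) + b"\x22" * 24),
            ("legacy.test", "plain", b""),
        ],
    )
    return conn
```

Point `version_inventory` at a `sqlite3.connect(...)` of a copied profile file to see how many values on a real machine are still v10/v11 and therefore readable by user-mode code; a non-empty "unknown" count matches the pre-v10 case the maintainer describes.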

shaddy43 commented 1 week ago

Will be handled in upcoming versions