Closed andizaa closed 3 weeks ago
In the past it worked without admin rights Now it works only with admin rights for chrome and chrome based browsers such as edge, brave.
what about Firefox? can it still works for non admin users?
Firefox and firefox based browsers still works without admin rights
okay nice work Sir. I hope someday it'll work on chrome without admin rights
Hello,
I found a way to extract cookies from Chrome on Windows without requiring admin rights. I described it in https://issuetracker.google.com/issues/364089360#comment1. In short, it is using Playwright. Maybe depending on it won't even be necessary if we manage directly use the API that Playwright is using to communicate with Chrome.
Hey @mimi89999 Extracting cookies using playwright interface is completely another thing. of course it's possible. it meant for that purpose. playwright uses patched version of chromium and start the profile in special way.
I'm using the installed browser executable and the existing profile directory:
```python
from playwright.sync_api import sync_playwright

with sync_playwright() as playwright:
    chromium = playwright.chromium
    # Launch the installed Chrome binary against the existing default profile
    browser = chromium.launch_persistent_context(
        executable_path=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        user_data_dir=r"C:\Users\Michel\AppData\Local\Google\Chrome\User Data",
        headless=True,
    )
    page = browser.new_page()
    page.goto("https://auth.lebihan.pl/")
    # Cookies already stored in the profile for that origin
    print(page.context.cookies("https://auth.lebihan.pl/"))
    browser.close()
```
You can clearly see that executable_path=r"C:\Program Files\Google\Chrome\Application\chrome.exe"
is the installed browser not the patched version distributed by Playwright.
Oh I missed that you used the regular profile. Does it works even if the browser it open at that time? Interesting
No, because Chrome needs to be started with the `--remote-debugging-port` argument. You can run Chrome with `--remote-debugging-port=9222` and then visit http://localhost:9222/json. You will receive a JSON that contains `"webSocketDebuggerUrl": "ws://localhost:9222/devtools/page/SOME_ID"`. You can then send commands to the browser using WS. However, I don't know if that API is documented anywhere.
It means that you can easily extract the cookies if the browser was started with `--remote-debugging-port`. It should be by design.
The idea of extracting cookies is when the Chrome browser is started normally by a user without `--remote-debugging-port` or any other browser automation tools. Just regular installed Chrome started by a user. And also, the cookie extraction needs to be done while the browser is open (to avoid authentication cookies being destroyed when the browser is closed).
The point is that you can (or could when I was testing it) extract cookies that are already stored in the user profile before Chrome was launched with that parameter.
You can basically just kill a running Chrome process, start Chrome with that parameter and extract cookies from sites that the user visited and interacted with before Chrome was launched with that parameter.
Oh I get the point now. Very good idea! I believe that should work and it's an easy way of getting the cookies without admin rights! The only downside is that you need to kill the running process of Chrome and start another one. Maybe we can add that feature to rookie: if enabled, it will kill the running Chrome process, start it in debugging mode, and extract the cookies :P
By the way I believe that it's not a bug but rather a feature. chrome needs a way to start it with debug mode without admin rights for testing purposes.
But some session cookies are gone when you close the browser. The cookies extraction needs to be done while the browser is open , right?
If you need session cookies, then yes. BUT most websites don't rely on session cookies for authentication, e.g. GitHub, Facebook etc. The only websites that rely on session cookies are those where you need to re-login every time, e.g. banking websites.
So I guess you should include this Playwright idea to the next updates :')
Oh by the way, you said websites like GitHub or Facebook don't rely on session cookies for authentication. What do you mean by that? You mean they use session cookies but with a very long expiration time to persist the session, right?
Not sure if I'm gonna add it to rookie. but here is the POC :)
https://gist.github.com/thewh1teagle/359675c2f5ea4920949448ec705f9fb2
And here https://github.com/thewh1teagle/chrome-privless-encryption
My man that is awesome. Hats off. We just talked about the idea like 3 hours ago and now you made the Poc :D Will take a look at the script soon.
It would be nicer to automatically get the home path using:
```python
import pathlib
...
# Profile path relative to the current user's home directory
CHROME_USER_DATA_DIR = r'AppData\Local\google\chrome\User Data'
USER_DATA_DIR = pathlib.Path.home().joinpath(CHROME_USER_DATA_DIR)
```
I forgot that I hardcoded the chrome path. fixed it in the POC repository.
someone mentioned it didn't work on httpOnly cookies, did it really?
It works with HTTP Only cookies and Secure cookies without admin rights.
I noticed that if I add the `--restore-last-session` parameter, I can sometimes see session cookies.
If Chrome ever patches this, I have a couple of other ideas on how to retrieve cookies from Chrome without admin permissions:
I believe that the Process Hollowing method, despite being more complex (requiring about 100 LoC), would integrate much better with the Rookie codebase. It would require an injector like https://github.com/m0n0ph1/Process-Hollowing/blob/master/sourcecode/ProcessHollowing/ProcessHollowing.cpp and some code that will communicate with the elevated process like https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824
Does it require admin rights? Because the current method released in rookie works well with admin rights.
It does not require admin rights. That's the point.
Since Chrome is using the Windows subsystem (https://doc.rust-lang.org/reference/runtime.html#the-windows_subsystem-attribute), the injected PE will probably also need to use it.
Can this also get the JWT token stored in localStorage? Some websites use JWT tokens that are not stored in cookies.
Any proof of concept for this would be awesome.
I don't really know how to use Microsoft IDL in Rust
What happened?
So does it only work for Chrome with Windows admin users? What about non-admin users?
Steps to reproduce
What browsers are you seeing the problem on?
Chrome
Relevant log output
No response