Skip to content

Programmatically extract saved passwords from Chromium based browsers.

License

Notifications You must be signed in to change notification settings

breakpointHQ/chrome-bandit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Chrome Bandit

Programmatically extract saved passwords from Chromium based browsers.

Browser Support

IE / Edge
Edge
Chrome
Chrome
Opera
Opera
macOS only macOS only macOS only

Quick start

brew install breakpointhq/chrome-bandit/chrome-bandit

Usage

chrome-bandit <command>

Useage:

chrome-bandit list                     list browser passwords                 
chrome-bandit decrypt                  decrypt a given password               
chrome-bandit <command> -help          quick help on <command>

List credentials

Usage: chrome-bandit list [options]
    -u, --url <url>                  only show credentials where the origin url match <url>
    -f, --format <format>            set the output format: text, json
    -l, --login_data <path>          set the "Login Data" file path
        --chrome
        --opera
        --edge
    -v, --verbose
chrome-bandit list --opera
+----------+----------------------------+--------------------+
| ID       | URL                        | Username           |
+----------+----------------------------+--------------------+
| 1        | https://paypal.com/        | example@gmail.com  |
| 2        | https://github.com/session | masasron           |
+----------+----------------------------+--------------------+
chrome-bandit list --chrome --url github
+----------+----------------------------+--------------------+
| ID       | URL                        | Username           |
+----------+----------------------------+--------------------+
| 235      | https://github.com/session | masasron           |
+----------+----------------------------+--------------------+

Decrypt a password

Usage: chrome-bandit decrypt [options]
    -x, --port <port>                set HTTP server port
    -f, --format <format>            set the output format: text, json
    -l, --login_data <path>          set the "Login Data" file path
    -b <name>,                       set the browser process name
        --browser_process_name
    -p <path>,                       set the browser executable path
        --browser_executable_path
    -i, --id <id>                    decrypt the password for a given site id
    -u, --url <url>                  decrypt the password for the first match of a given url
        --chrome
        --opera
        --edge
    -v, --verbose
chrome-bandit decrypt --chrome --url paypal
+-------------------------+---------------------------+-----------------+
| URL                     | Username                  | Password        |
+-------------------------+---------------------------+-----------------+
| https://www.paypal.com/ | example@gmail.com         | qwerty          |
+-------------------------+---------------------------+-----------------+

Background

This project started as a proof of concept to demonstrate how saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by malicious macOS programs. I've decided to turn it into a more robust tool for red teams targeting macOS.

The way passwords are stored on Windows and macOS is different.

On Windows, Chrome uses the Data Protection API (DPAPI) to bind your passwords to your user account. The passwords are store on disk, encrypted with a key accessible only to processes running as the same logged on user.

On macOS, Chrome is storing the credentials in a “Login Data” file located at the Chrome users profile directory. The passwords are stored encrypted on disk, the encryption key is then stored in the user’s Keychain.

macOS Keychain uses Access Control Lists that control which apps have access to Keychain items in macOS. This makes it way harder for malicious programs to programmatically steal saved passwords.

Legal Disclaimer

Usage of this code for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.