How To Extract Plaintext Google Chrome Passwords

Captions
You know, whenever you click "save password" in your web browser, whether it be Google Chrome or Firefox or Microsoft Edge or, God forbid, Internet Explorer, those passwords are saved and encrypted locally to your computer inside of a password vault and cache. But they can very easily be retrieved, revealed and uncovered by any individual, actor, person who has access to your file system. I'll note, read between the lines here, that could very well mean a hacker or threat actor. In this video I want to show you just how easy it is: you can recover, reveal and decrypt these passwords. And if you don't mind, I'd love for you to follow along, because in this video I'm going to be showcasing the technique against Google Chrome.

I have this open in my web browser right now for ctf.nahamcon.com, because I'm going to create a test account, a little dummy user with a throwaway password that we can use for demonstration and showcase. But this is at least, hey, a little bit of a plug for the upcoming Capture the Flag competition that I'm hosting, NahamCon. We've been doing this event for over four years in a row now, but it's coming up super quick, June 15th to June 17th, so if you haven't registered and would love to play, please do so.

We can't log into an account just yet because we do need to register a new user, and I'm going to create an account. We'll just say "test account", and I'll throw in a dummy email address, and now let me create a password. I'll do "wow super secure secret password one two three exclamation point at sign hashtag". Cool. We can go ahead and submit that, and now we have a new registered account within our Google Chrome browser. Now note, it goes ahead and asks me, hey, would you like to save this password? And we can go ahead and click save. Passwords are saved to the Google Password Manager on this device. Let's hit save here, and remember, that password is saved locally to this computer, to this device. I'm using my host computer right now to showcase this.

And actually, if you didn't know, you could actually go and click on the little key up here. You can manage passwords that you might have saved for different sites, and note that I have this one saved right here. We could go ahead and take a look at it. It might prompt you for your password, but that'll ask for your local password for that computer, and then you could view the password as it is, "wow super secure secret password", as I suggested. But obviously this was all within Google Chrome and you were prompted to ask that. Note, any hacker or threat actor could grab this.

Now let me show you this. I'm over here on my desktop and I'm going to open up the File Explorer, where I could go ahead and hit Ctrl+L on my keyboard to jump to the address or location bar, and I'm going to go to C:\Users\JohnH for my user profile, under AppData, Local, and under Google. Now, Google gives us a couple different spots here, but Google Chrome is obviously what we're looking for, and in the User Data folder here there are a ton of different files, but some of the most interesting ones are these: Local State. And then we can go ahead and right click this to open with Sublime Text or whatever text editor you might like. Note this is a JSON file, or JavaScript Object Notation, so I'm going to hit Ctrl+Shift+P in Sublime Text so I can use Pretty JSON, which is a plugin that I've installed, and that way we could actually format this JSON and make it a little bit easier to read and look through.

Now, I want to be looking for something that is unique and interesting to our exact instance, and here it is: os_crypt, for the cryptography of this operating system, right, and the encrypted_key. Now, all of this is this base64 gross long string, but it is an encryption key that will be very, very useful for actually decrypting the passwords. Now we have one piece of the puzzle: we have the encryption key that is local to this computer, to this device that we have gained access to as threat actors or hackers. But now we need to find the encrypted passwords themselves.

Again, when you're using your web browser, whether it be Firefox, Google Chrome or whatever, those are stored locally if you tell the browser to save them. That is part of the reason why folks tend to say, oh, don't use your browser's built-in password manager. You can take that for what it's worth, a grain of salt or whatever, but if I may, I really like using a separate password manager, one that I'm a huge fan of, and if you don't mind I'd love to give a little bit of love and support for the sponsor of today's video, Passbolt.

I don't know any of my passwords. I don't know what they are. They're all crazy long and complex, they even have emojis in them, and that's because I use a password manager, and I'm a huge advocate for using a password manager to generate completely unique and secure passwords for each service or account you use. And personally, I use Passbolt as my daily driver and main password manager, a free and open source password manager that allows both individuals and team members to store and share passwords securely. I absolutely love how easy Passbolt is to use and how you can make it solely your own. You control your data: you can host your own Passbolt management instance completely for free and run it on your own Linux servers or Raspberry Pi, or deploy it straight to the cloud with hosting providers like AWS or DigitalOcean, or just let Passbolt handle it all for you. You can easily create and store passwords and autofill wherever you need to with the Passbolt browser extension and their mobile app, which even has biometrics for quick and easy authentication. On top of that, Passbolt is completely open source. You can look through the code on GitHub, extend it with the REST API, integrate with it on the command line, and even contribute and hack on the code. Best of all, they are a thousand percent passionate about hearing from the community. They want the feedback to make your password manager the best it can be, now including two-factor authentication on free accounts and even transitioning more of the subscription tier features into their Community Edition. I love it. You can get started with Passbolt for free with my link below in the video description. Their cloud instance is incredibly easy to spin up, and they take extra precautions to keep everything secure, even with a private key, backup codes, and a unique color and pin to protect you against phishing attacks. It is password security done the right way with Passbolt. Huge thanks to Passbolt for sponsoring this video.

All right, back into the action here. We have our encrypted key for all the passwords, but we still need to find the encrypted passwords themselves. So let's go back into our File Explorer, inside of that Google Chrome User Data cache, Local app data directory. We were just taking a look at this Local State file, but now I want to move us to this Default directory. Inside of here you actually have some other interesting stuff. In fact, scrolling down, you should have a file that refers to the login data. Here's my silly stupid Google profile picture, but there is the Login Data file. And we could try and open this with Sublime Text, but it is a binary file, it's all raw bytes, because it's actually a SQLite database.

Now, of course, you could open up this file within a database browser, like a SQLite database browser, and that's in fact exactly what I use. I tend to use it on Linux; I don't have it installed on Windows right now, but that is one great option. And of course you could write some code to carve through this database and grab some of the interesting stuff, and in fact that is exactly what we're going to do, because there are already tons of utilities out there across the internet to decrypt these Chrome passwords, or Firefox or whatever web browser you're using, again locally on your device. This one is awesome, put together by this GitHub user out and about here. It has a couple dependencies, but we can go ahead and work with it and then see this thing in action. We can actually decrypt these saved passwords without maybe knowing what they were in the first place. Maybe we're doing some forensic investigation, or we're just trying to steal, exfiltrate, pillage the village as a red teamer or penetration tester.

Here's all the syntax, and the gist is it is encrypted with AES. Bear in mind AES is that Advanced Encryption Standard, but the initialization vector and everything that we need to pull out to actually decrypt this is all already present, and there we could honestly just, hey, press the "I believe" button, go with it. I don't need to drill us down into all of the intricacies of AES encryption right now, I don't think, but let's go ahead and save this file, and I'll put it on my desktop super duper quick.

Now I'm going to open up a terminal and I will move into the Desktop directory. I'll full screen this and we can take a look at what we have here, because all I have is the decrypt Chrome passwords Python script, and we can run that with Python, even installed on Windows. So I will use py on my decrypt Chrome passwords, and note this has a couple dependencies that we saw in the README. You will want to install, I believe, pypiwin32 crypt, I think that's the right one. Oh no, it is just pypiwin32; that is for the win32crypt library that it tries to import. Another one worthwhile is pip install pycryptodomex. Yeah, there are a whole lot of like weird different crypto, cryptography, cryptodomex synonyms and different variations across pip and Python, but that is what I tend to install and had success with.

So I can go ahead and run my decrypt Chrome password .py, and there it is. Look, check it out: here is our "wow super secure secret password one two three exclamation point at sign hashtag" for the NahamCon CTF coming up this June 15th to June 17th. You should really sign up and come play, I'm really stoked for it. And actually, it looks like it actually pulled a whole nother password that I made. I didn't have it deleted or removed for the sake of this video, so, whoops. Now you know it really works.

But that is it. It is literally that easy. It's just a matter of tracking down the profile for Firefox, for Google Chrome, whatever browser you're using, and then grabbing all the ingredients that are all necessary, all the puzzle pieces, to go ahead, decrypt, reveal and unravel the passwords that you might save locally. Don't do it. Just don't. I don't know, don't trust the browser here and there, because if it's already locally installed there may be some dragons there here and there. Don't use synchronized passwords across every service, always be having a real one, and I don't know, I really feel like maybe some other password manager might be able to save the day on that.

And by the way, this might be a very common Capture the Flag challenge just as well, if you're cutting through the forensics category or anything. This was for a past event, GRIMMCon, way back in 2020, maybe seeing some similar stuff over at NahamCon if you play this weekend, but the "data dump" challenge that I put together was Firefox. It was a local Firefox profile that you were able to download, again find the SQLite database, and decrypt and uncover this with a utility called dumpzilla. So there's tons of interesting stuff out there, but I thought, you know what, maybe this is worthwhile to showcase.

And hey, credit where credit is due: this GitHub user that put together this great script to decrypt Chrome passwords, they did a phenomenal write-up over on Medium, where you could actually go take a look at how this comes together, and this is exactly the Python script to crack and retrieve a lot of these Chrome passwords. They also do a pretty good job of discussing a little bit more of the Advanced Encryption Standard and that AES crypto scheme that it's using to actually work with these encrypted passwords. If you want to go take a closer look at some of the symmetric, asymmetric, whatever shenanigans of initialization vectors and all that, you can of course dig into that just as well.

Hey, thanks so much for watching, everyone. I hope you enjoyed this video. I hope it was kind of cool, I hope it was neat to see, wow, just how easy it is to pull down, retrieve, recover and reveal all of those encrypted passwords that you just might save locally. But look, you don't have to. There are other options out there for other sweet password managers. If you don't mind, go please send some love to our sponsors, and sign up for NahamCon, sign up for the NahamCon Capture the Flag. I'm so stoked for that game and we'll have a ton of fun. Thanks everyone, see you in the next video.
Info
Channel: John Hammond
Views: 216,834
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: CIOsemj3kl4
Length: 10min 55sec (655 seconds)
Published: Mon Jun 12 2023