
Issue 704944 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




I could extract all the encrypted passwords and email addresses using cmd

Reported by magdysak...@gmail.com, Mar 24 2017

Issue description

Hi, I'm here to report that anyone using any RAT software with cmd access can get all stored passwords and email addresses on victims' machines very easily.

Firstly, I know well that passwords are encrypted in: C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Login Data
and the only (normal) way to show stored passwords and email addresses is using the browser > chrome://settings/passwords. If you are using a password for managing your Windows account it will ask for it, but there is another way I found.

First download these tools (ChromePass, nircmdc),
which you can find at http://www.nirsoft.net/password_recovery_tools.html

I tried to use chromepass.exe in cmd with /stext pass.txt but for some reason it doesn't work, so I used these commands to capture a screenshot and close ChromePass automatically:

1 - ChromePass.exe 
2 - nircmd.exe cmdwait savescreenshot shot.png
3 - TASKKILL /IM ChromePass.exe

and all the passwords are now in shot.png.

After doing this I simply used Metasploit and backdoor-factory.
After backdooring Notepad++ I sent it to my Windows 7 VMware machine and got a reverse shell session.
After using:
1 - session -u 1
2 - exploit/windows/local/bypassuac with session 2
I successfully got a Meterpreter session and bypassed Windows UAC.

Then I uploaded chromepass.exe and nircmd.exe to the victim's machine,
dropped to a shell and redid the commands above,
then went back to Meterpreter and downloaded the screenshot.

I hope that my efforts will be appreciated.

more contacts:
- +201061031594
- facebook.com/rebellionil

Attachments: Screenshot at 2017-03-24 08-33-32.png (143 KB), Screenshot at 2017-03-24 08-31-03.png (107 KB), 17495734_423643604637900_933291892_n.png (303 KB), 17409584_423661044636156_615133184_n.png (288 KB)
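The chain the report describes (a credential-dumping tool started, a screenshot captured with nircmd, then the tool killed) leaves a recognisable sequence in process-creation telemetry. As an added example that is not part of this issue or of Chromium, here is a small Python detector that correlates those three stages per host within a short window; the pipe-separated event format and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events ("timestamp|host|image|command_line"), not from the report:
SAMPLE_EVENTS = """\
2017-03-24T08:30:01|WIN7-VM|C:\\Users\\u\\Desktop\\ChromePass.exe|ChromePass.exe
2017-03-24T08:30:02|WIN7-VM|C:\\Users\\u\\Desktop\\nircmd.exe|nircmd.exe cmdwait savescreenshot shot.png
2017-03-24T08:30:03|WIN7-VM|C:\\Windows\\System32\\taskkill.exe|TASKKILL /IM ChromePass.exe
2017-03-24T09:10:00|WIN7-VM|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --type=renderer
2017-03-24T09:15:00|HR-PC|C:\\Windows\\System32\\taskkill.exe|TASKKILL /IM notepad.exe
"""

# Stages of the chain; order matters because the cleanup line also names
# chromepass.exe. "login data" catches any non-Chrome process naming the store.
STAGE_PATTERNS = [
    ("cleanup",    re.compile(r"taskkill.*?/IM\s+chromepass\.exe", re.I)),
    ("screenshot", re.compile(r"nircmd\S*\.exe\s+.*savescreenshot", re.I)),
    ("dumper",     re.compile(r"chromepass\.exe|login data", re.I)),
]
WINDOW = timedelta(minutes=5)  # all three stages must land within this span

def parse_events(text):
    """Parse pipe-separated lines into (time, host, image, cmdline) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, image, cmd = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), host, image, cmd))
    return rows

def tag_stage(image, cmd):
    """Return the chain stage an event matches, or None."""
    if image.lower().endswith("chrome.exe"):
        return None  # Chrome itself legitimately opens Login Data
    for stage, pat in STAGE_PATTERNS:
        if pat.search(image) or pat.search(cmd):
            return stage
    return None

def find_credential_dump_chains(events):
    """One alert per host each time all three stages occur within WINDOW."""
    alerts, by_host = [], {}
    for ts, host, image, cmd in sorted(events):
        stage = tag_stage(image, cmd)
        if stage is None:
            continue
        seen = by_host.setdefault(host, {})
        seen[stage] = ts
        first = min(seen.values())
        if len(seen) == 3 and ts - first <= WINDOW:
            alerts.append((host, first.isoformat(), ts.isoformat()))
            seen.clear()
    return alerts
```

On the sample above only WIN7-VM trips the rule; the benign taskkill on HR-PC and Chrome's own activity do not.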
Status: WontFix (was: Unconfirmed)
http://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Thanks for reporting! Physically local attacks are outside the scope of Chrome's threat model.
The idea isn't in the local attack but in the ability to show all the encrypted passwords without any permissions, and in my mind it's an important security vulnerability. Am I right?
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 1 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
