
In John Hammond's latest video, he demonstrates just how easy it is to recover and decrypt passwords saved in web browsers like Google Chrome. Hammond emphasizes that these passwords, although encrypted, are stored locally on the computer and can be read by anyone with access to the file system. It is crucial to remember that this poses a significant security risk, as cybercriminals can potentially uncover your saved passwords without much effort. He strongly suggests using a dedicated password manager instead of relying on the browser's built-in one.

First, Hammond encourages viewers to register for the upcoming Capture The Flag (CTF) competition scheduled from June 15th to June 17th. Then he walks viewers through the process of setting up a test account in Google Chrome, showing how to save a password. Once the password is saved, he demonstrates how to locate specific files on the hard drive that will allow for decryption. The demonstration showcases just how simple it is to access these sensitive details, further underscoring the dangers of saving passwords directly in a web browser.

Next, he shows how to use a text editor to open the Local State JSON file, which contains the encrypted key. He moves on to locate the actual encrypted passwords, stored in the Login Data SQLite database. Hammond points out that there are numerous tools available for decrypting saved passwords, which becomes a pressing issue when such tools are in the wrong hands, highlighting the potential for misuse by hackers.
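To make the file layout Hammond walks through concrete, here is an added example (not Hammond's script and not the GitHub tool he uses) that parses a Chrome profile's Local State and Login Data the way an audit or forensic triage script would, reporting which scheme protects each saved credential without decrypting anything. The prefix bytes and lengths are those used by Chromium's os_crypt code on Windows; the profile data below is constructed, not taken from a real profile.

```python
import base64
import json
import os
import sqlite3
import tempfile
# Markers from Chromium's os_crypt on Windows: the AES key in Local State is DPAPI-wrapped
# and prefixed "DPAPI"; a password_value is "v10" + 12-byte nonce + AES-GCM ciphertext + 16-byte tag.
DPAPI_PREFIX = b"DPAPI"
AESGCM_PREFIX = b"v10"
NONCE_LEN = 12
TAG_LEN = 16

def inspect_local_state(local_state_json: str) -> dict:
    """Report how the profile's password key is protected, without unwrapping it."""
    state = json.loads(local_state_json)
    blob = base64.b64decode(state["os_crypt"]["encrypted_key"])
    wrapped = blob.startswith(DPAPI_PREFIX)
    key_blob = blob[len(DPAPI_PREFIX):] if wrapped else blob
    # Wrapped only by user-scope DPAPI: any process running as that user can unwrap it.
    return {"wrapped_by_user_dpapi": wrapped, "wrapped_key_len": len(key_blob)}

def classify_password_blob(blob: bytes) -> dict:
    # Name the scheme protecting one logins.password_value blob and split its layout.
    if blob.startswith(AESGCM_PREFIX):
        body = blob[len(AESGCM_PREFIX):]
        return {"scheme": "aes-256-gcm", "nonce": body[:NONCE_LEN],
                "ciphertext_len": max(len(body) - NONCE_LEN - TAG_LEN, 0)}
    # Rows written before Chrome 80 are bare DPAPI blobs with no version prefix.
    return {"scheme": "legacy-dpapi", "nonce": b"", "ciphertext_len": len(blob)}

def inspect_login_data(db_path: str) -> list:
    # Walk the logins table and classify every stored credential.
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT origin_url, username_value, password_value FROM logins ORDER BY rowid").fetchall()
    con.close()
    return [{"origin_url": u, "username": n, **classify_password_blob(p)} for u, n, p in rows]

# Constructed sample data (not a real profile): a 32-byte dummy wrapped key, one "v10" row
# with a 20-byte ciphertext, and one legacy row that is a bare DPAPI-style blob.
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + b"\x01" * 32).decode()}})

def build_sample_login_data() -> str:
    path = os.path.join(tempfile.mkdtemp(), "Login Data")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://ctf.example.test/", "test account",
         AESGCM_PREFIX + b"\xaa" * NONCE_LEN + b"\xbb" * 20 + b"\xcc" * TAG_LEN),
        ("https://old.example.test/", "legacy", b"\x01\x00\x00\x00" + b"\xdd" * 40)])
    con.commit(); con.close()
    return path
```

Run against a real profile, the same two functions tell you whether every stored credential is protected by nothing stronger than the user's DPAPI key, which is exactly the exposure the video demonstrates.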

As the video progresses, viewers learn that even those without advanced technical knowledge can easily decrypt stored passwords. He stresses the importance of securing one's data and the necessity of avoiding the built-in password managers in browsers. Instead, he advocates for using external password managers like Passbolt, which he views as a much safer option for keeping passwords secure. With its open-source nature and community support, Passbolt provides features that help users maintain strong data protection.

Finally, John Hammond concludes his video by summarizing the decryption demonstration and showing just how straightforward it is to access previously saved data. He notes the impressive view statistics for his video at the time of writing, with a total of 299,277 views and 7,166 likes, indicating the significant interest in the topic among viewers. He wraps up by encouraging viewers to participate in the CTF competition and to consider safer password management methods.

Timeline summary

  • 00:00 Introduction to password saving in web browsers.
  • 00:06 Discussion about the security of saved passwords.
  • 00:30 Demonstration of recovering and decrypting passwords.
  • 00:36 Creating a test account on a website for demonstration.
  • 00:52 Announcement of an upcoming capture the flag competition.
  • 01:06 Setting up a dummy user account.
  • 01:28 Prompt to save the newly created password in Google Chrome.
  • 01:53 Instructions on managing saved passwords in Chrome.
  • 02:06 Potential risks of saved passwords being accessed by hackers.
  • 02:30 Overview of accessing local files related to Chrome's password manager.
  • 03:02 Locating the encryption key for the stored passwords.
  • 03:26 Finding the login data file stored locally.
  • 06:50 Introduction to existing tools for decrypting saved passwords.
  • 07:19 Explaining the encryption method used for saved passwords.
  • 08:42 Successful demonstration of retrieving the saved password.
  • 09:01 Final thoughts on the ease of accessing saved passwords.
  • 09:18 Caution against relying on browser password managers.
  • 09:33 Comparing this method to potential capture the flag challenges.
  • 10:19 Acknowledgment of resources and scripts available online for this process.
  • 10:31 Closing remarks and encouragement to explore alternative password managers.

Transcription

You know, whenever you click save password in your web browser, whether it be Google Chrome or Firefox or Microsoft Edge, or, God forbid, Internet Explorer, those passwords are saved and encrypted locally to your computer inside of a password vault and cache, but they can very easily be retrieved, revealed, and uncovered by any individual actor or person who has access to your file system. I'll note, read between the lines here, that could very well mean a hacker or threat actor. In this video, I want to show you just how easy it is: you can recover, reveal, and decrypt these passwords. And if you don't mind, I'd love for you to follow along, because in this video I'm going to be showcasing the technique against Google Chrome. I have this open in my web browser right now for ctf.nahamcon.com because I'm going to create a test account, a little dummy user for a throwaway password that we can use for demonstration and showcase, but this is at least a little bit of a plug for the upcoming capture the flag competition that I'm hosting, NahamCon. We've been doing this event for four years in a row now, but it's coming up super quick, June 15th to June 17th. So if you haven't registered and would love to play, please do so. We can't log into an account just yet because we do need to register a new user, and I'm going to create an account. We'll just say test account, and I'll throw in a dummy email address. And now let me create a password. I'll do wow super secure secret password one two three exclamation point at sign hashtag. Cool. We can go ahead and submit that. And now we have a new registered, created account within our Google Chrome browser. Now note, it goes ahead and asks me, hey, would you like to save this password? And we can go ahead and click save. Passwords are saved to the Google Password Manager on this device. Let's hit save here. And remember that password is saved locally to this computer, to this device. I'm using my host computer right now to showcase this.
And actually, if you didn't know, uh, you could actually go and click on the little key up here. You can manage passwords that you might have saved for different sites. And note that I have this one saved right here. We could go ahead and take a look at it. Uh, it might prompt you for your password, but that'll ask for your local password for that computer. And then you could view the password as it is. Wow, a super secure secret password, as I suggested, but obviously this is all within Google Chrome, and you were prompted to ask that. Note, any hacker or threat actor could grab this. Now, let me show you this. I'm over here on my desktop and I'm going to open up the File Explorer, where I could go ahead and hit Ctrl+L on my keyboard to jump to the address or location bar. And I'm going to go to C:\Users\JohnH for my user profile, under AppData, Local, and under Google. Now Google will give us a couple of different spots here, but Google Chrome is obviously what we're looking for. And in the User Data folder here, there are a ton of different files, but one of the most interesting ones is this Local State. And then we can go ahead and right-click this to open with Sublime Text or whatever text editor you might like. Now, this is a JSON file, or JavaScript Object Notation. So I'm going to hit Ctrl+Shift+P in Sublime Text so I can use Pretty JSON, which is a plugin that I've installed, and that way we could actually format this JSON and make it a little bit easier to read and look through. Now I want to be looking for something that is unique and interesting to our exact instance. And here it is: os_crypt, for the cryptography of this operating system, right? And the encrypted key. Now, all of this is this base64 gross long string, but it is an encryption key that will be very, very useful for actually decrypting the passwords. Now we have one piece of the puzzle.
We have the encryption key that is local to this computer, to this device that we have gained access to as threat actors or hackers. But now we need to find the encrypted passwords themselves. Again, when you're using your web browser, whether it be Firefox, Google Chrome, or whatever, those are stored locally if you tell the browser to save them. That is part of the reason why folks tend to say, oh, don't use your browser's built-in password manager. You can take that for what it's worth, a grain of salt or whatever. But if I may, I really like using a separate password manager, one that I'm a huge fan of. And if you don't mind, I'd love to give a little bit of love and support for the sponsor of today's video, Passbolt. I don't know any of my passwords. I don't know what they are. They're all crazy long and complex. They even have emojis in them. And that's because I use a password manager, and I'm a huge advocate for using a password manager to generate completely unique and secure passwords for each service or account you use. And personally, I use Passbolt. It's become my daily driver and main password manager. Passbolt is a free and open source password manager that allows both individuals and team members to store and share passwords securely. I absolutely love how easy Passbolt is to use and how you can make it solely your own. You control your data. You can host your own Passbolt management instance completely for free and run it on your own Linux servers or Raspberry Pi, or deploy it straight to the cloud with hosting providers like AWS or DigitalOcean, or just let Passbolt handle it all for you. You can easily create and store passwords and autofill wherever you need to with the Passbolt browser extension and their mobile app that even has biometrics for quick and easy authentication. On top of that, Passbolt is completely open source.
You can look through the code on GitHub, extend it with their REST API, integrate with it on the command line, and even contribute and hack on the code. Best of all, they are a thousand percent passionate about hearing from the community. They want the feedback to make your password manager the best it can be, now including two-factor authentication on free accounts and even transitioning more of the subscription tier features into their community edition. I love it. You can get started with Passbolt for free with my link below in the video description. Their cloud instance is incredibly easy to spin up, and they take extra precautions to keep everything secure, even with a private key, backup codes, and a unique color and PIN to protect you against phishing attacks. It is password security done the right way with Passbolt. Huge thanks to Passbolt for sponsoring this video. All right, back into the action here. We have our encrypted key for all the passwords, but we still need to find the encrypted passwords themselves. So let's go back into our file explorer. We're inside of that Google Chrome User Data cache, in the local AppData directory. And we were just taking a look at this Local State file, but now I want to move us to this Default directory. Inside of here, you actually have some other interesting stuff. In fact, scrolling down, you should have a file that refers to the login data. Here's my silly, stupid Google profile picture, but there is the Login Data file. And we can try and open this with Sublime Text, but it is a binary file. It's all raw bytes because it's actually a SQLite database. Now, of course, you could open up this file within a database browser, like a SQLite database browser, and that's in fact exactly what I use. I tend to use it on Linux. I don't have it installed on Windows right now, but that is one great option. And of course you could write some code to carve through this database and grab some of the interesting stuff.
And in fact, that is exactly what we're going to do, because there are already tons of utilities out there across the internet to decrypt these Chrome passwords, or Firefox or whatever web browser you're using, again, locally on your device. This one is awesome, put together by this GitHub user out and about here. It has a couple of dependencies, but we can go ahead and work with it and then see this thing in action. We can actually decrypt these saved passwords without maybe knowing what they were in the first place. Maybe we're doing some forensic investigation, or we're just trying to steal, exfiltrate, pillage the village as a red teamer or penetration tester. Here's all the syntax, and the gist is it is encrypted with AES. Bear in mind, AES is that Advanced Encryption Standard, but the initialization vector and everything that we need to pull out to actually decrypt this is all already present. And there we could honestly just, hey, press the I believe button, go with it. I don't need to drill us down into all of the intricacies of AES encryption right now, I don't think, but let's go ahead and save this file and I'll put it on my desktop super duper quick. Now I'm going to open up a terminal and I will move into the desktop directory. I'll full screen this, and we can take a look at what we have here, because all I have is the decrypt Chrome passwords .py script. And we can run that with Python, even installed on Windows. So I will use py on my decrypt Chrome passwords script, and note, this has a couple of dependencies that we saw in the README. You will want to install, I believe, pypiwin32 crypt. I think that's the right one. Oh no, it is just pypiwin32. Uh, that is for the win32crypt library that it tries to import. Another one worthwhile is pip install pycryptodomex. Yeah, there are a whole lot of, like, weird, different crypto, cryptography, cryptodomex synonyms and different variations across pip and Python.
But that is what I tend to, uh, install and have had success with. So I can go ahead and run my decrypt Chrome passwords .py. And there it is. Look, check it out. Here is our wow super secure secret password one two three exclamation point at sign hashtag for the NahamCon CTF coming up this June 15th to June 17th. You should really sign up and come play. I'm really stoked for it. And actually it looks like it actually pulled a whole nother, uh, password that maybe I didn't have deleted or removed for the sake of this video. So, whoops, now you know it really works, but that is it. It is literally that easy. It's just a matter of tracking down the profile for Firefox, for Google Chrome, whatever browser you're using, and then grabbing all the ingredients that are necessary, all the puzzle pieces, to go ahead, decrypt, reveal, and unravel the passwords that you might save locally. Don't do it. Just don't, I don't know. Don't trust the browser here and there, because if it's already locally installed, there might be some dragons there here and there. Don't use synchronized passwords across every service, always be having a real one. And I don't know, I really feel like maybe some other password manager might be able to save the day on that. And by the way, this might be a very common capture the flag challenge just as well. If you're cutting through the forensics category or anything, this was for a past event, GrimmCon back in 2020, uh, maybe seeing some similar stuff over at NahamCon if you play this weekend, but the data dump challenge that I put together was Firefox. It was a local Firefox profile that you were able to download, again, find the SQLite database and decrypt and uncover this with the utility called Dumpzilla.
So there's tons of interesting stuff out there, but I thought, you know what, maybe this is worthwhile to showcase, and hey, credit where credit is due, uh, this GitHub user that put together this great script to decrypt Chrome passwords. They did a phenomenal writeup over on Medium where you could actually go take a look at how this comes together. And this is exactly the Python script to crack and retrieve a lot of these Chrome passwords. They also do a pretty good job of discussing a little bit more of the Advanced Encryption Standard and that AES crypto scheme that it's using to actually work with these encrypted passwords. If you want to go take a closer look at some of the symmetric, asymmetric, whatever shenanigans of initialization vectors and all that, you can, of course, uh, dig into that just as well. Hey, thanks so much for watching, everyone. I hope you enjoyed this video. I hope it was kind of cool. I hope it was neat to see, wow, just how easy it is to pull down, retrieve, recover, and reveal all of those encrypted passwords that you just might save locally, but look, you don't have to, uh, there are other options out there for other sweet password managers. If you don't mind, go, please send some love to our sponsors and sign up for the NahamCon capture the flag. I'm so stoked for that game. We're gonna have a ton of fun. Thanks everyone. See you in the next video.