Hello, and welcome to this course in which we're talking about using Python for credential access. In this video, we're going to talk about dumping user credentials from the Chrome browser. We're going to start this video by talking about Chrome's version history, because it's important here. So prior to 2020, Chrome was at version 79 or earlier, and back then dumping user credentials from the Chrome browser was fairly simple. The code for doing that is shown on the screen here. The reason it was simple is that Chrome pretty much just used the built-in Windows data protection for encrypting the user passwords stored in the browser. So let's walk through this code really quickly before we get into the modern version. Here we're just trying to gain access to the directory and the file that store Chrome's login data. It's typically in the user's home directory, under AppData\Local\Google\Chrome\User Data\Default, and in there is a file called Login Data. This file is actually accessible as a database via SQLite 3, so if we use Python's sqlite3 library we can connect to that database, get a cursor on it, and then execute statements against it. In this case we're asking for the origin URL, the username and the password from the logins table in the Login Data database. We then use our cursor to fetch all results and iterate over them. The URL and username are stored in plain text, making them easy to access; the password is a little bit different. We use win32crypt's CryptUnprotectData to access it. What Chrome does is encrypt the user password with the login password of the system user, which, since we're logged into that user account, we have access to. So if we call CryptUnprotectData, we can decrypt the password and read it. This is the easy version of dumping credentials from Chrome: if you've got something stored using a Chrome browser version lower than 80, this simple version will work.
However, with version 80, Chrome updated its encryption and how it stores this data, making dumping credentials from Chrome a little bit more complicated. Over here we have sample code for actually dumping those credentials from Chrome, and it differs in two important ways from the pre-80 version. One is that AES is now used to encrypt the passwords stored in the database. The second is how we get the master key for this database. That key is stored in a file called Local State, in a very similar directory to the one where we got the Login Data database; instead of going into the Default folder and then accessing Login Data, we go directly to Local State. This key naturally isn't stored unencrypted either, but it is stored using the same technique that was previously used to protect the passwords in the Login Data database, meaning that as long as we have access to the system, we have access to the key we need to decrypt Chrome credentials. So let's start down at the bottom of this section of code, in our main area, and work through it. The first step in the process is gaining access to the master key that's used to AES-encrypt the data stored in our Login Data table, which we'll be accessing in the same way as before: it's still a SQLite database, we can use sqlite3 to access it, and so on. But first we need this key. So our get_master_key function here accesses that Local State file. We've got a copy of it open here, and what we care about is this section, os_crypt, and within it the encrypted_key value. Our code is going to access this value, and if you're familiar with common encodings, you'll notice it's base64 encoded. So our first step, after we read in that data, is to load the JSON object that we see here and then extract the particular part that we want from this section.
We need to use base64 decode to turn that back into the original stream of bytes. Once we do that, we've got the information we need about the master key: bytes 5 onward are the encrypted version of the master key. So we can then call CryptUnprotectData, just as we could in the previous version of the code, to gain access to that encryption key. This change that Chrome made really just adds an extra step to the process: where previously we'd be able to use CryptUnprotectData to access the passwords directly, now that same level of protection is applied to the master key used here. With our master key, we can access the data in the database. So we get our path to Login Data, and we make a copy of it, because if Chrome is running the file is locked, whereas if Chrome is closed it is not. So whether making a copy is needed depends on whether there's an instance of Chrome running on the system. We then connect as before, get a cursor, and extract that same information, the URL, username and password, from the logins table. We fetch all the results and break them out into the URL, username and encrypted password. Then we actually decrypt that password. As I mentioned, we're now using AES instead of the built-in Windows protections. If we look at decrypt_password, we see that the stored blob includes a unique initialization vector, followed by the actual encrypted password. We can then use functionality built into PyCryptodomex to create an AES instance, decrypt the payload, and get the decrypted password. Then we have to remove a few suffix bytes and decode to an encoding our system can use. After we've decrypted that password, we know it and we're able to print out the results as before. As I mentioned, this is a lot more complicated than it used to be.
However, this still offers no greater level of protection for the Chrome credentials as long as we have access to a logged-in user account, because the login information is what CryptUnprotectData uses to give us access to that master key, or previously to the passwords themselves. So as long as we have that logged-in user account, we can still dump passwords from Chrome. Let's run this program now. We do python ChromeDump.py, hit Enter, and we see that in this particular case we have a URL of example.com, a username of user, and a password of password!123. This demonstrates a way to get passwords out of one of the major browsers, and there's certainly code available, written in Python, for dumping passwords from Firefox, Safari, etc. So when performing discovery or trying to access user credentials on a system, it's worth looking at the browsers and seeing if user credentials may be stored there, because if they are, there's a chance those same passwords will be reused for other accounts on the system, online, and on the network. Thank you.
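From the defensive side, the access pattern the video describes (a non-browser process reading Local State for the master key and then the Login Data database) is exactly what file-access telemetry can catch. The following detector is an added example, not part of the course code; it runs that rule over constructed Sysmon-style records, and the field names, the chrome.exe allowlist and the sample events are all assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Chrome files the video walks through (matched case-insensitively): Local State
# holds the DPAPI-protected AES master key, Login Data the encrypted logins.
LOCAL_STATE = r"\google\chrome\user data\local state"
LOGIN_DATA = r"\google\chrome\user data\default\login data"
# Images expected to open those files: an assumption for this example, tune per estate.
ALLOWED_IMAGES = {"chrome.exe"}

# Constructed Sysmon-style file-access records, not real telemetry.
SAMPLE_EVENTS = [
    r"Host=WS01 Image=C:\Program Files\Google\Chrome\Application\chrome.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Host=WS01 Image=C:\Users\alice\AppData\Local\Programs\Python\python.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"Host=WS01 Image=C:\Users\alice\AppData\Local\Programs\Python\python.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Host=WS02 Image=C:\Windows\System32\notepad.exe TargetFilename=C:\Users\bob\Documents\notes.txt",
    r"Host=WS02 Image=C:\Tools\backup.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State",
]

_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value pairs; values may contain spaces


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(_KV.findall(line))


def classify_target(path):
    """Name the Chrome secret file a path points at, or None for anything else."""
    p = path.lower()
    if p.endswith(LOCAL_STATE):
        return "local_state"
    if p.endswith(LOGIN_DATA):
        return "login_data"
    return None


def detect(events):
    """Return (host, image, severity, files) for non-browser images that read
    Chrome's key file or login DB; reading both, as a dumper must, is rated high."""
    touched = defaultdict(set)
    for line in events:
        ev = parse_event(line)
        kind = classify_target(ev.get("TargetFilename", ""))
        image = ntpath.basename(ev.get("Image", ""))
        if kind is None or image.lower() in ALLOWED_IMAGES:
            continue
        touched[(ev.get("Host", "?"), image)].add(kind)
    alerts = []
    for (host, image), kinds in sorted(touched.items()):
        severity = "high" if {"local_state", "login_data"} <= kinds else "medium"
        alerts.append((host, image, severity, tuple(sorted(kinds))))
    return alerts
```

On the constructed sample, python.exe on WS01 is rated high because it read both files in the order the dumper needs, while the backup agent on WS02 only touched Local State and is rated medium for analyst review.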