Chrome Bandit Save
Programmatically extract saved passwords from Chromium based browsers.
Chrome Bandit
Programmatically extract saved passwords from Chromium based browsers.
Browser Support
 Edge |
 Chrome |
 Opera |
|---|---|---|
| macOS only | macOS only | macOS only |
Quick start
brew install breakpointhq/chrome-bandit/chrome-bandit
Usage
chrome-bandit <command>
Useage:
chrome-bandit list list browser passwords
chrome-bandit decrypt decrypt a given password
chrome-bandit <command> -help quick help on <command>
List credentials
Usage: chrome-bandit list [options]
-u, --url <url> only show credentials where the origin url match <url>
-f, --format <format> set the output format: text, json
-l, --login_data <path> set the "Login Data" file path
--chrome
--opera
--edge
-v, --verbose
chrome-bandit list --opera
+----------+----------------------------+--------------------+
| ID | URL | Username |
+----------+----------------------------+--------------------+
| 1 | https://paypal.com/ | [email protected] |
| 2 | https://github.com/session | masasron |
+----------+----------------------------+--------------------+
chrome-bandit list --chrome --url github
+----------+----------------------------+--------------------+
| ID | URL | Username |
+----------+----------------------------+--------------------+
| 235 | https://github.com/session | masasron |
+----------+----------------------------+--------------------+
Decrypt a password
Usage: chrome-bandit decrypt [options]
-x, --port <port> set HTTP server port
-f, --format <format> set the output format: text, json
-l, --login_data <path> set the "Login Data" file path
-b <name>, set the browser process name
--browser_process_name
-p <path>, set the browser executable path
--browser_executable_path
-i, --id <id> decrypt the password for a given site id
-u, --url <url> decrypt the password for the first match of a given url
--chrome
--opera
--edge
-v, --verbose
chrome-bandit decrypt --chrome --url paypal
+-------------------------+---------------------------+-----------------+
| URL | Username | Password |
+-------------------------+---------------------------+-----------------+
| https://www.paypal.com/ | [email protected] | qwerty |
+-------------------------+---------------------------+-----------------+
Background
This project started as a proof of concept to demonstrate how saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by malicious macOS programs. I've decided to turn it into a more robust tool for red teams targeting macOS.
The way passwords are stored on Windows and macOS is different.
On Windows, Chrome uses the Data Protection API (DPAPI) to bind your passwords to your user account. The passwords are store on disk, encrypted with a key accessible only to processes running as the same logged on user.
On macOS, Chrome is storing the credentials in a “Login Data” file located at the Chrome users profile directory. The passwords are stored encrypted on disk, the encryption key is then stored in the user’s Keychain.
macOS Keychain uses Access Control Lists that control which apps have access to Keychain items in macOS. This makes it way harder for malicious programs to programmatically steal saved passwords.
Legal Disclaimer
Usage of this code for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.
Open Source Agenda Badge
