
Stealer ChromeKatz - Dump cookies and credentials directly from Chrome/Edge process memory

dEEpEst


ChromeKatz

ChromeKatz is a solution for dumping sensitive information from the memory of Chromium-based browsers. As of now, ChromeKatz consists of two projects:

  1. CookieKatz - The cookie dumper
  2. CredentialKatz - The password dumper

Both tools have an exe, a Beacon Object File, and a minidump parser available.

CredentialKatz - Dump credential manager contents from memory

CredentialKatz is a project that allows operators to dump all credentials from the Credential Manager of Chrome and Edge. Most of the time, Chromium-based browsers keep your passwords in the credential manager encrypted until they are needed: either viewed in the credential manager or auto-filled into a login form. But for whatever reason, the passwords_with_matching_reused_credentials_ member of the PasswordReuseDetectorImpl class is populated with all credentials from the credential manager, in plain text. This includes all credentials you have added to the password manager locally. If you have logged into the browser with your account, it also includes all the passwords you have ever synced with that account.

There are a few perks to accessing credentials this way:

  1. Dump credentials from other users' browsers when running elevated
  2. DPAPI keys are not needed to decrypt the credentials
  3. No need to touch the on-disk database file
  4. Parse the credential manager offline from a minidump file

This solution consists of three projects: CredentialKatz, which is a PE executable; CredentialKatz-BOF, the Beacon Object File version; and CredentialKatzMinidump, which is the minidump parser.

CookieKatz - Dump cookies directly from memory

CookieKatz is a project that allows operators to dump cookies from Chrome, Edge or Msedgewebview2 directly from the process memory. Chromium-based browsers load all their cookies from the on-disk cookie database on startup.

The benefits of this approach are:

  1. Support for dumping cookies from Chrome's Incognito and Edge's In-Private processes
  2. Access cookies of other users' browsers when running elevated
  3. Dump cookies from webview processes
  4. No need to touch the on-disk database file
  5. DPAPI keys are not needed to decrypt the cookies
  6. Parse cookies offline from a minidump file

On the negative side, even though the method of finding the correct offsets in memory is currently stable and works on multiple different versions, it will definitely break at some point in the future. 32-bit browser installations are not supported, and 32-bit builds of CookieKatz are not supported either.

Currently only regular cookies are dumped. Chromium stores [link removed] in a different place, and they are currently not included in the dump.

This solution consists of three projects: CookieKatz, which is a PE executable; CookieKatz-BOF, the Beacon Object File version; and CookieKatzMinidump, which is the minidump parser.
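Both CredentialKatz and CookieKatz work by reading another process's memory rather than touching the on-disk databases, so the defender-side signal is the cross-process memory access itself. The following is an added detection example, not ChromeKatz code and not part of the original post: it scans constructed records modelled on Sysmon Event ID 10 (ProcessAccess) fields and flags any non-allowlisted process that opens chrome.exe, msedge.exe or msedgewebview2.exe with PROCESS_VM_READ. The pipe-delimited record format, the sample events and the allowlist are assumptions made for the example.

```python
"""Flag cross-process memory reads of Chromium-based browsers.

Added detection example (not ChromeKatz code). Records are constructed to
mirror the SourceImage / TargetImage / GrantedAccess fields of Sysmon
Event ID 10; the pipe-delimited layout is an assumption for this example.
"""
from dataclasses import dataclass

# Windows process access rights (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Browser images the page names as targets (chrome, edge, edge webview).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "msedgewebview2.exe"}

# Hypothetical allowlist of sources that legitimately read browser memory
# in a given environment (crash handlers, EDR agents, ...). Tune per site.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\werfault.exe",
}


@dataclass
class ProcessAccessEvent:
    utc_time: str
    source_image: str
    target_image: str
    granted_access: int


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one 'Key=Value|Key=Value' record into an event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccessEvent(
        utc_time=fields["UtcTime"],
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccessEvent) -> bool:
    """True when a non-allowlisted, non-browser process can read browser memory."""
    if basename(ev.target_image) not in BROWSER_IMAGES:
        return False
    if ev.source_image.lower() in ALLOWLISTED_SOURCES:
        return False
    # Browser processes open each other constantly (browser <-> renderer);
    # those are noise for this rule.
    if basename(ev.source_image) in BROWSER_IMAGES:
        return False
    # Reading the heap needs PROCESS_VM_READ; query-only handles cannot dump it.
    return bool(ev.granted_access & PROCESS_VM_READ)


def find_suspicious(lines):
    """Return the events from an iterable of records that trip the rule."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # browser opening one of its own renderers: expected, ignored
    r"UtcTime=2024-05-01 10:00:00.000|SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    # allowlisted system component
    r"UtcTime=2024-05-01 10:00:01.000|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1410",
    # unknown user-profile binary with VM_READ on Edge: flagged
    r"UtcTime=2024-05-01 10:00:02.000|SourceImage=C:\Users\alice\Downloads\tool.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1410",
    # same binary reading a non-browser: out of scope for this rule
    r"UtcTime=2024-05-01 10:00:03.000|SourceImage=C:\Users\alice\Downloads\tool.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1410",
    # query-limited handle on a webview process: cannot read memory, ignored
    r"UtcTime=2024-05-01 10:00:04.000|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.utc_time} {ev.source_image} -> {ev.target_image} "
              f"access=0x{ev.granted_access:X}")
```

The rule keys on the access mask rather than on the tool name because, as the page notes, the offline variants parse a minidump instead of a live process; the dump itself is still produced by something that opened the browser with read access, so the same event fires at dump time. Elevated runs against other users' browsers look identical in this telemetry, which is why the allowlist should be narrow and the source path, not just the file name, is compared.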
