enum_chrome not decrypting login data #19063

Open · Murph000 opened this issue Apr 8, 2024 · 14 comments
Labels: bug, Stale (Marks an issue as stale, to be closed if no action is taken)

Comments

Murph000 commented Apr 8, 2024

Steps to reproduce

How'd you do it?

  1. Use post/windows/gather/enum_chrome.rb as user or system (with migration true)
  2. Run on Windows 10 machine (tested on multiple up to date windows and chrome installations)

Expected behavior

Standard decryption and exporting of password data

Current behavior

Calls error

Metasploit version

Framework: 6.4.1-dev
Console : 6.4.1-dev

Console output:

[*] Impersonating token: 4064
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240407224804_default_45.79.141.93_chrome.raw.WebD_663155.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240407224805_default_45.79.141.93_chrome.raw.Histo_017257.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240407224812_default_45.79.141.93_chrome.raw.Login_408314.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240407224813_default_45.79.141.93_chrome.raw.Bookm_720767.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240407224813_default_45.79.141.93_chrome.raw.Prefe_116106.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:378:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `run'
[*] Post module execution completed
Murph000 added the bug label Apr 8, 2024

nrathaus (Contributor) commented Apr 8, 2024

Can you modify your /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb file and change it from:

            cipher.iv = enc_data[3..14]
            ciphertext = enc_data[15..-17]
            cipher.auth_tag = enc_data[-16..]

To:

            print_status("enc_data: #{enc_data}")
            cipher.iv = enc_data[3..14]
            ciphertext = enc_data[15..-17]
            cipher.auth_tag = enc_data[-16..]

To get the content of enc_data?

Murph000 (Author) commented Apr 9, 2024

To my uneducated eye I see no difference:

[+] Downloaded Web Data to '/root/.msf4/loot/20240408205508_default_71.226.250.46_chrome.raw.WebD_541215.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240408205509_default_71.226.250.46_chrome.raw.Histo_242454.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240408205517_default_71.226.250.46_chrome.raw.Login_819038.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240408205518_default_71.226.250.46_chrome.raw.Bookm_175064.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240408205519_default_71.226.250.46_chrome.raw.Prefe_963829.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:207:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:378:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:375:in `run'
[*] Post module execution completed

nrathaus (Contributor) commented Apr 9, 2024

Nothing got printed, did you reload_all or restart msfconsole?

Murph000 (Author) commented Apr 9, 2024

Apologies, forgot to, here is the new output:

[*] Impersonating token: 16308
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240409190801_default_73.33.253.190_chrome.raw.WebD_912879.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240409190802_default_73.33.253.190_chrome.raw.Histo_393266.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240409190809_default_73.33.253.190_chrome.raw.Login_412976.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240409190810_default_73.33.253.190_chrome.raw.Bookm_315029.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240409190810_default_73.33.253.190_chrome.raw.Prefe_486057.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] "enc_data: #{enc_data}"
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed

nrathaus (Contributor) commented Apr 10, 2024

Something with your copy-pasting went wrong, it should have printed this:
enc_data: [...data...]

And not:
"enc_data: #{enc_data}"

I seem to have pasted the wrong code, try this:
print_status("enc_data: #{enc_data}")

Murph000 (Author) commented:

Thank you, apologies for the delay, here is the new output:

[+] Downloaded Web Data to '/root/.msf4/loot/20240411170353_default_71.226.250.46_chrome.raw.WebD_226980.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240411170354_default_71.226.250.46_chrome.raw.Histo_787563.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240411170402_default_71.226.250.46_chrome.raw.Login_779870.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240411170404_default_71.226.250.46_chrome.raw.Bookm_364976.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240411170404_default_71.226.250.46_chrome.raw.Prefe_082933.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data: v10???X????W?j???[?N~?e?????Z???E?_
[*] enc_data: v10?*???V?\????c??u^9?7?S?W+N??Nz▒D?
[*] enc_data: v10BLy?Vw?>e0h????h????
                                     %?C?8?z
[*] enc_data: v10??g
?^??Q?~?@?8@??k1?0r?e?7C?X?f
[*] enc_data: v10?Q??g?;?w?f???5?2?c5AK?f9\m??f11?x
[*] enc_data: v10????}??c?\?????????d'pqc
                                         ?
[*] enc_data: v10nD??}<??z?T??+2??8?}?5?oS???As??
[*] enc_data: v10????[?z????R?▒??????`Lc;?f????
[*] enc_data: v10 ▒?????????W?yo?.?,?U?5>@\^[{??8
[*] enc_data: v10????G:?Y??q??<?jP&
                                   Ia?%~E:E??
[*] enc_data: v10V?F*?@?????z?o8???J??Em??????
_E?"?LMp???[: v10b?d?_?'7?)??B ?? ?
[*] enc_data: v10???8**~I???=%?lP?f?m?
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed

nrathaus (Contributor) commented:

It seems like your enc_data is too short?!

Can you change it to this:
print_status("enc_data len: #{enc_data.length()}")

Murph000 (Author) commented:

It returned the length as 31:

[*] Impersonating token: 12460
[*] Running as user 'DESKTOP-7IHT9N8\Rick'...
[*] Extracting data for user 'Rick'...
[+] Downloaded Web Data to '/root/.msf4/loot/20240413172341_default_10.0.0.94_chrome.raw.WebD_404667.txt'
[-] Cookies not found
[+] Downloaded History to '/root/.msf4/loot/20240413172342_default_10.0.0.94_chrome.raw.Histo_683194.txt'
[+] Downloaded Login Data to '/root/.msf4/loot/20240413172348_default_10.0.0.94_chrome.raw.Login_678351.txt'
[+] Downloaded Bookmarks to '/root/.msf4/loot/20240413172349_default_10.0.0.94_chrome.raw.Bookm_560730.txt'
[+] Downloaded Preferences to '/root/.msf4/loot/20240413172350_default_10.0.0.94_chrome.raw.Prefe_189370.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data len: 31
[-] Post failed: ArgumentError data must not be empty
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `update'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:208:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:379:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:376:in `run'
[*] Post module execution completed

nrathaus (Contributor) commented:

Yes, 31 is not a "good" number - as the expected minimum value should be at least (X-17-15) where X is 32, as this code:
ciphertext = enc_data[15..-17]

can be empty, but not nil; such is the case with 31, where the range becomes "negative": enc_data[15..14]

I am wondering if: https://github.com/agentzex/chrome_v80_password_grabber/blob/master/chrome_v80_password_grabber.py

Also fails in the same spot, as the logic seems similar, though written in a bit of a different way

Decrypting and then removing the trailing bytes

Can you change:
ciphertext = enc_data[15..-17]

To this:
ciphertext = enc_data[15..]

And see what it prints out?

If it prints out a valid password (with some residual characters at the end), then it would seem there is an option to store passwords in a length that is smaller than 32 bytes.

Murph000 (Author) commented:

It seems that changing ciphertext = enc_data[15..-17] to ciphertext = enc_data[15..] is causing a cipher error.
I had it print the length and the enc data, here is the new output:

[*] Found password encrypted with masterkey
[+] Found masterkey!
[*] enc_data: v10???X????W?j???[?N~?e?????Z???E?_
[*] enc_data len: 46
[-] Post failed: OpenSSL::Cipher::CipherError
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:209:in `final'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:209:in `block (3 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:187:in `block (2 levels) in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `map!'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:183:in `block in process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:167:in `process_files'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:380:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:377:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:377:in `run'
[*] Post module execution completed

nrathaus (Contributor) commented:

I don't know what this malformed line (the one that has only 31 bytes in it) means, you can skip it if you wish by doing this:

        item[:encrypted_fields].each do |field|
          name = res['name_on_card'].nil? ? res['username_value'] : res['name_on_card']
          origin = res['label'].nil? ? res['origin_url'] : res['label']
          enc_data = res[field]

          if enc_data.length < 32
            next
          end

Murph000 (Author) commented:

Hi, I am just about clueless when it comes to ruby, but here is where I used the code you have just provided (lines 204-211), this is what the section of the script looks like:

            cipher = OpenSSL::Cipher.new('aes-256-gcm')
            cipher.decrypt
            cipher.key = masterkey
            item[:encrypted_fields].each do |field|
          name = res['name_on_card'].nil? ? res['username_value'] : res['name_on_card']
          origin = res['label'].nil? ? res['origin_url'] : res['label']
          enc_data = res[field]

          if enc_data.length < 32
            next
          end
            cipher.iv = enc_data[3..14]
            ciphertext = enc_data[15..-17]
            cipher.auth_tag = enc_data[-16..]

I assume I'm just improperly using your code, here is what was in the log file:

[04/15/2024 18:56:25] [e(0)] core: /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb failed to load - SyntaxError /usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:216: else without rescue is useless
          else
          ^~~~
/usr/share/metasploit-framework/modules/post/windows/gather/enum_chrome.rb:395: syntax error, unexpected end-of-input, expecting `end'

nrathaus (Contributor) commented:

No need for the else part

If the if isn't triggered, the code should flow as it was before, so drop the else part:

          if enc_data.length < 32
            next
          end
          cipher.iv = enc_data[3..14]
          ciphertext = enc_data[15..-17]
          cipher.auth_tag = enc_data[-16..]

I don't know if it will prevent the syntax error you are seeing, as there is no rspec (unit test) file for this one
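The length reasoning above and the skip-if-shorter-than-32 workaround both come down to how the slices behave on a short blob. The self-contained Ruby below is an added example, not the module's code or anything posted in this thread: it builds blobs with the same layout the module slices ("v10" prefix, 12-byte nonce, ciphertext, 16-byte tag) under a locally generated key, shows that 3 + 12 + 16 = 31 bytes is exactly a zero-length ciphertext, and that it is Ruby's Cipher#update that raises "data must not be empty" on that empty slice, so such a blob can be handled by skipping update and going straight to final (which still verifies the tag). Helper names and the sample key are assumptions.

```ruby
require 'openssl'

# Blob layout as the module slices it (constructed here for the demo):
#   "v10" (3 bytes) | 12-byte GCM nonce | ciphertext | 16-byte auth tag
# A 31-byte blob is therefore a well-formed encryption of an EMPTY value.
PREFIX = 'v10'.b
MIN_LEN = PREFIX.bytesize + 12 + 16 # 31

# Assumed helper: builds a v10-style blob from a plaintext, only to produce
# test input. The key is a locally generated value, not a real master key.
def build_v10_blob(key, plaintext, iv = OpenSSL::Random.random_bytes(12))
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv
  # Cipher#update raises ArgumentError on an empty string, so skip it for ''.
  ct = plaintext.empty? ? ''.b : cipher.update(plaintext)
  ct << cipher.final
  PREFIX + iv + ct + cipher.auth_tag
end

# Assumed helper: decrypts with the same slices the module uses, but treats a
# zero-length ciphertext as valid. Returns nil for blobs that are malformed
# (wrong prefix, too short) or whose tag does not verify.
def decrypt_v10_blob(key, enc_data)
  enc_data = enc_data.b
  return nil unless enc_data.start_with?(PREFIX) && enc_data.bytesize >= MIN_LEN

  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = enc_data[3..14]
  ciphertext = enc_data[15..-17] # '' (not nil) when bytesize == 31
  cipher.auth_tag = enc_data[-16..]
  # Go straight to final on an empty slice; final still checks the tag.
  plaintext = ciphertext.empty? ? ''.b : cipher.update(ciphertext)
  plaintext + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # tag mismatch: truncated or tampered blob
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32) # constructed demo key
  blob = build_v10_blob(key, 'example-secret')
  empty = build_v10_blob(key, '')
  puts "normal blob: #{blob.bytesize} bytes -> #{decrypt_v10_blob(key, blob).inspect}"
  puts "empty blob:  #{empty.bytesize} bytes -> #{decrypt_v10_blob(key, empty).inspect}"
  puts "truncated:   #{decrypt_v10_blob(key, blob[0, 30]).inspect}"
end
```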

github-actions bot commented:

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions bot added the Stale label May 16, 2024