Forum Thread: How to Gather Saved Passwords

I have succesfully exploited a pc and i got the meterpreter i managed to run vnc but the problem is i can't dump sam file , or anyother option similar to it , i already got system id but i guess its because of kaspersky installed on that pc .

My main point is how can i gather all the save accounts in browsers , plus is there a way to steal an open session ? for example if he is using whatsapp web can i steal that session and use in on my pc ,

16 Responses

browser passwords are stored somewhere in User/Appdata/blabla
encrypted in sqlite files..at least that's what i remember..
If you have meterpreter you shoud be able to dump SAM.file..

however, you can use wireshark to sniff tcp packets then add filter : 'http.cookie' to find http cookies and inject them into your browser with the help of greasemonkey for example..

Good Luck

@ANTHON thank you for your reply ,as for the sniffer i will try it out but i need to read a tutorial first .

as for browser passwords i know they are in this folder i already copied them to my local machine but i was wondering .. if i replace the my local profile content with the victim Profile content wouldn't it work ?.

does it still works ?! i tried it with no luck on facebook ..

did you use SSLStrip+ with HSTS bypass?

-Phoenix750

What's the extent of your access? Are you an administrator?

yes i'm an administrator and i'm using psexecpsh exploit , after that i'm using getsystem command my meterpreter is reversetcp

Use the meterpreter and use hashdump to get the password hashes.

didn't work , and i know its strange i used it before on another pc , could it be because of the antivirus ? and is there a new way other than killav to stop it ? thanks you :-)

Have you tried uploading pwdump?

yep and still didn't work .. i tried using it in both ways through memory and executing it from a shell .
my lab pc is windows 8.1 updated + kaspersky installed , does make any difference in case if its updated or not ?

it could make a difference. but i'm not sure.

try disabling kaspersky with killav.

-Phoenix750

thank you phoenix750 for your hint , but i already tried that , and no luck i guess that script is old or its only work when autoprotect on kaspersky is off , and by default its always on .

If you have VNC on the target, why not just turn off the AV?

I adapted a small Python script to decrypt the sql database from chrome and send the text file to a listener. I can release it if you'd like. Chrome uses an inbuilt windows function which means if you encrypt data on a machine it can only be decrypted on the same machine. Which is what my program does; it decrypts it on the same machine and stores it as plaintext. If you'd like I can release it later today, when I get home.

Robyn

I'll also link the page with the original script which I modified :P

Robyn

EDIT: I found it here . It explains the cryptprotectdata function really well

Share Your Thoughts

  • Hot
  • Active