- from os import path
- import sqlite3
- import json
- import base64
- from Crypto.Cipher import AES # pycryptodome
# References:
# https://github.com/gentilkiwi/mimikatz/commit/b098bf37cf71581882e6a1fa45ac58ec87860fd5
# The function below is lifted from https://github.com/borisbabic/browser_cookie3
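def crypt_unprotect_data(
    cipher_text=b'', entropy=b'', reserved=None, prompt_struct=None
):
    """Decrypt *cipher_text* with the Windows DPAPI ``CryptUnprotectData`` call.

    Args:
        cipher_text: the DPAPI-protected bytes.
        entropy: optional secondary entropy that was supplied when the data
            was protected; empty when none was used.
        reserved: passed straight through to ``CryptUnprotectData``
            (the API expects NULL, i.e. ``None``).
        prompt_struct: passed straight through; ``None`` means no prompt
            structure, and ``CRYPTPROTECT_UI_FORBIDDEN`` forbids any UI.

    Returns:
        ``(description, plaintext)``: the description string stored with the
        blob (``None`` if there was none) and the decrypted bytes.

    Raises:
        RuntimeError: if ``CryptUnprotectData`` reports failure.
        AttributeError: off Windows, where ``ctypes.windll`` does not exist.
    """
    # Local imports: ctypes.windll only exists on Windows, and the caller
    # has already established that this runs there.
    import ctypes
    import ctypes.wintypes

    class DataBlob(ctypes.Structure):
        # Mirrors the Win32 DATA_BLOB layout: a length plus a byte pointer.
        _fields_ = [
            ('cbData', ctypes.wintypes.DWORD),
            ('pbData', ctypes.POINTER(ctypes.c_char)),
        ]

    def as_blob(raw):
        return DataBlob(len(raw), ctypes.create_string_buffer(raw))

    blob_in = as_blob(cipher_text)
    blob_entropy = as_blob(entropy)
    blob_out = as_blob(b'')
    desc = ctypes.c_wchar_p()
    CRYPTPROTECT_UI_FORBIDDEN = 0x01  # never pop up a UI prompt

    crypt32 = ctypes.windll.crypt32
    kernel32 = ctypes.windll.kernel32
    if not crypt32.CryptUnprotectData(
        ctypes.byref(blob_in), ctypes.byref(desc), ctypes.byref(blob_entropy),
        reserved, prompt_struct, CRYPTPROTECT_UI_FORBIDDEN, ctypes.byref(blob_out)
    ):
        raise RuntimeError('Failed to decrypt the cipher text with DPAPI')

    try:
        description = desc.value
        # Copy the plaintext out of the buffer DPAPI allocated before it is
        # released below.
        buffer_out = ctypes.create_string_buffer(int(blob_out.cbData))
        ctypes.memmove(buffer_out, blob_out.pbData, blob_out.cbData)
    finally:
        # The original used map(LocalFree, [...]); map is lazy in Python 3,
        # so nothing was ever freed. Iterate explicitly.
        for handle in (desc, blob_out.pbData):
            kernel32.LocalFree(handle)

    # .raw, not .value: .value stops at the first NUL byte, which silently
    # truncates binary plaintext (such as a random key containing 0x00).
    return description, buffer_out.raw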
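# File paths and the query selecting the cookies of interest.
sql_query = "select name,encrypted_value from cookies where (host_key='.nicovideo.jp' or host_key='jk.nicovideo.jp' or host_key='.jk.nicovideo.jp') and path='/' and not is_secure and (name='nicosid' or name='user_session' or name='nickname')"
chrome_cookies = r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies"
chrome_local_state = r"%LOCALAPPDATA%\Google\Chrome\User Data\Local State"

# Read the encrypted cookie rows from the SQLite store. try/finally so the
# connection is released even when the query raises.
con = sqlite3.connect(path.expandvars(chrome_cookies))
try:
    nico_cookies = con.execute(sql_query).fetchall()
finally:
    con.close()

# Fetch the AES key from 'Local State'. The value is base64; the decoded
# bytes carry a 5-byte 'DPAPI' prefix ahead of the DPAPI-protected key.
# Explicit UTF-8: the default text encoding is locale-dependent on Windows.
with open(path.expandvars(chrome_local_state), 'r', encoding='utf-8') as f:
    encrypted_key = json.load(f)["os_crypt"]["encrypted_key"]
_, aes_key = crypt_unprotect_data(base64.b64decode(encrypted_key)[5:])

# Left-pad with zero bytes if the unprotected key came back shorter than
# 32 bytes. The original author was unsure whether this is correct; with a
# full-length key it is a no-op.
aes_key = aes_key.rjust(32, b'\x00')
# NOTE(review): this writes key material to stdout; drop once debugging is done.
print('AES Key:', aes_key.hex())

# Decrypt each cookie with AES-256-GCM and print it.
# encrypted_value layout: 'v10' + nonce[12] + ciphertext + tag[16].
V10_PREFIX = b'v10'
NONCE_LEN = 12
TAG_LEN = 16
for name, encrypted_value in nico_cookies:
    if not encrypted_value.startswith(V10_PREFIX):
        continue  # values with another prefix are skipped, as in the original
    payload = encrypted_value[len(V10_PREFIX):]
    nonce = payload[:NONCE_LEN]
    body = payload[NONCE_LEN:-TAG_LEN]
    tag = payload[-TAG_LEN:]
    aes = AES.new(aes_key, AES.MODE_GCM, nonce)
    # decrypt_and_verify raises ValueError if the tag does not match.
    data = aes.decrypt_and_verify(body, tag)
    print(f"{name}: {data.decode('utf-8')}")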