Web browsers
MITRE ATT&CK™ Sub-technique T1555.003

Theory

Just like other common programs and applications, most web browsers offer "credential saving" features allowing users to access restricted resources without supplying a username and password every time. The downside of this kind of features is that attackers that have access to the storage of these browsers can potentially extract those credentials and use them for credentials spraying, stuffing, and so forth.

Practice

The LaZagne (Python) project is a go-to reference from browser credentials dumping (among other awesome dumping features).
1
laZagne browsers
Copied!
There are other tools and modules that allow to operate browser credential dumping attacks like metasploit's post/multi/gather/firefox_creds and post/windows/gather/enum_chrome modules, firefox decrypt (Python) and chrome decrypter (Python). On Windows systems, browsers like Chrome, Brave and Opera rely on Windows's DPAPI to store credentials. Mimikatz (C) can then be used (e.g. dpapi::chrome).

Resources

GitHub - AlessandroZ/LaZagne: Credentials recovery project
GitHub
Last modified 2mo ago
Copy link