dissect.target 3.17.dev31__py3-none-any.whl → 3.17.dev33__py3-none-any.whl

dissect/target/plugins/apps/browser/chromium.py

@@ -1,3 +1,4 @@
+import base64
 import itertools
 import json
 from collections import defaultdict
@@ -12,17 +13,28 @@ from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.fsutil import TargetPath, join
 from dissect.target.helpers.record import create_extended_descriptor
-from dissect.target.plugin import export
+from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.apps.browser.browser import (
     GENERIC_COOKIE_FIELDS,
     GENERIC_DOWNLOAD_RECORD_FIELDS,
     GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
     try_idna,
 )
 from dissect.target.plugins.general.users import UserDetails
 
+try:
+    from Crypto.Cipher import AES
+    from Crypto.Protocol.KDF import PBKDF2
+
+    HAS_CRYPTO = True
+
+except ImportError:
+    HAS_CRYPTO = False
+
+
 CHROMIUM_DOWNLOAD_RECORD_FIELDS = [
     ("uri", "tab_url"),
     ("uri", "tab_referrer_url"),
@@ -51,6 +63,10 @@ class ChromiumMixin:
         "browser/chromium/extension", GENERIC_EXTENSION_RECORD_FIELDS
     )
 
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/chromium/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     def _build_userdirs(self, hist_paths: list[str]) -> list[tuple[UserDetails, TargetPath]]:
         """Join the selected browser dirs with the user home path.
 
@@ -65,12 +81,14 @@ class ChromiumMixin:
             for d in hist_paths:
                 cur_dir: TargetPath = user_details.home_path.joinpath(d)
                 cur_dir = cur_dir.resolve()
-                if not cur_dir.exists() or (user_details.user, cur_dir) in users_dirs:
+                if not cur_dir.exists() or (user_details, cur_dir) in users_dirs:
                     continue
-                users_dirs.append((user_details.user, cur_dir))
+                users_dirs.append((user_details, cur_dir))
         return users_dirs
 
-    def _iter_db(self, filename: str, subdirs: Optional[list[str]] = None) -> Iterator[SQLite3]:
+    def _iter_db(
+        self, filename: str, subdirs: Optional[list[str]] = None
+    ) -> Iterator[tuple[UserDetails, TargetPath, SQLite3]]:
         """Generate a connection to a sqlite database file.
 
         Args:
@@ -98,9 +116,9 @@ class ChromiumMixin:
             except SQLError as e:
                 self.target.log.warning("Could not open %s file: %s", filename, db_file, exc_info=e)
 
-    def _iter_json(self, filename: str) -> Iterator[tuple[str, TargetPath, dict]]:
+    def _iter_json(self, filename: str) -> Iterator[tuple[UserDetails, TargetPath, dict]]:
         """Iterate over all JSON files in the user directories, yielding a tuple
-        of user name, JSON file path, and the parsed JSON data.
+        of username, JSON file path, and the parsed JSON data.
 
         Args:
             filename (str): The name of the JSON file to search for in each
@@ -120,7 +138,7 @@ class ChromiumMixin:
                 self.target.log.warning("Could not find %s file: %s", filename, json_file)
 
     def check_compatible(self) -> None:
-        if not len(self._build_userdirs(self.DIRS)):
+        if not self._build_userdirs(self.DIRS):
             raise UnsupportedPluginError("No Chromium-based browser directories found")
 
     def history(self, browser_name: Optional[str] = None) -> Iterator[BrowserHistoryRecord]:
@@ -179,7 +197,7 @@ class ChromiumMixin:
                         from_url=try_idna(from_url.url) if from_url else None,
                         source=db_file,
                         _target=self.target,
-                        _user=user,
+                        _user=user.user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
@@ -205,14 +223,48 @@ class ChromiumMixin:
                 same_site (bool): Cookie same site flag.
         """
         for user, db_file, db in self._iter_db("Cookies", subdirs=["Network"]):
+            decrypted_key = None
+
+            if self.target.os == OperatingSystem.WINDOWS.value:
+                try:
+                    local_state_parent = db_file.parent.parent
+                    if db_file.parent.name == "Network":
+                        local_state_parent = local_state_parent.parent
+                    local_state_path = local_state_parent.joinpath("Local State")
+
+                    decrypted_key = self._get_local_state_key(local_state_path, user.user.name)
+                except ValueError:
+                    self.target.log.warning("Failed to decrypt local state key")
+
             try:
                 for cookie in db.table("cookies").rows():
+                    cookie_value = cookie.value
+
+                    if (
+                        not cookie_value
+                        and decrypted_key
+                        and (enc_value := cookie.get("encrypted_value"))
+                        and enc_value.startswith(b"v10")
+                    ):
+                        try:
+                            if self.target.os == OperatingSystem.LINUX.value:
+                                cookie_value = decrypt_v10(enc_value)
+                            elif self.target.os == OperatingSystem.WINDOWS.value:
+                                cookie_value = decrypt_v10_2(enc_value, decrypted_key)
+                        except (ValueError, UnicodeDecodeError):
+                            pass
+
+                    if not cookie_value:
+                        self.target.log.warning(
+                            "Failed to decrypt cookie value for %s %s", cookie.host_key, cookie.name
+                        )
+
                     yield self.BrowserCookieRecord(
                         ts_created=webkittimestamp(cookie.creation_utc),
                         ts_last_accessed=webkittimestamp(cookie.last_access_utc),
                         browser=browser_name,
                         name=cookie.name,
-                        value=cookie.value,
+                        value=cookie_value,
                         host=cookie.host_key,
                         path=cookie.path,
                         expiry=int(cookie.has_expires),
@@ -220,7 +272,7 @@ class ChromiumMixin:
                         is_http_only=bool(cookie.is_httponly),
                         same_site=bool(cookie.samesite),
                         source=db_file,
-                        _user=user,
+                        _user=user.user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing cookie file: %s", db_file, exc_info=e)
@@ -280,7 +332,7 @@ class ChromiumMixin:
                         state=row.get("state"),
                         source=db_file,
                         _target=self.target,
-                        _user=user,
+                        _user=user.user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
@@ -366,11 +418,135 @@ class ChromiumMixin:
                             manifest_version=manifest_version,
                             source=json_file,
                             _target=self.target,
-                            _user=user,
+                            _user=user.user,
                         )
                 except (AttributeError, KeyError) as e:
                     self.target.log.info("No browser extensions found in: %s", json_file, exc_info=e)
 
+    def _get_local_state_key(self, local_state_path: TargetPath, username: str) -> Optional[bytes]:
+        """Get the Chromium ``os_crypt`` ``encrypted_key`` and decrypt it using DPAPI."""
+
+        if not local_state_path.exists():
+            self.target.log.warning("File %s does not exist.", local_state_path)
+            return None
+
+        try:
+            local_state_conf = json.loads(local_state_path.read_text())
+        except json.JSONDecodeError:
+            self.target.log.warning("File %s does not contain valid JSON.", local_state_path)
+            return None
+
+        if "os_crypt" not in local_state_conf:
+            self.target.log.warning(
+                "File %s does not contain os_crypt, Chrome is likely older than v80.", local_state_path
+            )
+            return None
+
+        encrypted_key = base64.b64decode(local_state_conf["os_crypt"]["encrypted_key"])[5:]
+        decrypted_key = self.target.dpapi.decrypt_user_blob(encrypted_key, username)
+        return decrypted_key
+
+    def passwords(self, browser_name: str = None) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records from Chromium browsers.
+
+        Chromium on Linux has ``basic``, ``gnome`` and ``kwallet`` methods for password storage:
+            - ``basic`` ciphertext prefixed with ``v10`` and encrypted with hard coded parameters.
+            - ``gnome`` and ``kwallet`` ciphertext prefixed with ``v11`` which is not implemented (yet).
+
+        Chromium on Windows uses DPAPI user encryption.
+
+        The SHA1 hash of the user's password or the plaintext password is required to decrypt passwords
+        when dealing with encrypted passwords created with Chromium v80 (February 2020) and newer.
+
+        You can supply a SHA1 hash or plaintext password using the keychain.
+
+        Resources:
+            - https://chromium.googlesource.com/chromium/src/+/master/docs/linux/password_storage.md
+            - https://chromium.googlesource.com/chromium/src/+/master/components/os_crypt/sync/os_crypt_linux.cc#40
+        """
+
+        for user, db_file, db in self._iter_db("Login Data"):
+            decrypted_key = None
+
+            if self.target.os == OperatingSystem.WINDOWS.value:
+                try:
+                    local_state_path = db_file.parent.parent.joinpath("Local State")
+                    decrypted_key = self._get_local_state_key(local_state_path, user.user.name)
+                except ValueError:
+                    self.target.log.warning("Failed to decrypt local state key")
+
+            for row in db.table("logins").rows():
+                encrypted_password: bytes = row.password_value
+                decrypted_password = None
+
+                # 1. Windows DPAPI encrypted password. Chrome > 80
+                #    For passwords saved after Chromium v80, we have to use DPAPI to decrypt the AES key
+                #    stored by Chromium to encrypt and decrypt passwords.
+                if self.target.os == OperatingSystem.WINDOWS.value and encrypted_password.startswith(b"v10"):
+                    if not decrypted_key:
+                        self.target.log.warning("Cannot decrypt password, no decrypted_key could be calculated")
+
+                    else:
+                        try:
+                            decrypted_password = decrypt_v10_2(encrypted_password, decrypted_key)
+                        except Exception as e:
+                            self.target.log.warning("Failed to decrypt AES Chromium password")
+                            self.target.log.debug("", exc_info=e)
+
+                # 2. Windows DPAPI encrypted password. Chrome < 80
+                #    For passwords saved before Chromium v80, we use DPAPI directly for each entry.
+                elif self.target.os == OperatingSystem.WINDOWS.value and encrypted_password.startswith(
+                    b"\x01\x00\x00\x00"
+                ):
+                    try:
+                        decrypted_password = self.target.dpapi.decrypt_blob(encrypted_password)
+                    except ValueError as e:
+                        self.target.log.warning("Failed to decrypt DPAPI Chromium password")
+                        self.target.log.debug("", exc_info=e)
+                    except UnsupportedPluginError as e:
+                        self.target.log.warning("Target is missing required registry keys for DPAPI")
+                        self.target.log.debug("", exc_info=e)
+
+                # 3. Linux 'basic' v10 encrypted password.
+                elif self.target.os != OperatingSystem.WINDOWS.value and encrypted_password.startswith(b"v10"):
+                    try:
+                        decrypted_password = decrypt_v10(encrypted_password)
+                    except Exception as e:
+                        self.target.log.warning("Failed to decrypt AES Chromium password")
+                        self.target.log.debug("", exc_info=e)
+
+                # 4. Linux 'gnome' or 'kwallet' encrypted password.
+                elif self.target.os != OperatingSystem.WINDOWS.value and encrypted_password.startswith(b"v11"):
+                    self.target.log.warning(
+                        "Unable to decrypt %s password in '%s': unsupported format", browser_name, db_file
+                    )
+
+                # 5. Unsupported.
+                else:
+                    prefix = encrypted_password[:10]
+                    self.target.log.warning(
+                        "Unsupported %s encrypted password found in '%s' with prefix '%s'",
+                        browser_name,
+                        db_file,
+                        prefix,
+                    )
+
+                yield self.BrowserPasswordRecord(
+                    ts_created=webkittimestamp(row.date_created),
+                    ts_last_used=webkittimestamp(row.date_last_used),
+                    ts_last_changed=webkittimestamp(row.date_password_modified or 0),
+                    browser=browser_name,
+                    id=row.id,
+                    url=row.origin_url,
+                    encrypted_username=None,
+                    encrypted_password=base64.b64encode(row.password_value),
+                    decrypted_username=row.username_value,
+                    decrypted_password=decrypted_password,
+                    source=db_file,
+                    _target=self.target,
+                    _user=user.user,
+                )
+
 
 class ChromiumPlugin(ChromiumMixin, BrowserPlugin):
     """Chromium browser plugin."""
@@ -405,3 +581,49 @@ class ChromiumPlugin(ChromiumMixin, BrowserPlugin):
     def extensions(self) -> Iterator[ChromiumMixin.BrowserExtensionRecord]:
         """Return browser extension records for Chromium browser."""
         yield from super().extensions("chromium")
+
+    @export(record=ChromiumMixin.BrowserPasswordRecord)
+    def passwords(self) -> Iterator[ChromiumMixin.BrowserPasswordRecord]:
+        """Return browser password records for Chromium browser."""
+        yield from super().passwords("chromium")
+
+
+def remove_padding(decrypted: bytes) -> bytes:
+    number_of_padding_bytes = decrypted[-1]
+    return decrypted[:-number_of_padding_bytes]
+
+
+def decrypt_v10(encrypted_password: bytes) -> str:
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency for AES operation")
+
+    encrypted_password = encrypted_password[3:]
+
+    salt = b"saltysalt"
+    iv = b" " * 16
+    pbkdf_password = "peanuts"
+
+    key = PBKDF2(pbkdf_password, salt, 16, 1)
+    cipher = AES.new(key, AES.MODE_CBC, IV=iv)
+
+    decrypted = cipher.decrypt(encrypted_password)
+    return remove_padding(decrypted).decode()
+
+
+def decrypt_v10_2(encrypted_password: bytes, key: bytes) -> str:
+    """
+    struct chrome_pass {
+        byte signature[3] = 'v10';
+        byte iv[12];
+        byte ciphertext[EOF];
+    }
+    """
+
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency for AES operation")
+
+    iv = encrypted_password[3:15]
+    ciphertext = encrypted_password[15:]
+    cipher = AES.new(key, AES.MODE_GCM, iv)
+    plaintext = cipher.decrypt(ciphertext)
+    return plaintext[:-16].decode(errors="backslashreplace")

dissect/target/plugins/apps/browser/edge.py

@@ -8,6 +8,7 @@ from dissect.target.plugins.apps.browser.browser import (
     GENERIC_DOWNLOAD_RECORD_FIELDS,
     GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
 )
 from dissect.target.plugins.apps.browser.chromium import (
@@ -47,6 +48,10 @@ class EdgePlugin(ChromiumMixin, BrowserPlugin):
         "browser/edge/extension", GENERIC_EXTENSION_RECORD_FIELDS
     )
 
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/edge/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     @export(record=BrowserHistoryRecord)
     def history(self) -> Iterator[BrowserHistoryRecord]:
         """Return browser history records for Microsoft Edge."""
@@ -66,3 +71,8 @@ class EdgePlugin(ChromiumMixin, BrowserPlugin):
     def extensions(self) -> Iterator[BrowserExtensionRecord]:
         """Return browser extension records for Microsoft Edge."""
         yield from super().extensions("edge")
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records for Microsoft Edge."""
+        yield from super().passwords("edge")