dissect.target.plugins.apps.browser.chromium

Module Contents

Classes

ChromiumMixin

Mixin class with methods for Chromium-based browsers.

ChromiumPlugin

Chromium browser plugin.

ChromiumKeys

Contains decrypted Chromium-variant encryption keys.

Functions

decrypt_v10_linux

Decrypt a version 10 Linux ciphertext.

decrypt_v10_windows

Decrypt a version 10 Windows ciphertext using key os_crypt_key.

decrypt_v20_windows

Decrypt a version 20 ciphertext using App Bound Encryption (app_bound_key).

decrypt_v11_linux

Decrypt Linux GNOME or Kwallet encrypted passwords. Currently not implemented.

decrypt_dpapi

Decrypt a DPAPI user blob for Windows-based Chromium installs.

decrypt_unsupported

Attributes

dissect.target.plugins.apps.browser.chromium.HAS_CRYPTO = True
dissect.target.plugins.apps.browser.chromium.CHROMIUM_DOWNLOAD_RECORD_FIELDS = [('uri', 'tab_url'), ('uri', 'tab_referrer_url'), ('string', 'mime_type')]
dissect.target.plugins.apps.browser.chromium.elevation_def = Multiline-String
"""
struct Envelope {
    uint32  program_len;
    char    program[program_len];
    uint32  ciphertext_len;
    char    ciphertext[ciphertext_len]; // basically until EOF
};
struct GoogleChromeCipher {
    uint8   flag;                       // 0x01 = AES GCM, 0x02 = ChaCha20 Poly1305
    char    iv[12];
    char    ciphertext[32];
    char    mac_tag[16];
};
"""
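As an added example (not code from dissect.target), the two structures above can be parsed with the standard library's struct module; little-endian byte order is an assumption (the definition states none), and the sample blob in the test is constructed.

```python
import struct

# Flag values named in the GoogleChromeCipher definition above.
FLAG_AES_GCM = 0x01
FLAG_CHACHA20_POLY1305 = 0x02

# Little-endian is an assumption (dissect.cstruct's default); the definition
# above does not state a byte order.
CIPHER_LAYOUT = "<B12s32s16s"  # flag, iv[12], ciphertext[32], mac_tag[16]
CIPHER_SIZE = struct.calcsize(CIPHER_LAYOUT)  # 61 bytes


def parse_envelope(blob: bytes) -> dict:
    """Parse Envelope: uint32 program_len, program, uint32 ciphertext_len, ciphertext.

    Each length is checked against the blob before slicing, so a truncated or
    tampered blob raises ValueError rather than silently yielding short fields.
    """
    if len(blob) < 4:
        raise ValueError("blob truncated before program_len")
    (program_len,) = struct.unpack_from("<I", blob, 0)
    offset = 4
    if program_len > len(blob) - offset - 4:
        raise ValueError("program_len exceeds blob size")
    program = blob[offset:offset + program_len]
    offset += program_len
    (ciphertext_len,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    rest = blob[offset:]
    if ciphertext_len > len(rest):
        raise ValueError("ciphertext_len exceeds remaining bytes")
    # The definition says the ciphertext runs "basically until EOF": honour the
    # declared length and hand back any trailing bytes separately.
    return {"program": program, "ciphertext": rest[:ciphertext_len], "trailing": rest[ciphertext_len:]}


def parse_google_chrome_cipher(data: bytes) -> dict:
    """Parse GoogleChromeCipher: flag, iv[12], ciphertext[32], mac_tag[16]."""
    if len(data) < CIPHER_SIZE:
        raise ValueError("GoogleChromeCipher truncated")
    flag, iv, ciphertext, mac_tag = struct.unpack_from(CIPHER_LAYOUT, data, 0)
    if flag not in (FLAG_AES_GCM, FLAG_CHACHA20_POLY1305):
        raise ValueError(f"unknown cipher flag 0x{flag:02x}")
    return {"flag": flag, "iv": iv, "ciphertext": ciphertext, "mac_tag": mac_tag}


def build_envelope(program: bytes, cipher: bytes) -> bytes:
    """Inverse of parse_envelope; used here only to construct sample blobs."""
    return struct.pack("<I", len(program)) + program + struct.pack("<I", len(cipher)) + cipher
```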
dissect.target.plugins.apps.browser.chromium.c_elevation
dissect.target.plugins.apps.browser.chromium.DOWNLOAD_STATES
class dissect.target.plugins.apps.browser.chromium.ChromiumMixin(target: dissect.target.target.Target)

Mixin class with methods for Chromium-based browsers.

DIRS = ()
BrowserHistoryRecord
BrowserCookieRecord
BrowserDownloadRecord
BrowserExtensionRecord
BrowserPasswordRecord
userdirs
check_compatible() -> None
history(browser_name: str | None = None) -> collections.abc.Iterator[BrowserHistoryRecord]

Return browser history records from supported Chromium-based browsers.

Parameters:

browser_name – The name of the browser as a string.

Yields:

Records with the following fields:
    ts (datetime): Visit timestamp.
    browser (string): The browser from which the records are generated.
    id (string): Record ID.
    url (uri): History URL.
    title (string): Page title.
    description (string): Page description.
    host (string): Hostname.
    visit_type (varint): Visit type.
    visit_count (varint): Number of visits.
    hidden (string): Hidden value.
    typed (boolean): Typed value.
    session (varint): Session value.
    from_visit (varint): Record ID of the "from" visit.
    from_url (uri): URL of the "from" visit.
    source (path): The source file of the history record.
cookies(browser_name: str | None = None) -> collections.abc.Iterator[BrowserCookieRecord]

Return browser cookie records from supported Chromium-based browsers.

Attempts to decrypt cookie values where possible.

Parameters:

browser_name – The name of the browser as a string.

Yields:

Records with the following fields:
    ts_created (datetime): Cookie created timestamp.
    ts_last_accessed (datetime): Cookie last accessed timestamp.
    browser (string): The browser from which the records are generated.
    name (string): The cookie name.
    value (string): The cookie value.
    host (string): Cookie host key.
    path (string): Cookie path.
    expiry (varint): Cookie expiry.
    is_secure (bool): Cookie secure flag.
    is_http_only (bool): Cookie HTTP-only flag.
    same_site (bool): Cookie SameSite flag.
downloads(browser_name: str | None = None) -> collections.abc.Iterator[BrowserDownloadRecord]

Return browser download records from supported Chromium-based browsers.

Parameters:

browser_name – The name of the browser as a string.

Yields:

Records with the following fields:
    ts_start (datetime): Download start timestamp.
    ts_end (datetime): Download end timestamp.
    browser (string): The browser from which the records are generated.
    id (string): Record ID.
    path (string): Download path.
    url (uri): Download URL.
    tab_url (string): Tab URL.
    tab_referrer_url (string): Referrer URL.
    size (varint): Download file size.
    mime_type (string): MIME type.
    state (varint): Download state number.
    source (path): The source file of the download record.
extensions(browser_name: str | None = None) -> collections.abc.Iterator[BrowserExtensionRecord]

Iterates over all installed extensions for a given browser.

Parameters:

browser_name (str) – Name of the browser to scan for extensions.

Yields:

Records with the following fields:
    ts_install (datetime): Extension install timestamp.
    ts_update (datetime): Extension update timestamp.
    browser (string): The browser from which the records are generated.
    id (string): Extension unique identifier.
    name (string): Name of the extension.
    short_name (string): Short name of the extension.
    default_title (string): Default title of the extension.
    description (string): Description of the extension.
    version (string): Version of the extension.
    ext_path (path): Relative path of the extension.
    from_webstore (boolean): Whether the extension was installed from the webstore.
    permissions (string[]): Permissions of the extension.
    manifest (varint): Version of the extension's manifest.
    source (path): The source file of the extension record.
passwords(browser_name: str | None = None) -> collections.abc.Iterator[BrowserPasswordRecord]

Return browser password records from Chromium browsers.

Chromium on Linux has basic, gnome and kwallet methods for password storage:
  • basic: ciphertext prefixed with v10 and encrypted with hard-coded parameters.

  • gnome and kwallet: ciphertext prefixed with v11, which is not implemented (yet).

Chromium on Windows uses DPAPI user encryption with varying methods of encryption (v10 and v20).

The SHA1 hash of the user's password, or the plaintext password, is required to decrypt passwords created with Chromium v80 (February 2020) and newer (v10).

Supports decrypting Windows App Bound Encryption passwords from Google Chrome and Microsoft Edge (v20).

You can supply a SHA1 hash or plaintext password using the keychain (-Kv or -K).


decryption_keys(local_state_path: pathlib.Path, username: str) -> ChromiumKeys

Return the decrypted Chromium os_crypt.encrypted_key and os_crypt.app_bound_encrypted_key values.

Used by ChromiumMixin.passwords() and ChromiumMixin.cookies() for Windows targets.


decrypt_value(user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes) -> bytes

Attempt to decrypt the given encrypted bytes.

class dissect.target.plugins.apps.browser.chromium.ChromiumPlugin(target: dissect.target.target.Target)

Bases: ChromiumMixin, dissect.target.plugins.apps.browser.browser.BrowserPlugin

Chromium browser plugin.

__namespace__ = 'chromium'

Defines the plugin namespace.

DIRS = ('.config/chromium/Default', '.var/app/org.chromium.Chromium/config/chromium/Default',...
history() -> collections.abc.Iterator[ChromiumMixin]

Return browser history records for Chromium browser.

cookies() -> collections.abc.Iterator[ChromiumMixin]

Return browser cookie records for Chromium browser.

downloads() -> collections.abc.Iterator[ChromiumMixin]

Return browser download records for Chromium browser.

extensions() -> collections.abc.Iterator[ChromiumMixin]

Return browser extension records for Chromium browser.

passwords() -> collections.abc.Iterator[ChromiumMixin]

Return browser password records for Chromium browser.

class dissect.target.plugins.apps.browser.chromium.ChromiumKeys

Contains decrypted Chromium-variant encryption keys.

os_crypt_key: bytes | None = None

Windows Chromium version 80 and up for b"v10" ciphertexts.

app_bound_key: bytes | None = None

Windows Google Chrome and Microsoft Edge versions 127 and up for b"v20" ciphertexts.

dissect.target.plugins.apps.browser.chromium.decrypt_v10_linux(target: dissect.target.target.Target, user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes, *, hardcoded_key: str = 'peanuts') -> bytes | None

Decrypt a version 10 Linux ciphertext.

v10 ciphertexts are encrypted with AES-CBC, using a key derived with PBKDF2 from the static string peanuts (or an empty string) and the salt saltysalt, an IV of 0x20 * 16, and PKCS7 padding.

Parameters:

encrypted – The encrypted bytes.

Returns:

Decrypted password bytes, or None if the ciphertext could not be decrypted.


dissect.target.plugins.apps.browser.chromium.decrypt_v10_windows(target: dissect.target.target.Target, user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes) -> bytes | None

Decrypt a version 10 Windows ciphertext using key os_crypt_key.

v10 variant 2 (Windows-specific) ciphertexts can be decrypted using a derived AES GCM key called os_crypt_key stored in an encrypted form in Local State files.

The IV is prepended to the ciphertext as described in the structure definition below.


struct chrome_pass {
    byte signature[3] = 'v10';
    byte iv[12];
    byte ciphertext[EOF];
}
Parameters:
  • encrypted – Ciphertext bytes in the chrome_pass layout above.

  • keys – ChromiumKeys holding the os_crypt_key used for decryption.

Returns:

Decrypted password string.

dissect.target.plugins.apps.browser.chromium.decrypt_v20_windows(target: dissect.target.target.Target, user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes) -> bytes | None

Decrypt a version 20 ciphertext using App Bound Encryption (app_bound_key).

v20 (Windows) ciphertexts can be decrypted using a derived AES GCM key called app_bound_key stored in a double or triple encrypted form in Local State files.

The IV and a MAC-tag for verification are stored in the ciphertext blob as can be observed in the structure definition below.


struct chrome_pass {
    byte flag[3] = 'v20';
    byte iv[12];
    byte ciphertext[...];
    byte mac_tag[16];
};
Parameters:
  • encrypted – Ciphertext in the structured layout above: flag, iv, ciphertext and mac_tag.

  • keys – ChromiumKeys holding the AES GCM app_bound_key used for decryption.

Returns:

Decrypted plaintext.

dissect.target.plugins.apps.browser.chromium.decrypt_v11_linux(target: dissect.target.target.Target, user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes) -> None

Decrypt Linux GNOME or Kwallet encrypted passwords. Currently not implemented.

dissect.target.plugins.apps.browser.chromium.decrypt_dpapi(target: dissect.target.target.Target, user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes) -> bytes | None

Decrypt a DPAPI user blob for Windows-based Chromium installs.

Chromium on Windows prior to version 80 encrypts passwords using user DPAPI master keys.

They can be decrypted directly by utilizing the DPAPI plugin.


dissect.target.plugins.apps.browser.chromium.decrypt_unsupported(target: dissect.target.target.Target, user: dissect.target.plugins.general.users.UserDetails, keys: ChromiumKeys, encrypted: bytes) -> None