0

I accidentally cleaned my Chrome passwords with some 3rd-party software (yes, I know - I'm a genius!). I've never synced the passwords online. Still, it seems that the data exists in the "Login Data" file ( %LocalAppData%\Google\Chrome\User Data\Default\Login Data ). The good thing is that I'm still on this machine and Windows profile, so I have the credentials and key to decrypt files with CryptProtectData (that's what I understood from other topics). This was the major issue when other people had a similar question - they didn't have access to their original Chrome and Windows profile where the "Login Data" file came from.

a) I can see plain-text URLs and logins in the "Login Data" file

b) I could recover a small part of the passwords with (DPAPI DataProtectionDecryptor v1.10) https://www.nirsoft.net/utils/dpapi_data_decryptor.html (screenshots attached)

BUT - on one hand I have just logins and URLs in a large file ("Login Data"); on the other hand I decrypted a few, but not related to logins or URLs ...

I tried also other software:

a) DB Browser for SQLite (1 password retrieved because I added a new pass, not being aware that they were deleted) - so it's from the "new" clean database

b) ChromePass v1.52 https://www.nirsoft.net/utils/chromepass.html

c) WebBrowserPassView v2.07 https://www.nirsoft.net/utils/web_browser_password.html

The software also sees only the new password, even when I try different settings.

Helpful topics that I'm not able to understand technically:

https://www.thepythoncode.com/article/extract-chrome-passwords-python

How does Google Chrome store passwords?

Where are Google chrome passwords stored in windows?

Google Chrome. How to restore passwords from profile folder?

https://stackoverflow.com/questions/36300837/decrypt-master-password-of-windows-api-cryptprotectdata-presumably

I've read other topics on this matter but still cannot figure it out (I'm NOT a developer). I cannot code but I understand some of it. I don't have servers installed, and I'm not on Linux, so please try not to paste lines of code in Python for the answer.

Attached images:

Lots of passwords in password decryptor failed to decrypt

Even when it's decrypted I don't know what's the login and what's the URL

My DPAPI configuration

I can see data in "Login Data" file but I have no idea how to extract them and connect with decrypted passwords

Thank you in advance! M.

2 Answers

1

Use This Tool: HackBrowserData

You can recover your passwords using this tool: HackBrowserData

Hack-browser-data is an open-source tool that could help you decrypt data ( passwords|bookmarks|cookies|history ) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux. This will decrypt your passwords and will store them in a simple .CSV file.

Statement: This tool is limited to security research only, and the user assumes all legal and related responsibilities arising from its use! The author assumes no legal responsibility!

Supported Browser

Windows
Browser Password Cookie Bookmark History
Google Chrome
Google Chrome Beta
Firefox
Microsoft Edge
360 Speed Browser
QQ Browser
Brave Browser
Opera Browser
OperaGX Browser
Vivaldi Browser
Internet Explorer

Download

Windows-64bit

Run

You can double-click to run, or use command line.

0

I do not have enough reputation score to comment, but I think it could be good for the reader to know the following:

HackBrowserData will not work on a new machine on which you restored a backup of "Login Data".

You will also not be able to access your passwords in a Chrome launched on a new machine where you restored "Login Data".

I think it's a good thing, as it makes the job more complicated for a thief to recover all passwords from a stolen "Login Data" directory.

Next, here is for WH people, only for forensic and legal purposes: To recover your password from Chrome in these 2 situations (using or not HackBrowserData), you need to use the same Chrome version on the second machine (restoring /opt/google from the backup ?) and you also need to restore your keyring in which Chrome stores the encryption key of your "Login Data" files (so you need to know its password to unlock it and you need to restore it during an opened user session of the current user previously existing on the backed-up machine). To restore the whole session, you will also need to have an exact same transient hostname on the new machine and you will also need to 'hack' the Singleton protection (including its socket).

Kind regards nbanba
