Decrypt AES-encrypted Windows Chrome cookies [python]

Overview

Chrome on Windows has used AES to encrypt browser cookies since v80.

(Chrome cookies on Linux and macOS are not covered here. Below, "cookie" means a cookie of Chrome for Windows.)

Previously, cookies were encrypted using the Windows DPAPI (CryptUnprotectData in crypt32.dll), but cookies encrypted with the new method cannot be decrypted with the old method.

Apps that read the contents of Windows Chrome cookie files directly to log in to web services are affected by this change. (Example: Nico Live Comment Viewer)

The outline of the decryption procedure of the AES-encrypted cookie is shown below.

Location of cookies files in Windows Chrome

The default is as follows (same as before):

%userprofile%\appdata\local\google\chrome\user data\default\cookies

(It will change if you move the profile, reinstall Windows, change the google account, etc.)

Identification of AES-encrypted cookies

The encrypted cookie data begins with "0x01 00 00 00" → cookie encrypted by DPAPI

The encrypted cookie data begins with "v10" → AES-encrypted cookie

What you need for decryption

Decryption requires not only a key but also a value called a nonce.

Position / length of nonce

The nonce is the 12 bytes that start at the 4th byte of each encrypted cookie value, that is, immediately after the 3-byte prefix ('v10'). These bytes are used as they are.

Storage location of encrypted_key

By default, the key is encoded and encrypted and stored in the Local State file below.

%userprofile%\appdata\local\google\chrome\user data\local state

The contents of Local State are in JSON format. The encrypted key data is stored under ["os_crypt"] -> ["encrypted_key"].

Decryption of key

  1. Decode the encrypted_key value extracted from JSON (Local State file) with BASE64.
  2. Remove the first 5 bytes (prefix 'DPAPI') of the decoded data.
  3. Decrypt the data from step 2 with DPAPI. Decryption by DPAPI should use CryptUnprotectData of crypt32.dll, which is the same as the old method.

The length of the obtained key should be 256 bits (32 bytes).

You have now decrypted the key needed to decrypt the cookie.

Decryption of cookie data

The part of the encrypted cookie data after the first 15 bytes ('v10' + 12-byte nonce) is decrypted with 256-bit AES-GCM using the nonce and key obtained above.

In addition, the last 16 bytes of the decrypted data are removed.
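The layout described above, as an added example that is not taken from the linked repository: it classifies a cookie value, splits a "v10" value into nonce, ciphertext and the trailing 16 bytes (which AES-GCM uses as its authentication tag), and decrypts with tag verification so that a wrong key or a modified value raises an error instead of returning garbage. The function names are hypothetical, the key and cookie value are constructed test data, and the DPAPI step is left out, so the key is assumed to be already decrypted.

```python
import base64
import json

DPAPI_MAGIC = b"\x01\x00\x00\x00"   # start of a cookie value protected directly by DPAPI
V10 = b"v10"                        # start of an AES-GCM cookie value
NONCE_LEN, TAG_LEN = 12, 16         # tag = the trailing 16 bytes of the value

def unwrap_encrypted_key(local_state_text: str) -> bytes:
    """Key steps 1-2: base64-decode and strip 'DPAPI'. The result is still DPAPI-encrypted."""
    raw = base64.b64decode(json.loads(local_state_text)["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key does not start with 'DPAPI'")
    return raw[5:]

def split_cookie_blob(blob: bytes) -> dict:
    """Classify an encrypted cookie value; for v10, return nonce, ciphertext and tag."""
    if blob.startswith(DPAPI_MAGIC):
        return {"scheme": "dpapi"}
    if not blob.startswith(V10):
        return {"scheme": "unknown"}
    if len(blob) < len(V10) + NONCE_LEN + TAG_LEN:
        raise ValueError("v10 blob too short to hold a nonce and a tag")
    body = blob[len(V10):]
    return {"scheme": "aes-gcm", "nonce": body[:NONCE_LEN],
            "ciphertext": body[NONCE_LEN:-TAG_LEN], "tag": body[-TAG_LEN:]}

def decrypt_v10(blob: bytes, key: bytes) -> bytes:
    """Authenticated decryption: raises InvalidTag on a wrong key or a modified blob."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    parts = split_cookie_blob(blob)
    if parts["scheme"] != "aes-gcm":
        raise ValueError("not a v10 (AES-GCM) cookie value")
    if len(key) != 32:
        raise ValueError("key must be 32 bytes (256 bits)")
    # AESGCM.decrypt takes ciphertext with the tag appended and returns only the plaintext
    return AESGCM(key).decrypt(parts["nonce"], parts["ciphertext"] + parts["tag"], None)

def make_sample_blob(key: bytes, nonce: bytes, value: bytes) -> bytes:
    """Build a constructed v10 blob for testing (not real Chrome data)."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    return V10 + nonce + AESGCM(key).encrypt(nonce, value, None)

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(12)      # constructed values
    blob = make_sample_blob(key, nonce, b"session=abc123")
    print(split_cookie_blob(blob)["scheme"], decrypt_v10(blob, key))
```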

Implementation in Python

https://github.com/taizan-hokuto/chrome_cookie

I am using the cryptography library for AES-GCM. If cryptography is not installed, run pip install cryptography.

Python 3.7.4. Chrome version: confirmed to work with 80.0.3987.87 (Official Build) (64-bit).

