I am working on a PowerShell script for decrypting Chrome cookies stored in the local machine. According to the documentation related to Chrome 80+ versions, the encryption process at high level for cookies is divided in two main phases:
- Master key encryption
- Encryption of cookies
1- Master key with 32-byte random data is generated. Then it is encrypted using Windows DPAPI (“CryptProtectData”) function. To this encrypted key, it inserts signature “DPAPI” in the beginning for identification. Finally this key is encoded using Base64 and stored in “Local State” file in above “User Data” folder.
2- Chrome encrypts it using AES-256-GCM algorithm with the above master key and 12-byte random IV data. Finally, it inserts signature “v10” to the encrypted cookie and stores it in “Cookies” file.
The script currently produces, for a selected encrypted cookie, the signature (v10), IV and encrypted data.
Import-Module PSSQLite
Add-Type -Assembly System.Security
$ExtensionFile = "$($env:LOCALAPPDATA)\Google\Chrome\User Data\Local State"
$jsondata = Get-Content -Raw -Path $ExtensionFile | ConvertFrom-Json
#convert your key from base64 to a char array
$encKey = [System.Convert]::FromBase64String($jsondata.os_crypt.encrypted_key.ToString());
#remove the first 5 elements from the key array
#Write-Host "DPAPIEncryptedKey: $encKey"
$encKey= $encKey[5..$encKey.Length];
$decKey=[System.Security.Cryptography.ProtectedData]::Unprotect($encKey,$null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser);
$hexdecKey = ($decKey | ForEach-Object ToString X2) -join '' #Convert byte[] to hex
Write-Host "DPAPIDecryptedKey[HEX]: $hexdecKey"
Write-Host ""
$Database = "$($env:LOCALAPPDATA)\Google\Chrome\User Data\Default\Cookies"
$query = "SELECT * FROM cookies"
$encAll = (Invoke-SqliteQuery -DataSource $Database -Query $query | Where-Object {$_.host_key -eq "<host_key_name>" -and $_.name -eq "<field_name>"}).encrypted_value
Write-Host $encAll
[byte[]]$signature = $encAll[0..2]
[byte[]]$iv = $encAll[3..14]
[byte[]]$encData = $encAll[15..($encAll.Length-1-16)]
[byte[]]$auth_tag = $encAll[($encAll.Length-16)..($encAll.Length-1)]
Write-Host "SIGNATURE: $signature"
Write-Host "IV: $iv"
Write-Host "EncData: $encData"
Write-Host "Auth Tag: $auth_tag"
(just substitute <host_key_name> and <field_name> with the proper ones).
The next step should be decrypting $encData by using AES-256-GCM algorithm.
According to the GCM specifications, the decryption process is the following:
In my case, the input elements I have: Seq. [$iv]; Encrypted Data [$encData].
So, in the variable $encAll, where are the Authentication Tag ("ICV" in the image) and the Additional Authentication Data ("Header" in the image) specified for the Chrome cookie encryption/decryption process?
UPDATE: added auth_tag part by @topaco comment.
Is there a PowerShell module with functions/methods to decrypt by AES-256-GCM?
Sources:
https://xenarmor.com/how-to-recover-saved-passwords-google-chrome/
"The Galois/Counter Mode of Operation (GCM)", D. A. McGrew, J. Viega
