While talking with a client this morning, I started to get nerdy about passwords and password managers.  A few things I emphasized were that passwords should be unique across all logins, password managers should be used by everyone, and saving passwords in Chrome (and other browsers) is a risky proposition.  

I've actually wanted to write this up for a while now, but the conversation this morning motivated me to put pen to paper.  So here we are.

The actual time it took to root the box was just a few minutes; the setup took longer.  I wanted to have a Windows 10 Pro machine, fully patched, and running current antivirus.

As a side note, there's a misconception that antivirus will protect you.  Antivirus is a must, but it's trivial to get around, as you'll see in a moment.

I feel like this took a LOT longer than it should have:

After much waiting, my machine is running the latest and greatest updates.  We fire up BeEF to hook our victim:

Hopping over to my victim Windows 10 machine, I point to the malicious URL:

As you can see, I'm not trying to masquerade the site; the point is to show how simple it is to steal the credentials from Chrome.

On our attacking machine:

Our victim is connected to BeEF; now we need to build a Meterpreter shell using unicorn:

I'm going to send a popup to our victim asking them to install our bogus plugin:

On the victim machine, we see the popup:

Upon hitting "install missing plugin", our malicious download is pushed across:

Our victim chooses to run the malicious download, and our Metasploit session is already set up thanks to unicorn:

We catch our shell. 

At this point, we own the user on this box.  

But that's not why we're here -- we're here for Chrome credentials:

We point Metasploit to the session for the Chrome goodies:

Metasploit dumps everything into the loot folder and when we open the file with the credentials:

We find gold!

Yeah, yeah, I went to town hiding my info.  I trust you!  It's those other people who aren't trustworthy.  ;)

A couple of things I want to point out -- First, this system is running a solid antivirus program.  The antivirus software never even noticed the machine takeover.  Second, Windows 10, with its own protection mechanism, is also asleep at the wheel:

And let's not forget about Chrome -- we also managed to sneak around it as well.

As a final point, I'm sure someone is asking -- who would have clicked the link, who would have clicked the install plugin link, and finally, who would have hit run for the malicious download?  All of us.  I'm not immune to mistakes, and neither are any of us.  No matter how good our opsec, we are human and we make mistakes given the right situation.

The page above seems obvious, but I can dress it up, and further dress it up, and take it to a very convincing level.  Toss a screenshot of the Gmail login into the same page and all of a sudden we're taking that first step into dressing it up.

Change the popup to state something about a Google, Gmail, or Chrome plugin, and we're taking another step.  Register a domain, add an SSL certificate, another step.  It could be convincing!

If we stop saving passwords in the browser and move them into a password manager, we further complicate the process of password stealing.  This is also a good time to talk about Multi-Factor Authentication (MFA).  If someone steals your passwords but you have that second factor enabled, again, we're complicating the process.  The idea is to make the process as difficult as possible for the attacker.  There's a balance though -- we have to make it difficult for the attacker, but we also have to minimize the impact on conducting business.  The products we use add protection but keep the impact to business at a minimum, and I feel like we've found that balance.
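One way to enforce "stop saving passwords in the browser" on the kind of Windows 10 machine used above is Chrome's PasswordManagerEnabled policy. The script below is an added example, not part of the original post or any of the tools it mentions; it assumes the standard Windows policy registry path for Google Chrome and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): disable Chrome's built-in
# password manager via policy so Chrome neither offers to save passwords
# nor autofills them. Assumes the standard Chrome policy registry path
# and an elevated (Administrator) session.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Create the policy key if this machine has never had Chrome policies set.
if (-not (Test-Path $PolicyPath)) {
    New-Item -Path $PolicyPath -Force | Out-Null
}

# PasswordManagerEnabled = 0 turns off saving and autofill of passwords in Chrome.
New-ItemProperty -Path $PolicyPath -Name 'PasswordManagerEnabled' `
    -Value 0 -PropertyType DWord -Force | Out-Null

# Read the value back so the change is verified rather than assumed.
$Value = (Get-ItemProperty -Path $PolicyPath -Name 'PasswordManagerEnabled').PasswordManagerEnabled
if ($Value -eq 0) {
    Write-Output 'Chrome password manager policy: disabled (PasswordManagerEnabled = 0).'
} else {
    Write-Output "Unexpected value for PasswordManagerEnabled: $Value"
}
```

After running it, restart Chrome and confirm the policy shows as applied on chrome://policy. The policy stops new saves and autofill going forward; any passwords already stored in Chrome should be moved into the password manager and then deleted from Chrome, otherwise the existing store is still sitting on the box for a session like the one above to collect.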