Web browsers are inherently trusted by users. They are trained to trust websites which “have a padlock in the address bar” and that “have the correct name”, and this trust leads to users feeling comfortable entering their sensitive data into these websites. From an attacker's standpoint this trust is an amazing thing, as once you have compromised a user's workstation there is a process (with close to zero protections) handling a relatively large amount of sensitive data while being used a great deal by that user. Throw in password managers with browser extensions and you have a natural target for red teams.

General overview

So naturally when I found myself with some time to spend on a research project, I decided to spend it abusing this trust! The browser I decided to target was Google Chrome, the simple reason being that it has nearly a 70% market share of desktop browsers, so it is by far the most popular browser and therefore the obvious choice to target. Like most browsers Chrome uses a multi-process architecture (as can be seen below):

[image: Chrome's multi-process architecture]

The reason for this is both security and usability: it allows specific parts of the browser (such as the renderer) to be sandboxed while still allowing other parts of the browser to run without the limitations of the sandbox. Chrome is broken down into 7 different parts, with the most important being the network service, the storage service and the renderer. The network service does what it says on the tin… it handles communication with the internet and is therefore guaranteed to be in possession of the sensitive data we are after.

I know that I will be targeting Chrome running on Windows, and also that Windows has its own socket library called Winsock. So it is likely that Chrome will be using Winsock for its network communication. The majority of Chrome's code is stored inside chrome.dll, so loading that into IDA and looking at the xrefs to WSASend I can confirm that assumption. The only problem with this is that WSASend is only going to contain plaintext data when the user is connecting to sites without SSL enabled, which is not likely to be any of the sites we want to steal data from. So how can we get the same data, just as plaintext before it is encrypted? Let's just target the SSL encryption functions instead.
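A defender's counterpart to the hooking approach outlined above, added here as an example and not code from the original post: a small C check for the inline-hook trampolines that would have to be planted on WSASend (or on the SSL routines) inside the browser to read plaintext, run over constructed byte samples and, on Windows, over the live WSASend export of ws2_32.dll in the current process. The pattern list, the sample bytes and the function names are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#endif
/* Returns 1 when the first bytes of a function look like a hook trampoline
 * rather than a normal prologue.  Patterns checked (x86/x64):
 *   E9 rel32            jmp rel32         (classic 5-byte inline hook)
 *   FF 25 disp32        jmp [rip+disp32]  (absolute indirect jump)
 *   48 B8 imm64 FF E0   mov rax, imm64 ; jmp rax
 *   68 imm32 C3         push imm32 ; ret
 * Cheap but incomplete: diffing the in-memory bytes against the DLL's
 * on-disk image is the stronger check. */
int is_inline_hooked(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 1;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) return 1;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return 1;
    return 0;
}
/* Constructed samples (assumed byte sequences, not captured from a process). */
static const uint8_t SAMPLE_JMP_REL32[] = {0xE9, 0x10, 0x20, 0x30, 0x40, 0x90};
static const uint8_t SAMPLE_MOV_JMP_RAX[] = {0x48, 0xB8, 1, 2, 3, 4, 5, 6, 7, 8, 0xFF, 0xE0};
static const uint8_t SAMPLE_CLEAN_PROLOG[] = {0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20};
#ifdef _WIN32
/* Check the live WSASend export of ws2_32.dll in this process (for a browser
 * process, read the same 16 bytes with ReadProcessMemory). -1 = unresolved. */
static int check_wsasend(void)
{
    HMODULE ws2 = GetModuleHandleA("ws2_32.dll");
    if (!ws2) ws2 = LoadLibraryA("ws2_32.dll");
    const uint8_t *fn = ws2 ? (const uint8_t *)GetProcAddress(ws2, "WSASend") : NULL;
    return fn ? is_inline_hooked(fn, 16) : -1;
}
#endif
int main(void)
{
#ifdef _WIN32
    int r = check_wsasend();
    printf("WSASend: %s\n", r < 0 ? "unavailable" : r ? "HOOKED" : "clean");
#else
    printf("%d %d\n", is_inline_hooked(SAMPLE_JMP_REL32, 6), is_inline_hooked(SAMPLE_CLEAN_PROLOG, 10));
#endif
    return 0;
}
```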