Tuesday, June 6, 2017

How to extract password from the browser?

Hands up if there’s someone here who has NEVER EVER stored a password in a browser… Honestly, I don’t think such a human exists — we all did it at some point. So, how safe is it, really?



the different ways that passwords can be extracted from different kinds of browsers (Internet Explorer/Edge, Firefox or Chrome). If you are interested in how those passwords are stored, that’s a subject for you.
I would like to show you two types of browsers and how the password is stored. I would like to show you what the storage depends on. We will start with Edge. Since this is a relatively new browser in Windows 10, it’s important to know, whenever we are storing a password in Edge, where it is and how this is happening.

Storing password from the Edge

In Edge:
  • we go to Settings,
  • we go to Advanced Settings,
  • here you’ve got an option which is called Offer to save passwords,
  • And then you can go to Manage my saved passwords,
  • here, you’ve got information about the certain type of passwords being stored.
But obviously, we’ve got some little dots over here and that is actually quite interesting – it’s a P-@-s-s-w-0-r-d-#-1-2-3-!, so these dots correspond to the password. You can see basically what that is, more or less, by the number of letters, but we are not able to guess it at that moment. If you are wondering how to get those passwords, you can always go to Credential Manager and Web Credentials. Here you can see the password. Right now, I am authenticated, but normally you will be asked to provide the password over here.

How to extract password from the browser? Go to Manage Web Credentials

Let’s get into Manage Web Credentials and as you see, I got this one and that’s what I’m talking about. I’m gonna specify here, the password, and that’s the moment I’m able to see the password.
This access is clearly dependent on the current user’s password, and therefore it’s so important to take into consideration how this password is changed. For example, this machine that I’ve got right now is in a very, very special state because I have been playing with cached logon data and I’ve changed a user password illegally. Basically, I have changed the cached logon data (some people call it cached credentials), and then a user was able to log on with the password, in this case Mimikatz, for example; previously my password was just P-@-S-S-W-0-R-D.
How to prove this to you that this kind of data is dependent on your password? Of course, underneath, there’s a big Data Protection API platform that is managing the access to your secrets but since this is a very short tutorial, I think we can stop on that kind of explanation.

Using ChromePass

I also have here ChromePass. ChromePass, it’s a tool that you can get from Nirsoft, a very nice set of tools that you can download for free from the Nirsoft website.
I was mentioning previously that your passwords (like this in the browser) depend on your logon password. That may not always be the case. For example, you can have a root password or a master password. It’s the same story with Firefox. Firefox can do stuff like that too, but if we are not using those, then our logon password is the point of entry.

Master Key Containers

Over here, we’ve got ChromePass and I have a password of the user stored like that. As you can see here, the password is not really displayed and the question is: why is that?
And the answer to that is quite simple.
It is because, in such a scenario, I have played with that password change illegally. So when we are thinking about the Data Protection API, technically, if we get into C:\Users\Username\AppData\Roaming\Microsoft\Protect and then UserSID, then these little files (we should call them Master Key Containers) contain the master keys, which more or less are used to decrypt our secrets, passwords, etc. Master keys that are in those Master Key Containers are encrypted by the user’s password hash.
Effectively, when I played with the password and it’s no longer my password P@ssw0rd but it’s Mimikatz, then I’m not able to decrypt those. I’m unable to read this particular password. Now I’m going to turn on the network connectivity and connect to the domain controller.
What’s going to happen? Well, basically, that particular user will connect to the domain. Right now the network is on, so the only thing we can do is to log on with the password that is correct. Right now, I am logged on with the password that is Mimikatz, so I’m going to, simply speaking, log out and log on to the domain.
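To see the link between a protected secret and the Master Key Containers described above on your own machine, here is an added example (not from the original post). It assumes Windows PowerShell 5.1 running as the interactive user, uses a constructed sample secret, and relies on the publicly documented DPAPI blob header layout, which the post itself does not cover.

```powershell
# Added example: run as a normal user on Windows; it only touches your own profile.
Add-Type -AssemblyName System.Security

# 1. Protect a constructed sample secret with DPAPI in the current user's scope.
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-secret')
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blob   = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

# 2. A DPAPI blob begins with: version (4 bytes), provider GUID (16 bytes),
#    master key version (4 bytes), then the GUID of the master key used (16 bytes).
if ($blob.Length -lt 40) { throw 'Blob is too short to contain a DPAPI header.' }
$masterKeyGuid = [Guid]::new([byte[]]$blob[24..39])

# 3. Locate the Master Key Containers for the current user's SID.
$sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
if (-not (Test-Path -LiteralPath $protectDir)) {
    throw "No Protect folder found at $protectDir"
}

# The containers are hidden system files named after the master key GUID,
# so -Force is required to list them.
$containers = Get-ChildItem -LiteralPath $protectDir -Force -File |
    Where-Object { $_.Name -match '^[0-9a-fA-F-]{36}$' }

# Show every container and flag the one the sample blob refers to.
$containers | Select-Object Name, LastWriteTime,
    @{ Name = 'UsedForBlob'; Expression = { $_.Name -eq $masterKeyGuid.ToString() } }

# 4. Unprotect works only while the logon credential can still unlock that
#    container; otherwise DPAPI raises a CryptographicException.
try {
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    'Round trip OK: ' + [System.Text.Encoding]::UTF8.GetString($plain)
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect failed: $($_.Exception.Message)"
}
```

The `LastWriteTime` column is useful when reviewing a profile: a container created after a password change indicates which secrets were protected under the newer credential.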

Credential Manager works a little differently for Edge than for Chrome

I’m going to log on to the domain. Hopefully, this should all work out right now. We’ve got a password, P@ssw0rd. The next thing I will do is get into ChromePass, for example, and as you see, without any problem, I am able to see the user’s password.
What about the other password that I was playing with? So let’s get into Credential Manager for Web, and I got this stuff. Here, I will be providing the password. So we’ve got over here the P@ssw0rd#123! visible, but this one wasn’t visible before and it’s visible right now, which proves one little thing: that Credential Manager works a little differently for Edge than for Chrome.
Chrome, in this case, purely relies on the Data Protection API, which isn’t bad, by the way; it’s just that these types of credentials are a little bit different. Both depend on your password to the operating system. If your machine is not connected to the domain, which is also quite an interesting case for the Data Protection API, then your passwords stored like that, using the Data Protection API, depend on your password hash, as we already mentioned. We could be thinking, “A flaw in that, it’s not a good idea ’cause we all can grab MD4 from the SAM database.” Well, yes and no. You can always do that, but these particular secrets are protected with SHA-1 of your password, especially for local accounts, I mean the ones that are not connected to the domain. That is quite interesting over here.
For the accounts that are connected to the domain, we don’t store any hashes on the computer. Cached Credentials are not storing hashes, just for reference, if you are wondering. In the case of a domain, we use MD4 to protect these kinds of secrets.
This is a little bit of a summary how passwords are stored in the browser. If you are a geek, then please try the same stuff for Firefox and I’m waiting for your questions in the comments section below because it’s a very long subject and I’m pretty sure we’re gonna have a lot of different types of episodes about it.
So that’s about it. I hope you enjoyed it and don’t forget to leave your comments in our blog post and also on our Facebook page. I’m looking forward to your questions ’cause I bet there might be a couple of those that are burning. Thank you and see you next time.

10+ Cybersecurity Skills You want To get a Windows Security Pro

Last Thursday we hosted our first ever webinar for cyber Newbies (geeks with less than 3 years’ experience), called “How To Hack Your Way To Windows Security Proficiency”. During the webinar, we pointed out 30 skills that every Cyber-Newbie must acquire to become Cyber Security Pro. 
These skills are:

#1 skill group: Windows Internals

  • Reviewing Processes and Threads
  • Administering System Services
  • Managing Service Accounts

#2 skill group: Managing identity and access in Windows Systems

  • Managing System Privileges
  • Managing Permissions
  • Protecting objects

#3 skill group: Managing Infrastructure Services

  • Configuring DNS and Active Directory Domain Services
  • Managing Internal Public Key Infrastructure
  • Configuring SQL Server Authentication Settings

#4 skill group: Securing Windows networks

  • Sniffing on the Network Traffic
  • Understanding and analyzing Windows protocols

#5 skill group: Application Whitelisting

  • Preparing Application Inventory
  • Implementing AppLocker
  • Understanding Non-exe executable files
  • Reviewing techniques used by Ransomware and implementing prevention

#6 skill group: Practical Cryptography

  • Implementing and Using BitLocker
  • Understanding DPAPI and Protection of Users Secrets

#7 skill group: High Availability

  • Failover Clustering
  • Virtualization
  • Making SQL Server Databases AlwaysOn

#8 skill group: Scripting and Automation

  • Configuring PowerShell with Just Enough Administration
  • Group Policy
  • Implementing Desired State Configuration

#9 skill group: Monitoring Windows Systems

  • Using Windows Built-in monitoring tools
  • ETW and EVT
  • 3rd party monitoring tools

#10 skill group: Troubleshooting

  • Startup troubleshooting
  • Understanding Blue Screens

#11 skill group: Forensics

  • Performing Disk Forensics
  • Memory Analysis

Sunday, June 4, 2017

BAMTech Takes Few Step In Swelling By Naming Former Amazon Exec Michael Paull As CEO


BAMTech, the digital media company spun off by Major League Baseball’s MLB Advanced Media, continues to move forward through the maturity process as today they named the former vice president, digital video at Amazon, Michael Paull, as BAMTech’s CEO. The move takes place after Bob Bowman, President, Business & Media of Major League Baseball stepped back from the operations of BAMTech after its initial launch.

BAMTech, the streaming service that is owned by MLBAM, The Walt Disney Company, and the National Hockey League, continues to grow its stable of over-the-top (OTT) clients which includes HBO NOW, the NHL, MLB, the PGA TOUR, WWE Network, Riot Games/League of Legends, and Ice Network. Disney is positioned to continue taking a larger ownership stake, with the option of eventually becoming majority owners in several years. They currently hold a 33% ownership stake and made their final installment of that $1 billion investment in January of this year.
BAMTech also has negotiated a presence in Europe through a partnership last year with Discovery, BAMTech Europe, which was launched to provide tech and video streaming services overseas, including Eurosport’s digital products.
Paull is scheduled to start in March as CEO and will report directly to the BAMTech board of directors.

“The team at BAMTech has created a best in class Over-The-Top video streaming platform allowing them to develop innovative solutions for their customers,” said Paull. “I am grateful to have the opportunity to work with this highly accomplished team and want to thank Major League Baseball and The Walt Disney Company for this exciting opportunity.”

The move brings a solid leadership presence to BAMTech with more than 20 years of consumer product development, technology, content distribution and acquisition, and media industry experience to his new position. At Seattle-based Amazon, he was in charge of Amazon Channels worldwide and was responsible for its global content, product, technology, operations and marketing. As part of joining Amazon in 2012 he also oversaw Prime Video and Amazon’s TVOD business in the U.S., as well as the development of Prime Music.

“Michael is a talented and accomplished executive who shares our collective vision for BAMTech as it aggressively explores new means to acquire and distribute video content,” said MLB Commissioner, Rob Manfred. “We are confident Michael will deliver on the incredible potential and promise this venture has for building powerful viewing experiences for its clients and their customers.”

Details Leak About Pokémon GO's New 'Fire and Ice' Event

Pokemon GO
Niantic

We can’t go more than a few weeks without a new Pokémon GO event being either announced or taking place, but something interesting has happened with this latest one. It’s been leaked online 10 days before it begins.

The leak comes from Team Eevolution, who is building up a pretty solid reputation at this point with accurate leaks about Pokémon GO’s Gen 2, the Easter event and the Water Festival in the past. As such, it stands to reason that this Fire and Ice event really is happening. Here’s what they’ve listed as the “official” Niantic rundown of the event, which again, is technically unconfirmed:
"Trainers,
With summer quickly approaching in the Northern Hemisphere and winter approaching in the Southern Hemisphere, we couldn’t think of a better way to celebrate the upcoming solstices than with a Fire-type and Ice-type Pokémon GO event.
From 1:00 P.M. PDT on June 13 to 1:00 P.M. PDT on June 20, 2017, Trainers around the world will discover more Charmander, Cyndaquil, Growlithe, Houndour, Ponyta, Swinub, Vulpix, and their Evolutions. You’ll also want to keep an eye out for Sneasel, Magmar, Cloyster, and other Fire types and Ice types!
It’s time to perfect your Poké Ball throws, Trainers! Throughout the event, you’ll receive huge XP bonuses for successfully catching Pokémon with Nice, Great, and Excellent Throws, as well as Curveballs and First Throws. Additionally, as you walk around your neighborhoods or discover new sights, you’ll earn even more XP for hatching Eggs. To help you take advantage of these awesome XP bonuses, Lucky Eggs will be 50% off in the in-game shop.
Get ready to explore the world around you—there are even more exciting updates coming your way soon!
—The Pokémon GO team"
Despite three chunky paragraphs, it’s a relatively simple event as far as these things go. Increased spawns of Fire and Ice types, and XP bonuses for what seems to be every action except evolutions, which is weird, given that’s what people care most about during increased XP events.
For those wondering what Pokémon might be spawning at increased rates given the Fire and Ice stipulation, that would be:
Fire:
  • Charmander, Charmeleon, Charizard
  • Vulpix, Ninetales
  • Growlithe, Arcanine
  • Ponyta, Rapidash
  • Magmar
  • Flareon
  • Cyndaquil, Quilava, Typhlosion
  • Slugma, Magcargo
  • Houndour, Houndoom
Ice:
  • Dewgong
  • Cloyster
  • Jynx
  • Lapras
  • Sneasel
  • Swinub, Piloswine
That’s a pretty wide range, and includes a lot of Pokémon that are already pretty common. In Chicago, I’ve been drowning in Swinub and Jynx for ages now. And I know some desert regions are overrun with Growlithe and Houndour. But there are some valuable Pokémon in here: Lapras, the Charmander tree, the Cyndaquil tree. And I still don’t even have one Houndour in the city here.

The problem, and I’ll go into this in greater detail later, is that the fact that this event is running from June 13th through June 20th definitely feels like it means that Pokémon GO’s “summer,” i.e. the summer full of big events like Legendary spawns and a gym rework at the very least, is not going to kick off until July. While I realize July is the one year anniversary of the game, it seems like a waste if they’re delaying these big additions until after June passes, given that the weather is great and many players are on summer break. I knew we probably wouldn’t get through summer without some sort of fire and/or ice event, given the obvious connection there, but I really do hope that other, bigger things happen in June and Niantic doesn’t waste a third of summer doing nothing of real significance.

Again, technically all of this is still a rumor, but a rumor from a reliable source and with incredibly specific details. I will update things if Niantic confirms the event, but they don’t usually do so until a few days out. Stay tuned.