Add password extraction to browser plugins

dissect/target/loaders/itunes.py

@@ -28,9 +28,9 @@
 try:
     from Crypto.Cipher import AES
 
-    HAS_PYCRYPTODOME = True
+    HAS_CRYPTO = True
 except ImportError:
-    HAS_PYCRYPTODOME = False
+    HAS_CRYPTO = False
 
 
 DOMAIN_TRANSLATION = {
@@ -383,7 +383,7 @@ def _create_cipher(key: bytes, iv: bytes = b"\x00" * 16, mode: str = "cbc") -> A
             raise ValueError(f"Invalid key size: {key_size}")
 
         return _pystandalone.cipher(f"aes-{key_size * 8}-{mode}", key, iv)
-    elif HAS_PYCRYPTODOME:
+    elif HAS_CRYPTO:
         mode_map = {
             "cbc": (AES.MODE_CBC, True),
             "ecb": (AES.MODE_ECB, False),

dissect/target/plugins/apps/browser/brave.py

@@ -8,6 +8,7 @@
     GENERIC_DOWNLOAD_RECORD_FIELDS,
     GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
 )
 from dissect.target.plugins.apps.browser.chromium import (
@@ -47,6 +48,10 @@ class BravePlugin(ChromiumMixin, BrowserPlugin):
         "browser/brave/extension", GENERIC_EXTENSION_RECORD_FIELDS
     )
 
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/brave/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     @export(record=BrowserHistoryRecord)
     def history(self) -> Iterator[BrowserHistoryRecord]:
         """Return browser history records for Brave."""
@@ -66,3 +71,8 @@ def downloads(self) -> Iterator[BrowserDownloadRecord]:
     def extensions(self) -> Iterator[BrowserExtensionRecord]:
         """Return browser extension records for Brave."""
         yield from super().extensions("brave")
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records for Brave."""
+        yield from super().passwords("brave")

dissect/target/plugins/apps/browser/browser.py

@@ -1,6 +1,10 @@
+from functools import cache
+
+from dissect.target.helpers import keychain
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
+from dissect.target.target import Target
 
 GENERIC_DOWNLOAD_RECORD_FIELDS = [
     ("datetime", "ts_start"),
@@ -63,6 +67,21 @@
     ("uri", "from_url"),
     ("path", "source"),
 ]
+
+GENERIC_PASSWORD_RECORD_FIELDS = [
+    ("datetime", "ts_created"),
+    ("datetime", "ts_last_used"),
+    ("datetime", "ts_last_changed"),
+    ("string", "browser"),
+    ("varint", "id"),
+    ("uri", "url"),
+    ("string", "encrypted_username"),
+    ("string", "encrypted_password"),
+    ("string", "decrypted_username"),
+    ("string", "decrypted_password"),
+    ("path", "source"),
+]
+
 BrowserDownloadRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "browser/download", GENERIC_DOWNLOAD_RECORD_FIELDS
 )
@@ -75,11 +94,35 @@
 BrowserCookieRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "browser/cookie", GENERIC_COOKIE_FIELDS
 )
+BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "browser/password", GENERIC_PASSWORD_RECORD_FIELDS
+)
 
 
 class BrowserPlugin(NamespacePlugin):
     __namespace__ = "browser"
 
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.keychain = cache(self.keychain)
+
+    def keychain(self) -> set:
+        """Retrieve a set of passphrases to use for decrypting saved browser credentials.
+
+        Always adds an empty passphrase as some browsers encrypt values using empty passphrases.
+
+        Returns:
+            Set of passphrase strings.
+        """
+        passphrases = set()
+        for provider in [self.__namespace__, "browser", "user", None]:
+            for key in keychain.get_keys_for_provider(provider) if provider else keychain.get_keys_without_provider():
+                if key.key_type == keychain.KeyType.PASSPHRASE:
+                    passphrases.add(key.value)
+
+        passphrases.add("")
+        return passphrases
+
 
 def try_idna(url: str) -> bytes:
     """Attempts to convert a possible Unicode url to ASCII using the IDNA standard.

dissect/target/plugins/apps/browser/chrome.py

@@ -8,6 +8,7 @@
     GENERIC_DOWNLOAD_RECORD_FIELDS,
     GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
 )
 from dissect.target.plugins.apps.browser.chromium import (
@@ -49,6 +50,10 @@ class ChromePlugin(ChromiumMixin, BrowserPlugin):
         "browser/chrome/extension", GENERIC_EXTENSION_RECORD_FIELDS
     )
 
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/chrome/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     @export(record=BrowserHistoryRecord)
     def history(self) -> Iterator[BrowserHistoryRecord]:
         """Return browser history records for Google Chrome."""
@@ -68,3 +73,8 @@ def downloads(self) -> Iterator[BrowserDownloadRecord]:
     def extensions(self) -> Iterator[BrowserExtensionRecord]:
         """Return browser extension records for Google Chrome."""
         yield from super().extensions("chrome")
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records for Google Chrome."""
+        yield from super().passwords("chrome")