Skip to content

Tool Overview

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Tool Overview

BrowserSnatch is an open-source offensive-security tool designed to "snatch" sensitive data from a wide range of web browsers on Windows. It targets both Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, and others) and Gecko-based browsers (Firefox, Thunderbird, Waterfox, and others), covering more than 40 browsers. Extracted data includes saved passwords, cookies (including the latest v20 app-bound-encrypted cookies), bookmarks, and browsing history.

The tool is written almost entirely in C/C++ for speed and to minimize external dependencies, producing a small standalone executable. It is published publicly on GitHub under the MIT license and is intended for penetration testing, red teaming, and adversary emulation.

Source: https://github.com/shaddy43/BrowserSnatch


Metadata

Attribute Detail
Author shaddy43
GitHub https://github.com/shaddy43/BrowserSnatch
Language C / C++ (~98.8% C, ~1.2% C++)
Build environment Visual Studio, ISO C++17 (/std:c++17) or higher; nlohmann/json via NuGet
Target OS Windows x86 / x64
Versions Up to V2.2 (latest release Mar 12, 2025); 5 releases
License MIT

Capabilities

# Capability Stealth Key behavior
1 Snatch saved passwords Low–Medium Reads Chromium Login Data and Gecko logins.json; DPAPI + AES-GCM decryption across 40+ browsers
2 Snatch cookies Low–Medium Extracts cookies from profile SQLite stores; session-cookie theft enables auth-token replay
3 App-bound cookie decryption (v20) Medium–High Decrypts latest app-bound-encrypted cookies (Chrome/Edge/Brave); requires admin
4 Snatch bookmarks Low Reads Bookmarks (Chromium) and Gecko equivalents
5 Snatch history Low Reads History SQLite DB across all supported browsers
6 Greed mode Medium Snatches everything from every browser into a single consolidated stealer database
7 Recalibrate mode N/A Fallback routine when password/cookie extraction fails
8 Service N/A Run as service to decrypt app-bound passwords & cookies (-service)

See Behavioral Detections for the full command-line reference.


Repository structure

shaddy43/BrowserSnatch/
│
├── Assets/                    ← Screenshots, banner, demo GIF
│   ├── browser_snatch1.jpg    ← Tool banner image
│   ├── help-menu.png          ← -h help menu screenshot
│   └── Demo.gif               ← Working demo animation
│
├── BrowserSnatch/             ← Core C/C++ source code
│   └── [C/C++ source files]   ← Snatching technique implementations
│
├── BrowserSnatch.sln          ← Visual Studio solution
├── CODE_OF_CONDUCT.md
├── LICENSE                    ← MIT License
└── README.md                  ← Full documentation

Release artifacts:
  BrowserSnatch.exe            ← Main executable (x86 build)
  BrowserSnatch64.exe          ← Main executable (x64 build)

Why it matters to defenders

  • Credential theft at scale: a single run can harvest passwords and session cookies from dozens of browsers.
  • Session-cookie replay (T1539): stolen cookies enable account takeover that bypasses MFA. Treat any cookie-store exfiltration as an ATO precursor and force session invalidation.
  • App-bound decryption: the tool keeps pace with Chrome's v20 app-bound cookie encryption, so "we're on the latest Chrome" is not mitigation.
  • Masquerading: beyond collection, observed variants establish scheduled-task system privilege and masquerade as legitimate browser binaries (see IOCs).

Continue to → MITRE ATT&CK Mapping

Clone this wiki locally