EvilSelenium
EvilSelenium is a new project that weaponizes Selenium to abuse Chrome. Its current features are:
- Steal stored credentials (via autofill)
- Steal cookies
- Take screenshots of websites
- Dump Gmail/O365 emails
- Dump WhatsApp messages
- Download & exfiltrate files
- Add SSH keys to GitHub
You can also extend the existing functionality to suit your needs (e.g. downloading files from the user’s GDrive/OneDrive).
Note
- When this tool is run it will terminate any existing Chrome processes so that it can run with the user’s Chrome profile, which holds the saved passwords and active sessions.
- I built this tool in about a week and I didn’t run as many tests as I should have, so there may be some bugs.
- Selenium modules are not always stable. Due to the constant changes in websites, some modules may occasionally break. I’ll try my best to maintain the existing modules to ensure they work as intended, but you’ve been warned.
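The note above describes two steps a defender can observe on an endpoint: the user's Chrome processes are terminated, and Chrome is then relaunched under a WebDriver against the user's own profile directory instead of a fresh one. The following Python detection rule is an added example and is not part of EvilSelenium: it runs over constructed Sysmon-style process-creation records. The record format, the taskkill stand-in for "terminate Chrome", the PowerShell parent and every sample event are assumptions; the flags --enable-automation and --remote-debugging-port are ones chromedriver ordinarily passes, and the path matched is Chrome's default profile location on Windows.

```python
"""Detect Chrome being killed and relaunched under automation on the real user profile.

Added example, not EvilSelenium code. All events below are constructed; the
'ts|user|image|parent|cmdline' record shape is an assumption standing in for a
Sysmon EventID 1 / EDR process-creation feed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    user: str
    image: str      # lower-cased executable name
    parent: str     # lower-cased parent executable name
    cmdline: str


# chromedriver normally passes these; an interactive Chrome launch never does.
AUTOMATION_FLAGS = ("--enable-automation", "--remote-debugging-port")
# Default Chrome profile root on Windows (regex: '\\' matches one backslash).
DEFAULT_PROFILE = re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data", re.IGNORECASE)
# How long after a Chrome kill a relaunch is still treated as the same action.
KILL_WINDOW = timedelta(seconds=60)


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed record; cmdline may contain '|' so split at most 4 times."""
    ts, user, image, parent, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), user, image.lower(), parent.lower(), cmdline)


def is_chrome_kill(ev: ProcEvent) -> bool:
    """taskkill aimed at chrome.exe (constructed stand-in for 'terminate Chrome')."""
    return ev.image == "taskkill.exe" and "chrome.exe" in ev.cmdline.lower()


def is_automated_profile_launch(ev: ProcEvent) -> bool:
    """chrome.exe started with automation flags against the user's real profile.

    Renderer/GPU children are spawned by chrome.exe itself and are skipped so the
    rule fires once per browser launch, not once per tab.
    """
    if ev.image != "chrome.exe" or ev.parent == "chrome.exe":
        return False
    has_automation_flag = any(flag in ev.cmdline for flag in AUTOMATION_FLAGS)
    on_real_profile = "--user-data-dir=" in ev.cmdline and DEFAULT_PROFILE.search(ev.cmdline) is not None
    return has_automation_flag and on_real_profile


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per automated launch; severity rises if a kill preceded it."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    alerts: List[Dict[str, str]] = []
    for i, ev in enumerate(events):
        if not is_automated_profile_launch(ev):
            continue
        preceded_by_kill = any(
            is_chrome_kill(prev) and prev.user == ev.user and ev.ts - prev.ts <= KILL_WINDOW
            for prev in events[:i]
        )
        alerts.append({
            "ts": ev.ts.isoformat(),
            "user": ev.user,
            "parent": ev.parent,
            "severity": "high" if preceded_by_kill else "medium",
            "reason": "automation-flagged chrome.exe on the user's real profile"
                      + (", preceded by Chrome termination" if preceded_by_kill else ""),
        })
    return alerts


# Constructed sample: alice's normal session, then a kill-and-relaunch on her
# profile; bob runs legitimate test automation on a scratch profile (no alert).
SAMPLE_LOG = r"""
2024-03-01T09:00:05|CORP\alice|chrome.exe|explorer.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe"
2024-03-01T09:00:06|CORP\alice|chrome.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer
2024-03-01T09:12:40|CORP\alice|taskkill.exe|powershell.exe|taskkill /F /IM chrome.exe
2024-03-01T09:12:43|CORP\alice|chromedriver.exe|powershell.exe|chromedriver.exe --port=9515
2024-03-01T09:12:44|CORP\alice|chrome.exe|chromedriver.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --enable-automation --remote-debugging-port=0 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data" --headless
2024-03-01T10:30:00|CORP\bob|chrome.exe|chromedriver.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --enable-automation --remote-debugging-port=0 --user-data-dir=C:\selenium\scratch-profile
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Legitimate Selenium use on a workstation normally points --user-data-dir at a throwaway directory, so the profile-path check is what separates it from a tool that wants the saved passwords and live sessions; the preceding kill only raises the severity.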
Recon Module
/enumsavedsites – Takes screenshots of chrome://settings/passwords.
/screenshot – Screenshots any website. If the user is authenticated to the website, you get authenticated screenshots :).
Credentials Module
IMPORTANT: The credentials module will DELETE COOKIES in order to steal credentials from autofill. Ideally, use the credentials module last if you also want to export cookies.
/autorun – Prebuilt templates for common websites. I’ll continue to add more.
/dynamicid – Provide the login URL along with the IDs of the username and password input fields. This is equivalent to document.getElementById().
/dynamicname – If the fields don’t have IDs, provide the fields’ name values. It will pick the first element with that name. This is equivalent to document.getElementsByName()[0].value.
/dynamicname2 – Provide the fields’ name values along with their index position. This is equivalent to document.getElementsByName()[x].value, where x is the provided position.
Cookies Module
/cookies – Dumps cookies from the specified website.
Misc Modules
These are additional modules I built to demonstrate what sort of actions you can do with Selenium.
/download – Downloads a file; specify the time to wait for the download. A non-executable file extension should be appended to the file before downloading to avoid Chrome’s Safe Browsing prompt.
/exfil – Uploads a file to filebin.net; specify the time to wait for the upload to complete. Once the upload is complete, the file’s download link is written.
/gmail – Fetches emails from mail.google.com if the user is authenticated. Max 50 emails.
/outlook – Fetches emails from Outlook if the user is authenticated.
/o365 – Fetches emails from O365 Outlook if the user is authenticated.
/github – Adds your SSH key to GitHub if the user is authenticated.
/whatsapp – Fetches WhatsApp messages if the user is authenticated (BETA).
Changelog v1.1
- Support Chromium-based browsers thanks to @davidl-talon
- Support Chrome 99 & 100