A comprehensive Windows-based tool for extracting and decrypting browser data from multiple Chromium-based and Firefox-based browsers.
This tool is designed for legitimate security research, forensics, and authorized pentesting purposes only. Usage of this tool without proper authorization may be illegal. Users are responsible for complying with all applicable laws and regulations.
- Google Chrome - Full cookie, password, and autofill extraction
- Brave - Complete data extraction with v20 decryption
- Microsoft Edge - Full support for all profiles
- Opera - Standard and GX editions supported
- Yandex Browser - Full data extraction
- Vivaldi - Complete profile support
- Chromium - Native chromium builds
- CentBrowser - Full support
- Mozilla Firefox - Cookie and password extraction
- Firefox Developer Edition - Full support
- Tor Browser - Profile data extraction
- Decrypts stored login credentials
- Supports v20 encryption (latest Chrome/Edge encryption)
- Handles legacy DPAPI encryption
- Extracts username/password pairs with associated URLs
- Retrieves all stored cookies
- Decrypts encrypted cookie values
- Exports in Netscape cookie format
- Preserves cookie attributes (secure, httponly, expiry)
- Extracts form autofill data
- Decrypts encrypted field values
- Captures name-value pairs from web forms
The tool implements state-of-the-art decryption for Chrome's v20 encryption scheme:
- Flag 1: AES-256-GCM with hardcoded key
- Flag 2: ChaCha20-Poly1305 encryption
- Flag 3: LSASS impersonation with CNG decryption
- Legacy DPAPI: Backward compatibility support
- LSASS Impersonation: Elevates privileges to decrypt app-bound keys
- CNG Integration: Windows Cryptography Next Generation API support
- DPAPI Unprotection: Data Protection API for legacy encryption
- Debug Privileges: SeDebugPrivilege for system-level access
Local State β Encrypted Key β DPAPI Decrypt β Key Blob Parser β V20 Master Key
- Creates temporary copies of locked SQLite databases
- Prevents file access conflicts with running browsers
- Automatic cleanup of temporary files
- Automatically terminates browser processes
- Uses psutil for cross-process termination
- Ensures clean database access
- Scans all browser profiles (Default, Profile 1, Profile 2, etc.)
- Processes each profile independently
- Organizes output by browser and profile
- Operating System: Windows 10/11 (64-bit)
- Python Version: Python 3.8 or higher
- Administrator Rights: Required for LSASS impersonation and process termination
- Clone the repository
git clone https://github.com/yanaksalvo/Browser-Data-Cookie-Extractor.git
cd browser-data-extractor- Install required dependencies
pip install -r requirements.txt- Verify installation
python main.py --helpImportant: This script must be run with Administrator privileges.
# Run as Administrator
python main.py- Process Termination: All detected browser processes are closed
- Key Extraction: Master keys are retrieved from each browser
- Data Decryption: Passwords, cookies, and autofill data are decrypted
- Archive Creation: All data is saved to
output.zip - Logging: Detailed logs are written to
browser_data_extractor.log
output.zip
βββ decrypted_keys/
β βββ chrome_master_key.txt
β βββ brave_master_key.txt
β βββ edge_master_key.txt
β βββ ...
βββ chrome/
β βββ Default/
β β βββ passwords.txt
β β βββ cookies.txt
β β βββ auto_fills.txt
β βββ Profile 1/
β βββ passwords.txt
β βββ cookies.txt
β βββ auto_fills.txt
βββ brave/
β βββ ...
βββ edge/
β βββ ...
βββ firefox/
βββ ...
The tool uses a comprehensive browser configuration dictionary in BROWSERS. To add a new browser:
'browser_key': {
'name': 'Browser Display Name',
'data_path': r'AppData\Local\BrowserPath\User Data',
'local_state': r'AppData\Local\BrowserPath\User Data\Local State',
'process_name': 'browser.exe',
'key_name': 'BrowserKeyName',
'chromium_based': True
}The tool maintains detailed logs in browser_data_extractor.log:
- Process start/end times
- Administrator privilege status
- Browser processes killed
- Profiles processed
- Data extraction counts
- Errors and warnings
- INFO: Normal operations
- WARNING: Non-critical issues
- ERROR: Operation failures
- CRITICAL: Fatal errors
-
Locate Local State File
- Reads
Local StateJSON file - Extracts
app_bound_encrypted_keyorencrypted_key
- Reads
-
Decrypt Master Key
- DPAPI unprotection (system context)
- DPAPI unprotection (user context)
- Parse key blob structure
- Derive final master key based on flag type
-
Extract Database Data
- Copy locked SQLite databases to temp directory
- Query passwords, cookies, autofill tables
- Decrypt v20 encrypted values
-
Save Decrypted Data
- Format data in human-readable format
- Add to ZIP archive with organized structure
-
Locate Profile Directory
- Scan Firefox profiles folder
- Identify active profiles
-
Extract Cookies
- Read
cookies.sqlitedirectly - Export in Netscape format
- Read
-
Extract Passwords
- Parse
logins.jsonfile - Extract encrypted credentials (Note: Full decryption requires NSS libraries)
- Parse
Solution: Right-click Python/CMD and select "Run as Administrator"
Solution: Manually close all browser instances before running
Solution: Browser may not be installed or has different file structure
Solution: Check browser_data_extractor.log for specific errors
- Authorization: Only use on systems you own or have explicit permission to test
- Data Handling: Extracted data contains sensitive information - handle accordingly
- Legal Compliance: Ensure compliance with local laws and regulations
- Cleanup: Securely delete extracted data after analysis
This tool:
- Terminates browser processes (may trigger security software)
- Requires administrator privileges (logged by Windows)
- Accesses sensitive Windows APIs (may be monitored)
- Creates temporary files (leaves forensic traces)
- windows: Windows API interactions
- pycryptodome: AES-GCM and ChaCha20 implementations
- psutil: Process management
- sqlite3: Database operations (built-in)
- ctypes: Windows DLL interactions (built-in)
- NCrypt: CNG key decryption
- DPAPI: Data protection
- Token Impersonation: Privilege elevation
- Process Management: Browser termination
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is provided for educational and authorized security research purposes only. Users are responsible for ensuring their use complies with all applicable laws.
This software is provided "as is" without warranty of any kind. The authors are not responsible for any misuse or damage caused by this tool. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws.
- Chrome v20 encryption research community
- Windows PythonForWindows library maintainers
- Security researchers who documented browser encryption mechanisms
For questions, issues, or security concerns, please open an issue on GitHub.
Version: 1.0.0
Last Updated: December 2025
Compatibility: Windows 10/11 (64-bit)