Browser Credential Dumping

Browser credential dumping guide for post-exploitation: extracting saved passwords, cookies, and payment data from Chromium-based browsers (Chrome, Edge, Brave) and others using ChromElevator, LaZagne, and manual DPAPI decryption on Windows.

Browser credential dumping is the process of extracting saved passwords, cookies, session tokens, and payment data from browsers on a compromised host. These credentials often provide access to web applications, cloud consoles, and internal tools; cookies can enable session hijacking without knowing the password. Modern Chromium-based browsers (Chrome, Edge, Brave) protect this data with App-Bound Encryption (ABE) and DPAPI, so extraction typically requires either an in-memory bypass (e.g. ChromElevator) or running under the same user context with the browser’s decryption keys (e.g. LaZagne).


Browser Data Locations

Knowing where browsers store credentials helps when copying databases for offline decryption or when using scripts that expect default paths.

Chromium-based (Chrome, Edge, Brave):

Data        Typical path (Windows)
Passwords   %LocalAppData%\Google\Chrome\User Data\Default\Login Data (Chrome). Replace Google\Chrome with Microsoft\Edge or BraveSoftware\Brave-Browser for Edge/Brave.
Cookies     ...\User Data\Default\Network\Cookies (newer) or ...\User Data\Default\Cookies
Web Data    ...\User Data\Default\Web Data (autofill, some tokens)

Firefox:

  • Profiles under %AppData%\Mozilla\Firefox\Profiles\<profile>.default-release\
  • Passwords: logins.json + key4.db (key storage)

Opera:

  • %AppData%\Opera Software\Opera Stable\ (similar structure to Chromium)

ChromElevator (Chromium ABE Bypass)

Repository: Chrome-App-Bound-Encryption-Decryption

Works on: Chrome, Brave, Edge (Windows)

ChromElevator performs an in-memory bypass of Chromium’s App-Bound Encryption (ABE). It uses direct syscall-based reflective process hollowing to launch a legitimate browser process in a suspended state, inject a payload to hijack its identity and security context, and decrypt sensitive data (cookies, passwords, payments) without touching user-land API hooks. This fileless, living-off-the-land (LOTL) approach can evade some EDR products that only monitor file-based access to browser databases.

Precompiled binary: Releases

Dump all supported browsers to an output folder:

.\chromelevator.exe all -o all_output

Credentials and related data are written into the all_output folder.


Dump a specific browser (e.g. Chrome):

.\chromelevator.exe -v -f chrome -o chrome_output


Other supported targets: use -f with chrome, edge, or brave as appropriate.
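Both of the preceding sections describe observable behaviour a defender can key on: the data-location table lists the files a dumper must read, and the ChromElevator description explains that the ABE bypass injects into a legitimate browser process rather than reading those files. The detection logic below is an added example (not code from this page or from either project) that turns those two observations into rules over constructed Sysmon-style key=value event records; the record format, the sample paths and executable names, and the choice of PROCESS_VM_WRITE/PROCESS_CREATE_THREAD as the "injection-capable" access bits are assumptions made here.

```python
"""Detection logic for the two access patterns described above:
non-browser processes reading browser credential stores, and
non-browser processes opening a browser process with rights that
permit memory writes or thread creation.

Added example; the event records are constructed Sysmon-style
key=value lines, not output captured from any tool on this page."""
from typing import Dict, List, Optional

# Browser executables that legitimately touch their own data stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# File names of the credential stores listed in the data-location section.
CREDENTIAL_FILES = {"login data", "cookies", "web data", "local state",
                    "logins.json", "key4.db"}

# Lower-cased path fragments that mark a browser profile directory.
PROFILE_MARKERS = ("\\user data\\", "\\firefox\\profiles\\", "\\opera software\\")

# PROCESS_VM_WRITE (0x20) and PROCESS_CREATE_THREAD (0x02). Assumption made
# here: an access mask with either bit set is treated as injection-capable.
INJECTION_BITS = 0x20 | 0x02


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_credential_store(path: str) -> bool:
    lowered = path.lower()
    return basename(lowered) in CREDENTIAL_FILES and any(m in lowered for m in PROFILE_MARKERS)


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string for a suspicious event, else None."""
    image = basename(event.get("Image", ""))
    if image in BROWSER_IMAGES:
        return None  # the browser reading its own data or handling its own children
    kind = event.get("EventType")
    if kind == "FileAccess":
        target = event.get("TargetFilename", "")
        if is_credential_store(target):
            return f"credential-store access: {image} -> {target}"
    elif kind == "ProcessAccess":
        target_image = basename(event.get("TargetImage", ""))
        granted = int(event.get("GrantedAccess", "0"), 16)
        if target_image in BROWSER_IMAGES and granted & INJECTION_BITS:
            return (f"browser process opened with write/thread rights: "
                    f"{image} -> {target_image} (0x{granted:X})")
    return None


def scan(lines: List[str]) -> List[str]:
    """Evaluate every record and return the alerts in input order."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (paths and executable names are illustrative only).
SAMPLE_EVENTS = [
    "EventType=FileAccess|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "EventType=FileAccess|Image=C:\\Users\\alice\\Downloads\\dumper.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "EventType=FileAccess|Image=C:\\Windows\\System32\\notepad.exe"
    "|TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
    "EventType=ProcessAccess|Image=C:\\Users\\alice\\Downloads\\loader.exe"
    "|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GrantedAccess=0x1FFFFF",
    "EventType=ProcessAccess|Image=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GrantedAccess=0x1000",
    "EventType=FileAccess|Image=C:\\Users\\alice\\Downloads\\backup.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\key4.db",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The file-access rule fires for the LaZagne-style approach (the page notes those tools read the SQLite databases directly), while the process-access rule is what a fileless bypass leaves behind: the browser's own image reading its own stores is allowed through, a foreign image doing either is not. Backup agents and browser-sync helpers will need an allow-list on top of this in production.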


LaZagne

Repository: LaZagne

LaZagne extracts passwords from many sources, including browsers (Chrome, Firefox, Edge, Brave, Opera, etc.), and supports Windows, Linux, and macOS. It runs in the target user context and uses the system keychain/DPAPI so decryption works without an ABE bypass. Useful when you have code execution as the user and prefer a single tool for browsers plus other stored creds (Wi‑Fi, Git, SSH, etc.).

Run all modules (browsers + others):

lazagne.exe all


Browsers only:

lazagne.exe browsers


Output to file:

lazagne.exe browsers -oN browser_creds.txt


Single browser (e.g. Chrome):

lazagne.exe browsers -b Chrome

Other Approaches

SharpChromium / .NET tools

.NET-based dumpers (e.g. SharpChromium) target Chromium data from a .NET process. They typically require execution as the same user and read the browser SQLite databases, using DPAPI to decrypt the master key. Useful in Windows environments where you already use C# tooling or execute in-process.

Manual DPAPI decryption

If you have the encrypted key material from the browser (e.g. the encrypted_key value from Local State and the encrypted values stored in Chromium’s SQLite databases), you can decrypt it with DPAPI in the same user context (e.g. with mimikatz dpapi::chrome or a small script). This is more manual but avoids dropping a full credential dumper binary.

Copying databases for offline decryption

Copy the Login Data and (if needed) Cookies SQLite files and Local State to your own machine. Decryption requires either the user’s DPAPI master key (exported from the target) or running the decryption on the target under that user. Chromium’s key is derived from DPAPI and stored in Local State; without the user context or key export, offline decryption is not straightforward.
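The two preceding subsections (manual DPAPI decryption and copying databases offline) both hinge on which key Local State actually carries: a DPAPI-wrapped key is recoverable in the user context, an App-Bound key is not. The audit below is an added example, not code from this page or from any of the tools it lists; it only inspects the metadata and decrypts nothing. It assumes the Local State layout as I understand it at the time of writing (legacy key at os_crypt.encrypted_key decoding to a blob prefixed "DPAPI"; App-Bound key at os_crypt.app_bound_encrypted_key decoding to a blob prefixed "APPB"), which should be verified against the browser version in your fleet.

```python
"""Audit which key-protection scheme a Chromium profile's Local State
advertises, without decrypting anything.

Added example; not code from any tool on this page. Assumptions about
Chromium's Local State layout, to be verified against the browser version
in your fleet: the legacy key sits at os_crypt.encrypted_key and decodes
to a blob prefixed "DPAPI"; the App-Bound key sits at
os_crypt.app_bound_encrypted_key and decodes to a blob prefixed "APPB"."""
import base64
import json
from typing import Dict, Optional

DPAPI_PREFIX = b"DPAPI"
APPB_PREFIX = b"APPB"


def _decoded(value: Optional[str]) -> Optional[bytes]:
    """Base64-decode a Local State key field; None if absent or malformed."""
    if not value:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def audit_local_state(text: str) -> Dict[str, object]:
    """Classify the os_crypt section of a Local State document."""
    os_crypt = json.loads(text).get("os_crypt", {})
    legacy = _decoded(os_crypt.get("encrypted_key"))
    app_bound = _decoded(os_crypt.get("app_bound_encrypted_key"))
    result: Dict[str, object] = {
        "legacy_dpapi_key": legacy is not None and legacy.startswith(DPAPI_PREFIX),
        "app_bound_key": app_bound is not None and app_bound.startswith(APPB_PREFIX),
    }
    if result["app_bound_key"]:
        # ABE is active: data sealed with this key needs the browser's own
        # security context, not just the user's DPAPI master key.
        result["scheme"] = "app-bound"
    elif result["legacy_dpapi_key"]:
        # Only the DPAPI-wrapped key is present: user-context DPAPI suffices.
        result["scheme"] = "dpapi-only"
    elif legacy is not None or app_bound is not None:
        result["scheme"] = "unrecognised"  # present, but not a prefix we know
    else:
        result["scheme"] = "none"
    return result


def audit_file(path: str) -> Dict[str, object]:
    """Audit a Local State file on disk (the User Data\\Local State file)."""
    with open(path, encoding="utf-8") as fh:
        return audit_local_state(fh.read())


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed fixtures: the bytes after each prefix are zero placeholders,
# not real key material.
SAMPLE_ABE = json.dumps({"os_crypt": {
    "encrypted_key": _b64(DPAPI_PREFIX + bytes(16)),
    "app_bound_encrypted_key": _b64(APPB_PREFIX + bytes(16)),
}})
SAMPLE_LEGACY = json.dumps({"os_crypt": {"encrypted_key": _b64(DPAPI_PREFIX + bytes(16))}})
SAMPLE_UNKNOWN = json.dumps({"os_crypt": {"encrypted_key": _b64(b"XXXXX" + bytes(16))}})

if __name__ == "__main__":
    for name, doc in (("abe", SAMPLE_ABE), ("legacy", SAMPLE_LEGACY), ("unknown", SAMPLE_UNKNOWN)):
        print(name, audit_local_state(doc))
```

Run audit_file against a profile's Local State to confirm that a browser reported as ABE-capable is actually carrying an App-Bound key; a fleet where "dpapi-only" still shows up is one where any process running as the user can recover the stored secrets with nothing more than DPAPI.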


Common Tools Reference

Tool            Best for                          Browsers covered                             Platform
ChromElevator   ABE bypass, fileless, in-memory   Chrome, Edge, Brave                          Windows
LaZagne         Multi-source, incl. browsers      Chrome, Edge, Brave, Firefox, Opera, etc.    Windows, Linux, macOS
SharpChromium   .NET / in-process                 Chromium-based                               Windows
Friday, February 13, 2026