Mining Forensics Information from Browser using Infornito Tool
In our lab walkthrough series, we go through selected lab exercises on our AttackDefense Platform. Premium labs require a subscription, but you can sign in for free to try our community labs and view the list of topics — no subscription or VPN required!
Browser Bookmark Discovery (or MITRE ATT&CK T1217) is a part of the post-exploitation phase and deals with mining browser data/configuration files to learn more about the target user/organization.
We have set up the below scenario in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.
Lab: T1217: Browser Bookmark Discovery III
This lab comprises a Linux machine. The user or practitioner gets command-line interface (CLI) access to this Linux machine through the web browser. The machine has Mozilla Firefox installed on it. The required tools are also present on the same machine.
Challenge Statement
In this lab, the user has to use the Infornito tool to retrieve the information.
Your mission:
- What is the name of the file downloaded using Google Chrome?
- When was www.nytimes.com first accessed using Google Chrome?
- When was pentesteracademy.com first accessed using Mozilla Firefox?
Solution
Step 1: Check the content present in the current working directory.
Command: ls -l
Step 2: Also list the hidden directories.
Command: ls -al
Step 3: Check the contents of the tools directory.
Command: ls -l tools/
Step 4: Check the help option for the Infornito tool.
Command: tools/Infornito/infornito.py -h
Step 5: List all available browser profiles on the machine for the user student.
Command: tools/Infornito/infornito.py profiles
Step 6: List the downloaded files for Google Chrome (i.e. profile 4).
Command: tools/Infornito/infornito.py downloads --profile 4
A torrent file, kali-linux-2018.3a-amd64.iso.torrent, was downloaded using Google Chrome.
Flag 1: kali-linux-2018.3a-amd64.iso.torrent
Step 7: Retrieve the web browsing history for Google Chrome (i.e. profile 4).
Command: tools/Infornito/infornito.py history --profile 4
The www.nytimes.com portal was first accessed at 2018-10-18 14:51:39.776976.
Flag 2: 2018-10-16 14:51:39
Step 8: Retrieve the web browsing history for Firefox (i.e. profile 3).
Command: tools/Infornito/infornito.py history --profile 3
The pentesteracademy.com portal was first accessed at 2018-10-16 23:32:06.
Flag 3: 2018-10-16 23:32:06
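The three answers above come from the browsers' own SQLite history files, which is what Infornito reads under the hood. As an added example (not the lab's or Infornito's code), the script below recovers the same kind of facts directly: Chrome keeps history in a file named History (tables urls, visits and downloads, timestamps in microseconds since 1601-01-01 UTC) and Firefox in places.sqlite (moz_places and moz_historyvisits, timestamps in microseconds since the Unix epoch). The databases, reduced schemas, paths and values here are constructed in-memory stand-ins.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit time base
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox time base

def chrome_time(us):
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def firefox_time(us):
    """Firefox stores visit_date as microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=us)

def first_visit(conn, host, browser):
    """Earliest recorded visit to `host`, using each browser's own history schema."""
    if browser == "chrome":   # urls + visits tables in Chrome's History file
        sql = ("SELECT MIN(v.visit_time) FROM visits v JOIN urls u ON v.url = u.id "
               "WHERE u.url LIKE ?")
        conv = chrome_time
    else:                     # moz_places + moz_historyvisits in places.sqlite
        sql = ("SELECT MIN(h.visit_date) FROM moz_historyvisits h "
               "JOIN moz_places p ON h.place_id = p.id WHERE p.url LIKE ?")
        conv = firefox_time
    (ts,) = conn.execute(sql, (f"%://{host}/%",)).fetchone()
    return conv(ts) if ts is not None else None   # None when the host never appears

def chrome_downloads(conn):
    """(target_path, start time) for every row of Chrome's downloads table."""
    return [(path, chrome_time(ts)) for path, ts in
            conn.execute("SELECT target_path, start_time FROM downloads")]

def sample_profiles():
    """Constructed stand-ins (reduced columns, sample rows) for the two history DBs."""
    chrome = sqlite3.connect(":memory:")
    chrome.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://www.nytimes.com/', 13184179200000000);
        INSERT INTO visits VALUES (1, 1, 13184179200000000), (2, 1, 13184175099000000);
        INSERT INTO downloads VALUES (1, '/home/student/Downloads/sample.torrent', 13184175000000000);
    """)
    firefox = sqlite3.connect(":memory:")
    firefox.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://pentesteracademy.com/');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1539732726000000);
    """)
    return chrome, firefox
```

Against a real profile, open the History or places.sqlite file with sqlite3.connect() instead of sample_profiles(); copy the file first, since a running browser holds a lock on it and a live copy can be changed while you read it.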
Go beyond walkthroughs with hands-on practice. Subscribe now and gain access to 2000+ lab exercises including this one! We also provide on-demand bootcamps — follow along with instructors as they go through the labs and progressively master in-demand topics regardless of time zone!