chromebackdoor is a tool suggested to us by Ryan Malekya on YouTube and is created by Graniet which can be found on GitHub. This tool essentially creates backdoors for Firefox, Chrome and the much loved IE (sense the sarcasm). This tool allows us to generate payloads and has some really cool features like Facebook messenger spy, windows infections etc. It is a good tool, however, it does need a lot of work doing to it in order for it to work as it should. it also requires a bit of time to actually getting it to work how it is intended. We are going to be using DigitalOcean for this tutorial and using the pre-configured Ubuntu server with LAMP. You can grab yourself a free $10 DigitalOcean credit here.
So first we need to git clone the tool.
We can then cd into that directory, and we need to install some dependencies.
As we are using ubuntu we need to install python-m2crytpto
Now we can install crxmake
Before we run the program it will require us to enable https, we can do this by using a built-in package within the LAMP ubuntu server, letsencrypt
We then need to follow the steps within the setup. First by entering in a domain name “c2.iminyour.network”. Followed by an email address “[email protected]”. Then we need to accept the terms of service, and we only allow it to be accessed over https.
We can now run chromebackdoor
This runs the program however in order to create the backdoor we need to use an argument, for this we are going to use the –chrome argument
So these next steps are kinda confusing, and the English in the program isn’t well written, which doesn’t help. So we need to add where the website will be hosted, in this case, we use the full URL of “https://c2.iminyour.network/chromebackdoor” then we add what we think is meant to be relay, so we enter “relais” and confirm the information is correct. We are then presented with a list menu which for this video we use the Facebook Messenger Spy, so we enter “4” and this has now created a zip folder. We can now unzip the folder
From the files that have been extracted, we then need to change the config.php file located in the /web/includes directory using your preferred text editor. We then change the first line of the .php file to.
If you are using DigitalOcean the password file is located in
We can copy this and add it to our config file so we go back to the file and amend the first line and enter our DigitalOcean password
We then need to install phpmyadmin and auto config apache 2
We are going to use the copied password from DigitalOcean for the phpmyadmin. Once the configuration has finished we can then access the phpmyadmin web portal to add chromebackdoor to the database.
We need to locate the chromebackdoor.sql file we can easily find this with mobaXterm with the side panel. We then create a new folder on are host machine and copy the chromebackdoor.sql into our new folder. We then need to go back to phpmyadmin and import that file. Once that has been imported and saved we can then go to that web directory which will navigate us to the chromebackdooor web portal. We can use the credentials that are in the chromebackdoor.sql which is “root” and “toor” as you can see there will be nothing in the web portal.
If we go back to our terminal we need to add i368 architecture to enable us to use wine.
Then we need to install wine
This will throw errors at us, however, we can run the command to fix this issue
Now this is done we can use the build argument for the chromebackdoor
We are then asked the backdoor type, in this case, it is “–chrome” we then need to enter the location of the file “/var/www/html/chromebook/backdoor.crx” this will start the install and will throw loads of errors at us, but its nothing to worry about. We are then given the option to use a Rubber Ducky Payload for this we choose “n”
We can then navigate to our payload “https://c2.iminyour.network/chromebackdoor/bot.exe” this will download the file and if you have anti-virus installed, it should alert you, well it did with avast anyway 😀
We can then run the program which will kill chrome but this will add the extension to chrome. If we go back to the web portal we will be able to see a bot. This should now, in theory, log any facebook messages that are sent or received while the payload is running, although this is not the case. We do a bit of troubleshooting and realize that we need to install curl
We then need to amend the apache php.ini file located in /etc/php/7.0/apache2/ then search for “curl” by using ctrl + w within nano and remove the “;” from the line
after this restart apache
and now we can retest by sending another message and we should be able to see messages being saved within the web portal.
I said we should, but we don’t, so we need to go back to our terminal and copy our .js files to the chromebackdoor directory
We then finally need to amend the facebookmessage.js file that we have just moved. Locate the line that has “http” in it and change it to “https” and then a few lines down change the line that has “http://localhost:8888…” to our domain. “https://iminyour.network /chromebackdoor/….”
And now!! Finally!! it is working!! We should now be able to see messages being recorded!