MCPcopy
hub / github.com/moonD4rk/HackBrowserData

github.com/moonD4rk/HackBrowserData @v1.1.0 sqlite

repository ↗ · DeepWiki ↗ · release v1.1.0 ↗
1,016 symbols 3,997 edges 171 files 385 documented · 38%
README

hack-browser-data logo

HackBrowserData

Lint Build Release Tests codecov

HackBrowserData is a command-line tool for decrypting and exporting browser data (passwords, history, cookies, bookmarks, credit cards, download history, localStorage, sessionStorage and extensions) from the browser. It supports the most popular Chromium-based browsers and Firefox on Windows, macOS and Linux, plus Safari on macOS.

It can also decrypt data across machines and operating systems: export the master keys on the origin host, then decrypt a copy of the data offline on any other host — even for a browser that the analyst host's OS cannot run (see Cross-host decryption).

Disclaimer: This tool is only intended for security research. Users are responsible for all legal and related liabilities resulting from the use of this tool. The original author does not assume any legal responsibility.

Supported Data Categories

Category Chromium-based Firefox Safari
Password
Cookie
Bookmark
History
Download
Credit Card - -
Extension
LocalStorage
SessionStorage - -

Supported Browsers

On macOS, some Chromium-based browsers require a current user password to decrypt.

Password decryption may fail on macOS 26.4 or later.

Browser Windows macOS Linux
Chrome ✅²
Chrome Beta ✅²
Chromium
Edge ✅²
Brave ✅²
Opera
OperaGX -
Vivaldi
Yandex -
CocCoc ✅² -
Arc -
DuckDuckGo³ - -
QQ³ - -
360 ChromeX³ - -
360 Chrome³ - -
DC Browser³ - -
Sogou Explorer³ - -
Firefox
Safari¹ - -

¹ Safari requires Full Disk Access; enable it in System Settings → Privacy & Security → Full Disk Access if extraction returns empty results.

² On Windows, decrypting Chromium 127+ cookies (Chrome / Chrome Beta / Edge / Brave / CocCoc) requires the App-Bound Encryption payload built via make build-windows — see Building from source below.

³ These browsers ship only on Windows, but their data is decryptable on any OS: pull the files with archive, export the keys with dumpkeys, then decrypt on macOS or Linux with restore — see Cross-host decryption.

Getting Started

Install

Installation of HackBrowserData is dead-simple, just download the release for your system and run the binary.

In some situations, this security tool will be treated as a virus by Windows Defender or other antivirus software and can not be executed. The code is all open source, you can modify and compile by yourself.

Building from source

Requires Go 1.20+.

git clone https://github.com/moonD4rk/HackBrowserData
cd HackBrowserData
go build ./cmd/hack-browser-data/

Cross-platform build

# For Windows (standard build, no Chromium 127+ ABE cookie support)
GOOS=windows GOARCH=amd64 go build ./cmd/hack-browser-data/

# For Linux
GOOS=linux GOARCH=amd64 go build ./cmd/hack-browser-data/

Windows build with App-Bound Encryption (optional)

Chrome / Chrome Beta / Edge / Brave / CocCoc 127+ protect cookies with App-Bound Encryption. Decrypting those cookies requires a small C payload — Zig (0.13+) is the recommended C toolchain (the Makefile calls zig cc). MinGW-w64 gcc can also build the sources manually if you bypass make payload.

# 1. Install Zig
brew install zig                 # macOS
scoop install zig                # Windows (scoop)
# or download from https://ziglang.org/download/

# 2. Build the payload (outputs crypto/windows/payload/abe_extractor_amd64.bin)
make payload

# 3. Build hack-browser-data.exe with the ABE payload embedded
make build-windows

The resulting hack-browser-data.exe includes full ABE cookie decryption on Chromium 127+.

Usage

$ hack-browser-data -h
hack-browser-data decrypts and exports browser data from Chromium-based
browsers and Firefox on Windows, macOS, and Linux.

GitHub: https://github.com/moonD4rk/HackBrowserData

Usage:
  hack-browser-data [flags]
  hack-browser-data [command]

Available Commands:
  archive     Pack decryption-relevant profile files into a zip for cross-host restore
  dump        Extract and decrypt browser data (default command)
  dumpkeys    Export Chromium master keys as JSON for cross-host decryption
  help        Help about any command
  list        List detected browsers and profiles
  restore     Decrypt copied profile data using exported master keys
  version     Print version information

Flags:
  -b, --browser string        target browser: all|chrome|firefox|edge|... (default "all")
  -c, --category string       data categories (comma-separated): all|password,cookie,... (default "all")
  -d, --dir string            output directory (default "results")
  -f, --format string         output format: csv|json|cookie-editor (default "json")
  -h, --help                  help for hack-browser-data
      --keychain-pw string    macOS keychain password
  -p, --profile-path string   custom profile dir path, get with chrome://version
  -v, --verbose               enable debug logging
      --zip                   compress output to zip

Use "hack-browser-data [command] --help" for more information about a command.

dump - Extract and decrypt browser data (default)

Running hack-browser-data without a subcommand defaults to dump.

Flag Short Default Description
--browser -b all Target browser (all|chrome|firefox|edge|...)
--category -c all Data categories, comma-separated (all|password|cookie|bookmark|history|download|creditcard|extension|localstorage|sessionstorage)
--format -f json Output format (csv|json|cookie-editor)
--dir -d results Output directory
--profile-path -p Custom profile dir path, get with chrome://version
--keychain-pw macOS keychain password
--zip false Compress output to zip

--format cookie-editor writes only cookies, as a JSON array matching the Cookie-Editor browser extension's import format; non-cookie categories are skipped.

Cross-host decryption

Decrypt browser data on an analyst host that was collected on a different origin host — including a browser whose engine the analyst's OS cannot even install (e.g. decrypt Sogou or QQ Browser data on macOS). Nothing platform-bound (DPAPI, macOS Keychain, Chrome App-Bound Encryption) has to leave the origin: the master keys are exported once, and decryption then runs entirely offline from a copy of the data.

The workflow uses three commands and two transportable artifacts:

Step Host Command Produces
1 origin dumpkeys keys.json — portable master keys
2 origin archive browser-data.zip — only the files needed to decrypt
3 analyst restore decrypted output (csv / json / cookie-editor)
# On the origin host (any OS) — export the keys and pack the data
hack-browser-data dumpkeys -o keys.json
hack-browser-data archive  -o browser-data.zip

# Copy keys.json + browser-data.zip to the analyst host, then decrypt offline
hack-browser-data restore --keys keys.json --data-zip browser-data.zip

keys.json contains plaintext master keys — treat it as a secret. dumpkeys -o writes it with 0600 permissions; prefer streaming it over a secure channel instead of leaving it on disk.

dumpkeys - Export master keys for cross-host decryption

Derives each Chromium installation's master keys on the origin host and writes them as JSON (Firefox / Safari have no portable key and are skipped). Defaults to stdout so it can be piped over SSH.

Flag Short Default Description
--browser -b all Target browser (all|chrome|edge|...)
--output -o stdout Output file (written 0600); stdout if omitted
--keychain-pw macOS keychain password

archive - Pack decryption-relevant files for transport

Collects only the files a restore actually needs (cookies, login data, history, …) through the same locked-file bypass used for extraction, so live SQLite files are read safely on Windows. The zip is laid out as <browser-key>/<User Data layout>, so one archive can carry several browsers and restore stays unambiguous. Entry names are always forward-slash, so a Windows-produced archive restores on macOS / Linux.

Flag Short Default Description
--browser -b all Target browser (all|chrome|edge|...)
--category -c all Data categories, comma-separated
--output -o browser-data.zip Output archive path

restore - Decrypt copied data with exported keys

Rebuilds each Chromium engine straight from keys.json and decrypts the supplied data — it never consults the analyst's local browser table, so the browsers you can restore are exactly the vaults in your keys.json. Supply the data one of two ways (exactly one is required):

  • --data-zip — a zip produced by archive; extracted to a temp dir and removed afterward.
  • --data-dir — a directory. Either the archive layout (<browser-key>/..., several browsers at once), or one browser's hand-copied User Data root, which is unambiguous only for a single browser — so pair it with -b.

-b is an optional filter over the dump's vaults, not a required selector.

Flag Short Default Description
--keys required Keys file from dumpkeys (use - for stdin)
--data-zip Zip from archive (mutually exclusive with --data-dir)
--data-dir Copied data dir (mutually exclusive with --data-zip)
--browser -b Restore only this browser; must match a vault in --keys
--category -c all Data categories, comma-separated
--format -f json Output format (csv|json|cookie-editor)
--dir -d results Output directory
--zip false Compress output to zip

Cross-host examples

```bash

Stream keys over SSH (no keys.json on disk), data copied separately

ssh orig

Extension points exported contracts — how you extend this code

Retriever (Interface)
Retriever obtains a Chromium master key from one platform source (DPAPI, Keychain, D-Bus, …). [12 implementers]
masterkey/retriever.go
Browser (Interface)
Browser is one installation: a UserDataDir holding profiles that (for Chromium) share one master key. [4 implementers]
browser/browser.go
ASN1PBE (Interface)
3DES uses 24-byte (192-bit) keys ASN1PBE represents a Password-Based Encryption structure from Firefox's NSS. The key pa [3 …
crypto/asn1pbe.go
Archivable (Interface)
Archivable is implemented by installations that can enumerate their decryption-relevant files for cross-host transport ( [1 …
browser/archive.go
Base (Interface)
Base is the interface that underlies the Logger. It receives the caller skip count, log level, and formatted message. [1 …
log/logger.go
KeyManager (Interface)
KeyManager is implemented by installations accepting external master-key retrievers (Chromium only). BrowserKey/Kind exp [2 …
browser/browser.go
KeychainPasswordReceiver (Interface)
KeychainPasswordReceiver is implemented by installations that need the macOS login password (Safari only). [1 implementers]
browser/browser.go

Core symbols most depended-on inside this repo

Errorf
called by 274
log/logger.go
TempDir
called by 129
filemanager/session.go
Error
called by 71
log/logger.go
String
called by 53
log/level.go
Fatalf
called by 45
log/logger.go
Write
called by 38
output/output.go
Debugf
called by 37
log/log.go
Fatal
called by 33
log/logger.go

Shape

Function 749
Method 146
Struct 103
Interface 9
TypeAlias 7
FuncType 2

Languages

Go100%

Modules by API surface

browser/chromium/chromium_test.go32 symbols
browser/keydump_test.go28 symbols
browser/safari/extract_storage_test.go25 symbols
browser/browser.go22 symbols
log/logger.go21 symbols
crypto/crypto_test.go21 symbols
browser/chromium/chromium.go20 symbols
crypto/asn1pbe.go19 symbols
output/output_test.go18 symbols
browser/firefox/firefox_test.go18 symbols
log/logger_test.go17 symbols
browser/firefox/firefox.go16 symbols

Dependencies from manifests, versioned

github.com/davecgh/go-spewv1.1.1 · 1×
github.com/dustin/go-humanizev1.0.1 · 1×
github.com/godbus/dbus/v5v5.2.2 · 1×
github.com/golang/snappyv0.0.0-2018051805450 · 1×
github.com/hashicorp/golang-lru/v2v2.0.7 · 1×
github.com/inconshreveable/mousetrapv1.1.0 · 1×
github.com/mattn/go-isattyv0.0.20 · 1×
github.com/moond4rk/binarycookiesv1.0.3 · 1×
github.com/moond4rk/keychainbreakerv0.2.5 · 1×
github.com/moond4rk/plistv1.2.2 · 1×
github.com/ncruces/go-strftimev0.1.9 · 1×

For agents

$ claude mcp add HackBrowserData \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact