EvilSelenium is a new project that weaponizes Selenium to abuse Chromium-based browsers. The current features right now are:
- Steal stored credentials (via autofill)
- Steal cookies
- Take screenshots of websites
- Dump Gmail/O365 emails
- Dump WhatsApp messages
- Download & exfiltrate files
- Add SSH keys to GitHub
Or extend the existing functionality to suit your needs (e.g. Download files from the user’s GDrive/OneDrive).
- When this tool is run it will terminate any existing browser processes in order to be able to run with the user’s browser profile which contains the passwords & active sessions.
- I built this tool in about a week & I didn’t run as many tests as I should therefore there may be some bugs.
- Selenium modules are not always stable. Due to the constant changes in websites some modules may occasionally break. I’ll try my best to maintain the existing modules to ensure they work as intended but you’ve been warned.
- Windows 10
- Chrome v97 & v90
/install command will download the Chrome Driver and Selenium WebDriver which are the necessary requirements. EvilSelenium will work on Chrome versions 100-90.
By default EvilSelenium will try to use Google Chrome’s User Data folder to retrieve data, but other Chromium based browsers are supported as well.
In order to use different Chrome based browsers you should add the
/browserdir following the browser routing in the
%localappdata% directory. Here are examples for a few common browsers (should be added to any CLI command):
- Brave –
- Microsoft Edge –
- Vivaldi –
/enumsavedsites – This will take screenshots of chrome://settings/passwords
/screenshot – Screenshot any website. If the user is authenticated to the website then you get authenticated screenshots :).
IMPORTANT: The credentials module will DELETE COOKIES in order to steal credentials from autofill. Ideally, you should use the credentials module at the end if you want to export cookies.
/autorun – Prebuilt templates for common websites. I’ll continue to add more.
/dynamicid – Provide the login URL along with the username input field’s ID and password field’s ID. This is equivalent to document.getElementById().
/dynamicname – If the fields don’t have IDs, provide the fields’ name values. It will pick the first index of the name values. This is equivalent to document.getElementsByName().value.
/dynamicname2 – Provide the fields’ name values along with their index position. This is equivalent to document.getElementsByName()[x].value where x is the provided position.
/cookies – Dumps cookies from the specified website.
These are additional modules I built to demonstrate what sort of actions you can do with Selenium.
/download – Download a file & specify time to wait for the download. A non-executable file extension should be appended to the file before downloading to avoid Chrome’s Safebrowsing prompt.
/exfil – Uploads a file on filebin.net & specify the time to wait for the upload to complete. Once the upload is completed the file’s download link is written.
/gmail – Fetches emails from mail.google.com if user is authenticated. Max 50 emails.
/outlook – Fetches emails from Outlook if user is authenticated.
/o365 – Fetches emails from O365 Outlook if user is authenticated.
/github – Add your SSH key to Github if user is authenticated.