Alright I figured it out and said I would post an answer.
The reason that the passwords showed up like they did is because they are encrypted with a pbkdf2 key that is stored in a specific keychain location (usually having the name 'Chrome' in it). To find this key you can execute the command security find-generic-password -wa 'Chrome' as an administrator and it should pull the key for you.
Once you have the key, in order to decrypt the you would need to;
- Generate the IV (
python -c 'import sys;sys.stdout.write("20" * 16)'
- Get the salt (110% chance it's
saltysalt)
- Encrypt the found key using
pbkdf2_hmac grabbing the first 16 characters and hexlify the encrypted key (python -c 'import binascii;import hashlib;key=hashlib.pbkdf2_hmac("sha1","<KEY>",b"saltysalt",1003)[:16];print binascii.hexlify(key))
- Base64 encode the encrypted password and remove the first three characters (
python -c 'import base64;print base64.b64encode("ENCRYPTED_PASSWORD")[3:]')
- Decrypt the encryption with the following command:
openssl enc -base64 -d -aes-128-cbc -v <IV> '<HEX KEY>' -K '<BASE64 ENCODED PASSWORD>'.
Luckily for you, I created a simple python function to return the same thing:
import base64
import binascii
import subprocess
from hashlib import pbkdf2_hmac
def decrypt(encrypted, key):
iv = ''.join(('20', ) * 16)
key = pbkdf2_hmac('sha1', key, b'saltysalt', 1003)[:16]
hex_key = binascii.hexlify(key)
hex_enc_password = base64.b64encode(encrypted[3:])
try:
decrypted = subprocess.check_output(
"openssl enc -base64 -d "
"-aes-128-cbc -iv '{}' -K {} <<< "
"{} 2>/dev/null".format(iv, hex_key, hex_enc_password),
shell=True)
except subprocess.CalledProcessError:
decrypted = "n/a"
return decrypted
Please note, in order for the to work successfully, you have to have the administrative credentials for the computer you're running this on.
