HTTP Cookie (also called web cookieInternet cookiebrowser cookie, or simply cookie) is a simple data sent by website to the user browser. Whenever we visit any website, HTTP Cookies are sent by the website to our browser and stored in it. These cookies are required to maintain state information of the user and to track user activities (what we like on internet, which product we shop and other things). According to researcher of International Institute of Cyber Security, if a hacker is able to steal your website cookies, he can take complete control of your session.

So today we will talk about a tool called Hmmcookies that can be used to collect cookies from the victim’s machine by simply sending a shortcut file to victim. We can use this tool to collect the cookies from different browsers like Google Chrome, Firefox, and Opera. This tool bypasses the UAC and collects all the data within few minutes and sends back to the hacker’s machine using port forwarding techniques.


  • OS: Ubuntu 2020 64 bit.
  • Kernel version: 5.4.0

Installation steps

root@iicybersecurity-VirtualBox:/home/iicybersecurity# git clone
Cloning into 'hmmcookies'...
remote: Enumerating objects: 41, done.
remote: Counting objects: 100% (41/41), done.
remote: Compressing objects: 100% (40/40), done.
remote: Total 41 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (41/41), 31.57 KiB | 214.00 KiB/s, done.
  • Use the cd command to enter into hmmcookies directory.
root@iicybersecurity-VirtualBox:/home/iicybersecurity# cd hmmcookies/
  • Now, use this command to launch the tool  bash
HmmCookies - Tool Launch
HmmCookies – Tool Launch
  • Successfully we launched the tool.
  • Here, we have to port forwarding techniques Ngrok and Custom.
  • Choose the required option.
HmmCookies - Malicious Link
HmmCookies – Malicious Link
  • Here, we selected the Ngrok server.
  • Ngrok server is a traffic collector tool. It is like a reverse proxy. We can use this tool for the communication of our localhost machine and the public internet. Hackers use Ngrok server for capturing the victim’s details.
  • Here we can set the payload name or leave the default.
  • Here, this tool starts downloading the Ngrok server and starts both Ngrok and PHP server with the port number.
  • This tool built two shortcut files.
    • Hmmcookies.lnk: In this file, Tool inserts malicious code.
    • In this file, we can see the PowerShell file which has malicious code inserted in it.
  • Then it displays a malicious link.
  • Now, send this link to the victim using social engineering.
  • If victims open the file on his windows machine, automatically it downloads a zip file.
HmmCookies - Zip File
HmmCookies – Zip File
  • If the victim extracts the zip file, there he can find the Hmmcookies PowerShell file.
HmmCookies - Hmmcookies PowerShell
HmmCookies – Hmmcookies PowerShell
  • If the victim executes the PowerShell file, it extracts all the browser cookies and saves with browser name on hacker machine.
  • Here, hmmcookies tool successfully extracted the cookies and it identifies the victim’s IP, Operating system with the browser.
  • We can also see the Logs on the hacker’s machine.
HmmCookies - Logs
HmmCookies – Logs
  • Directly we can’t open this file because Cookies will be in SQLite format. To view the content use the DB Browser for SQLite.
  • Go to the cookies file path, and open the cookie’s file, there we can view the content.
  • Use this command to install the DB browser, sudo apt-get install sqlitebrowser.
  • Here, we got chrome cookies.
HmmCookies - Chrome Cookies
HmmCookies – Chrome Cookies
  • Here, we got Opera cookies.
HmmCookies - Opera Cookies
HmmCookies – Opera Cookies
  • Here, we got FireFox cookies.
HmmCookies - FireFox Cookies
HmmCookies – FireFox Cookies
  • Successfully we got the cookies from the victim’s browser.


So we saw, how a simple shortcut file can extract the cookies from the victim’s browser by using HmmCookies tool. User should be always caution while downloading any file from internet.