Transfer: https://3gstudent.github.io/
- Password save mode
- Introduce the principle of
- Common export tool
- Use ideas
As the browser keeps track of the saved user name and password for the next user to automatically log on.
It includes the following information:
- Website address
- Username
- Password
- Created
- Last modified
- Last used
All records are kept in the same file, the specific location is:
% APPDATA% \ Mozilla \ Firefox \ Profiles \ xxxxxxxx.default \
Note:
xxxxxxxx 8-bit random combination of letters and numbers
Different versions of Firefox keep a record of the file name, the specific differences are as follows:
- Version 32.0 or greater, record-keeping files logins.json
- Version 3.5 or greater, less than 32.0, record file is signons.sqlite
A more detailed explanation can refer to the file:
http://kb.mozillazine.org/Profile_folder_-_Firefox
Different versions of Firefox Download:
http://ftp.mozilla.org/pub/firefox/releases/
Logins.json position location can be achieved by the file cmd command, as follows:
dir %APPDATA%\Mozilla\Firefox\Profiles\*logins.json /s /b
View the contents of logins.json file, as shown below
Where encryptedUsername
and encryptedPassword
is the encrypted content, the decryption key file need (key and iv) for 3DES-CBC decryption and
Different locations in different versions of Firefox key files, the specific differences are as follows:
- Version less than 58.0.2, the key file is key3.db
- Version 58.0.2 or greater, the key file is key4.db
Note:
Version difference key3.db and key4.db derived from https://github.com/lclevy/firepwd/blob/master/firepwd.py#L236
I was in my test system (Win7x64), install the 64-bit Firefox, the test results are different, as follows:
- If Firefox versions lower than 58.0, the key file is key3.db
- If Firefox is a later version, the key file is key4.db
By default, the current user's privileges can view all saved passwords in Firefox browser, in order to improve security, support for Firefox browser add additional protection for saved passwords: Set Master Password
DETAILED position below
After adding Master Password, view saved passwords require additional input Master Password
Decryption process:
- Read the key file (key4.db or key3.db), and iv obtain key
- Read the contents of the log file (logins.json or signons.sqlite) of
- If you do not set the Master Password, use the key to encrypt the content and iv records in the file are 3DES-CBC decryption If Master Password, also need to get clear text Master Password, in order to decrypt
0x03 export tool
1.WebBrowserPassView.exe
download link:
https://www.nirsoft.net/utils/web_browser_password.html
Note:
This version does not support command line operation
The command line version need to download another address:
https://www.nirsoft.net/password_recovery_tools.html
Under the command line using the method:
WebBrowserPassView.exe /LoadPasswordsFirefox 1 /shtml "c:\test\passwords.html"
Result is stored in c:\test\passwords.html
the content as shown below
You can get complete information, including the following categories:
- Website address
- Username
- Password
- Created
- Last modified
- Last used
It does not support the use of Master Password to decrypt
2.firepwd.py
Address: https: //github.com/lclevy/firepwd
Need to install dependencies:
pip install pyasn1 pip install pycrypto
Access to part information, including the following categories:
- Website address
- Username
- Password
Command examples:
firepwd.py -d C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\5a4gs6zh.default-release\
The results shown below
It supports the use of Master Password to decrypt
Note:
In my own testing environment, firepwd.py only support the Master Passwor key3.db decryption, key4.db the Master Passwor decrypt a bug
Command examples:
Use a test file mozilla_db (key3.db), Master Password is MISC*
ordered as follows:
python firepwd.py -p 'MISC*' -d mozilla_db/
Normal, below
My test environment (key4.db), Master Password is 12345678
ordered as follows:
firepwd.py -d C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\5a4gs6zh.default-release\ -p "12345678"
Decryption exist bug, failed password prompt, as shown below
3.Lazagne
address:
https://github.com/AlessandroZ/LaZagne/
Export Firefox browser code from https://github.com/lclevy/firepwd
The results above, below
4.firefox_decrypt.py
Address: https: //github.com/unode/firefox_decrypt
Use NSS (Network Security Services) to decrypt support key3.db and key4.db the Master Password to decrypt
Access to part information, including the following categories:
- Website address
- Username
- Password
Test results as shown below
In 64-bit systems, Python and Firefox versions need to be consistent (with the same 32-bit or 64-bit), otherwise it will promptERROR - Problems opening 'nss3.dll' required for password decryption
5.Firefox browser
Achieved by exporting the profile of the way
Documents required to obtain a log file (logins.json or signons.sqlite) and key file (key4.db or key3.db), stored in the local folderC:\test\data1
-Profile parameter to start using Firefox:
firefox.exe -profile C:\test\data1
Enter the correct Master Password, successfully obtained information saved Firefox browser
0x04 exploit ideas
If you set up Firefox Master Password, use the above tools try to export a password, the result will be displayed as 0 results, so you need to read the log file to confirm the existence of records
Firefox version can be obtained by way of querying the registry, open source before you can reference the code here: https: //github.com/3gstudent/ListInstalledPrograms/blob/master/ListInstalledPrograms.ps1
Different versions of the record corresponding to the file Firefox, specifically the following differences:
- Version 32.0 or greater, record-keeping files logins.json
- Version 3.5 or greater, less than 32.0, record file is signons.sqlite
Command to locate logins.json file is as follows:
dir %APPDATA%\Mozilla\Firefox\Profiles\*logins.json /s /b
Command to locate signons.sqlite file is as follows:
dir %APPDATA%\Mozilla\Firefox\Profiles\*signons.sqlite /s /b
If a record exists, then you can use the tool to try to export
Offline export to note the following issues:
1. Master Password not set
Just need to get a log file (logins.json or signons.sqlite) and key file (key4.db or key3.db)
Use firepwd.py or Firefox browser to import configuration files
2. Set Master Password
(1) only obtained record file (logins.json or signons.sqlite) and key file (key4.db or key3.db,)
Local use the Firefox browser import the configuration file, enter the Master Password
(2) requires a complete profile
Need to include the following files:
- %APPDATA%\Mozilla\Firefox\profiles.ini
- % APPDATA% \ Mozilla \ Firefox \ Profiles \ file xxxxxxxx.default \ in
Use firefox_decrypt.py, command example:
firefox_decrypt.py C:\test\data1
For ordinary users, in order to increase password security, it is recommended to set Master Password
Gangster other two articles:
Penetration skills - save export Chrome browser password
Export saved passwords in Firefox browser by Network Security Services