Data Security, Identity

Recovering Firefox Passwords for World Domination

To quote Carlos “dark0perator” Perez, “shell is just the beginning”. Now that we have access to a machine, we can gather all sorts of goodies, we just need to know where to look.
Firefox.jpg Some of my favorite local system information gathering techniques include grabbing Firefox stored passwords. Prior to version 3.5, (for version 3) the list of sites and associated passwords were stored in signons3.txt. If a master password is set you also need the file “key3.db” as it will allow you to unlock the password store. For Firefox versions 3.5 or better, you need to acquire the file “signons.sqlite”. For a detailed description of the contents and format of each of these files, check out the FirePassword page.
But why recover these usernames and passwords? How many people do you know let their browser store passwords for them? Personally, I know a lot. Users store passwords for just about everything; personal sites, banking and corporate resources.
Yes, corporate resources. If you have credentials to these resources, this may open up a whole new world to your testing. Imagine that you now have credentials to web based management utilities allowing access to a million credit card numbers (or something as equally juicy such as social security numbers).
So how do we do it? Ok, first grab the signons3.txt and key3.db files (or signins.sqlite for Firefox 3.5) and get them to a system where you can work with them. I’m finding that a windows system is best, given the tools available. I’m using Windows 7 in a VM, with firefox installed. Many of the tools like to look for the default Firefox profile directory, so I often copy the files there – I’m not concerned about the install of firefox in this VM.
The Firefox browser itself can be used to view the passwords in the password store. Firefox 3.5 uses a different format for storing passwords; they now store them in a sqllite database. If we copy over the files (signons3.txt and key3.db) to the default firefox profile (C:Documents and Settings[user]Application DataMozillaProfiles[random].profle in many cases) run Firefox, and go to Tools -> Options -> Security -> Saved Passwords -> Show Passwords we can see them in plain text. Neat, now we have the URL, username and password! But wait, you mean now we are being asked for a master password? Well, we need to provide one in order to view the passwords!
We can use FireMaster to obtain the master password. FireMaster is a Windows-based master password brute force tool, and operates against key3.db and signons3.txt. It will do all of the typical brute force attacks; dictionary, hybrid, and bruteforce. It is a fairly simple tool to use, but here are a few examples. In these examples, Firemaster is in the same directory as key3.db and signons3.txt so my profile path is set as “.” at the end of the command:
[Update: During the writing of this segment, I noted that the author updated FireMaster so automatically detect the version of Firefox based on the storing of the information in signons3.txt or the sqlite method! We can now use this tool to get the goods from Firefox 3.5 as well.]
Below is an example of a dictionary attack:

FireMaster.exe -d -f wordlist.txt .

Note that you need to be careful with your wordlist. I used a copy of the all inclusive free version from which I had to convert LF to CRLF. I also had to remove words with spaces and non US character sets. If I didn’t I got a nasty crash from FireMaster. Can you say potential buffer overflow anyone?
Below is an example of a hybrid attack:

Firemaster.exe -h -f wordlist.txt -n 3 -g "0123456789" -s -p .

Again, same wordlist issues. With the hybrid, it will append (-s) and prepend (-p) the number of characters (-n 3) as defines by the defined character set (-g). The larger your number of characters and character sets the more time you will need.
Below is an example of a brute force attack:

FireMaster.exe -b -l 10 .

This one will set the max password length to 10 characters (-l), so adjust to you needs. It also uses the default character set of “abcdefghijklmnopqrstuvwxyz*@#!$123” which you may also need to tailor with the -g option. On my machine this would take over 300,000 days to complete at about 120,000 guesses a second. On a high end, non-virtual system the guessing jumped up to about 250,000 guesses a second for about 160,000 days to completion.
My vote is for a good dictionary. We covered scraping websites for making custom wordlists in Episode 129 of the podcast.
I’ve also had some good luck with Firefox Password recovery from Granted, it wasn’t free, but the $18 was something I could afford for expenses on an engagement. It won’t crack or bypass the master password, but may be a little more safe than a machine running an old version of Firefox. Just another option. It hasn’t been updated for Firefox versions 3.5 or better signons.sqlite yet.
So, want a free solution? The author of FireMaster has a command line FirePass and GUI FirePasswordViewer tool to do the same, with Firefox 3.5 support! Start recovering and use the results responsibly (and with permission)!
– Larry “haxorthamtrix” Pesce

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.