SecurityXploded by Nagareshwar Talekar

HOME TOOLS ARTICLES RESEARCH DOWNLOAD BLOG ABOUT

Book of the Month

Recommended book for anyone seriously willing to pursue his career as Pentester. Book of the month list.

Latest Stuff

Released SpyDLLRemover v3.2

New research article on 'Exposing Secret of Decrypting Network Passwords'

Released the new tool NetworkPasswordDecryptor

Updated article on Rainbow Password Cracking

ProcNetMonitor 2.5 released

Top Tools

FirePasswordViewer

SpyDLLRemover

ChromePasswordDecryptor

FirePassword

GooglePasswordDecryptor

FireMaster

BHORemover

IEPasswordDecryptor

ProcNetMonitor

VistaUACMaker

About FirePassword

FirePassword is the console tool designed to decrypt the username and password list from Firefox sign-on database. Firefox records the login details such as username and password for every website authorized by the user and stores them in the sign-on database file in encrypted format.

FirePassword tool can decrypt and display these secrets on the same lines as the Firefox built-in password manager. The main advantage of FirePassword is that it does not require Firefox to be running. This is very useful in recovering the sign-on details when Firefox fails to function properly. Also FirePassword can be used to display sign-on secrets from different profile (other than current profile) as well as from the different operating system (such as Linux, Mac etc) altogether. This greatly helps forensic investigators who can copy the relevant files from the target system to test machine and view the credentials offline without affecting the target environment.

New version of FirePassword comes with support for latest operating system Windows 7.

About Firefox Password Manager

Firefox has a built-in password manager tool which stores username and passwords for all the visited websites. These credentials are stored in the encrypted form in the Firefox profile's database files such as key3.db and signons.txt.

The key3.db file contains master password related information such as encrypted password check string, salt, algorithm and version information etc.

Signons.txt file contains the actual sign-on information

Reject Host list : List of websites for which user don't want Firefox to remember the credentials.
Normal Host List : Each host URL is followed by username and password.

Internals of FirePassword

Firefox till version 3.5 stores the sign-on secrets in signons.txt file located in the Firefox profile directory. With version 3.5 onwards Firefox started storing the sign-on secrets in Sqlite database file named 'signons.sqlite'. The structure of sign-on information stored in the signons.txt file (signons2.txt for version 2 and signons3.txt for version 3) and signons.sqlite for version 3.5 onwards is described below...

For Firefox < version 2.0

First comes the sign-on file header which is always "#2c"
Next comes the reject host list in clear text, one per line and terminated with full stop.
After that normal host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - .(full stop)

For Firefox version 2.0

First comes the sign-on file header which is always "#2d"
Next comes the reject host list in clear text, one per line and ends with full stop.
After that normal host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - Subdomain URL
  - .(full stop)

For Firefox version 3.0 and below 3.5

First comes the sign-on file header which is always "#2e"
Next comes the excluded host list in clear text, one per line and ends with full stop.
After that saved host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - Subdomain URL
  - --- (Dashed line denoting the end of host entry)
  - .(full stop)

For Firefox version 3.5 and above

The new signons.sqlite database file has two tables moz_disabledHosts and moz_logins. The moz_disabledHosts table contains list of excluded websites which are exempted from storing passwords by user. The moz_logins table contains all the saved website passwords. Here is more detailed description of each tables...

table - moz_disabledHosts
- id - index of each entry
- hostname - blacklisted website URL

table - moz_logins
- id - index of each entry
- hostname - base website URL
- httpRealm -
- formSubmitURL - Actual website URL for which secrets are saved.
- usernameField - name of username element of form field
- passwordField - name of password element of form field
- encryptedUsername - encrypted username
- encryptedPassword - encrypted password
- guid - unique GUID for each entry
- encType - value 1 indicates encrypted

Here each Host entry can have multiple username/password pairs. Starting from Firefox version 2.0, sub domain URL is also included along with username/password entry. If it is the password field then it begins with '*'. This is the key in distinguishing between username and password entry.

Now once the username and password values are extracted, next task is to decrypt them. Information required to decrypt these values is stored in key3.db file. If the master password is set, then you must provide the master password to proceed with decryption. If you have forgotten the master password, then you can use Firemaster tool to recover the master password. If the master password is set and if you have not provided it, then FirePassword will prompt you to enter the master password.

Using FirePassword

Here is the general usage information

FirePassword.exe [-m "master password" ] <Firefox_Profile_Directory>

Options:
-m specify the master password

FirePassword is the console tool, hence it must be run from the cmd prompt. Type the FirePassword.exe by specifying master password and Firefox profile path. If the master password is not set for that profile then there is no need to specify it. Also if the 'profile path' is not entered then it will automatically use the current profile directory.

One can also copy the Firefox profile files from different operating system such as Linux, Mac to the Windows system locally and then specify this folder path with the FirePassword.

FirePassword in Action

Testing FirePassword

FirePassword is successfully tested with Firefox version 1.0 to latest version 3.5 and should work with any Firefox greater than version 1.0

If you encounter any problem with FirePassword, then please drop a mail to me mentioning your Firefox version and any other details which will help in fixing the problem.

Disclaimer

FirePassword is designed for good purpose to help users to recover and view their sign-on secrets. Like any tool its use either good or bad, depends upon the user who uses it. However author is not responsible for damage caused due to misuse of this tool.

Acknowledgement

Thanks to the Mozilla-Firefox crew for making such an excellent and beautiful browser.
Thanks to Stefano for informing and providing code to make the FirePassword to support Firefox version 2.0

History

Version 3.5 : 27th Dec 2009

Support for Windows 7. The errors messages are now shown in RED color so that they are clearly seen.

Version 3.1 : 21st Aug 2009

Support for recovering the passwords from Sqlite signon database file used by latest Firefox version 3.5.

Version 2.6 : 9th Jan 2009

Fixed the application data folder problem with Vista.
Also it contains some of the security related changes.

Version 2.5 : 18th June 2008

Support for Firefox version 3.0 with its new signon file format.

Other enhancements related to user friendliness and clear display.

Version 2.0 : 3rd March 2007

Support for Firefox version 2.0. New signon format is explained below.