SecurityXploded by Nagareshwar Talekar

HOME TOOLS ARTICLES RESEARCH DOWNLOAD BLOG ABOUT

Book of the Month

Written by the experts this book is highly recommended for any one involved in the web security. Book of the month list.

Latest Stuff

Updated IEPasswordDecryptor

ChromePasswordDecryptor 1.6 with enhanced interface

Published article on remote thread execution using NtCreateThreadEx

NetworkPasswordDecryptor updated to fix Win7 problem

Article on retrieving windows default password

Top Tools

FirePasswordViewer

SpyDLLRemover

ChromePasswordDecryptor

GooglePasswordDecryptor

FirePassword

FireMaster

BHORemover

IEPasswordDecryptor

ProcNetMonitor

VistaUACMaker

About FirePasswordViewer

FirePasswordViewer is the GUI version of popular FirePassword tool designed to decrypt sign-on secrets stored by Firefox. Firefox records the login details such as username and password for every website authorized by the user and stores them in the sign-on database file in encrypted format.

FirePasswordViewer tool can decrypt and display these secrets on the same lines as the Firefox built-in password manager. The main advantage of FirePasswordViewer is that it does not require Firefox to be running. This is very useful in recovering the sign-on details when Firefox fails to function properly. Also FirePasswordViewer can be used to display sign-on secrets from different profile (other than current profile) as well as from the different operating system (such as Linux, Mac etc) altogether. This greatly helps forensic investigators who can copy the relevant files from the target system to test machine and view the credentials offline without affecting the target environment. The displayed sign-on information can then be saved to a file in standard HTML format which can be used as valuable and quick offline reference.

Newer version comes with support for Windows 7 platform and improved user interface with new win7 banner & icons for buttons.

About Firefox Password Manager

Firefox has a built-in password manager tool which stores username and passwords for all the visited websites. These credentials are stored in the encrypted form in the Firefox profile's database files such as key3.db and signons.txt.

The key3.db file contains master password related information such as encrypted password check string, salt, algorithm and version information etc.

Signons.txt file contains the actual sign-on information

Reject Host list : List of websites for which user don't want Firefox to remember the credentials.
Normal Host List : Each host URL is followed by username and password.

Internals of FirePasswordViewer

Firefox till version 3.5 stores the sign-on secrets in signons.txt file located in the Firefox profile directory. With version 3.5 onwards Firefox started storing the sign-on secrets in Sqlite database file named 'signons.sqlite'. The structure of sign-on information stored in the signons.txt file (signons2.txt for version 2 and signons3.txt for version 3) and signons.sqlite for version 3.5 onwards is described below...

For Firefox < version 2.0

First comes the sign-on file header which is always "#2c"
Next comes the reject host list in clear text, one per line and terminated with full stop.
After that normal host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - .(full stop)

For Firefox version 2.0

First comes the sign-on file header which is always "#2d"
Next comes the reject host list in clear text, one per line and ends with full stop.
After that normal host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - Subdomain URL
  - .(full stop)

For Firefox version 3.0 and below 3.5

First comes the sign-on file header which is always "#2e"
Next comes the excluded host list in clear text, one per line and ends with full stop.
After that saved host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - Subdomain URL
  - --- (Dashed line denoting the end of host entry)
  - .(full stop)

For Firefox version 3.5 and above

The new signons.sqlite database file has two tables moz_disabledHosts and moz_logins. The moz_disabledHosts table contains list of excluded websites which are exempted from storing passwords by user. The moz_logins table contains all the saved website passwords. Here is more detailed description of each tables...

table - moz_disabledHosts
- id - index of each entry
- hostname - blacklisted website URL

table - moz_logins
- id - index of each entry
- hostname - base website URL
- httpRealm -
- formSubmitURL - Actual website URL for which secrets are saved.
- usernameField - name of username element of form field
- passwordField - name of password element of form field
- encryptedUsername - encrypted username
- encryptedPassword - encrypted password
- guid - unique GUID for each entry
- encType - value 1 indicates encrypted

Here each Host entry can have multiple username/password pairs. Starting from Firefox version 2.0, sub domain URL is also included along with username/password entry. If it is the password field then it begins with '*'. This is the key in distinguishing between username and password entry.

Now once the username and password values are extracted, next task is to decrypt them. Information required to decrypt these values is stored in key3.db file. If the master password is set, then you must provide the master password to proceed with decryption. If you have forgotten the master password, then you can use Firemaster tool to recover the master password. If the master password is set and if you have not provided it, then FirePasswordViewer will prompt you to enter the master password.

Using FirePasswordViewer

FirePasswordViewer is the simple, standalone tool which does not require any installation. Here are the simple steps...

1. Launch the FirePasswordViewer. It will automatically detect and fill the current profile directory. Alternatively you can copy the Firefox profile files from other machine and specify that folder path manually.

2. Next enter the master password if it is set for that profile. Otherwise leave it blank.

3. Once you have entered the profile path and master password details, click on the "Show" button to view the sign-on information as shown in the screenshot 1.

4. Finally you can click on "Export" button to save the sign-on details to file in HTML format. This will save it to the specified file and display it using default browser as shown in the screenshot 2.

FirePasswordViewer in Action

Screenshot 1: FirePasswordViewer showing sign-on information for the default profile.

FirepasswordViewer showing the sign-on information

Screenshot 2: Exported sign-on information in HTML format generated by FirePasswordViewer

FirepasswordViewer showing the saved sign-on html file

Testing FirePasswordViewer

FirePasswordViewer is successfully tested with Firefox version 1.0 to latest version 3.5.5 and should work with any Firefox greater than version 1.0

If you encounter any problem with FirePasswordViewer, then please drop a mail to me mentioning your Firefox version and any other details which will help in fixing the problem.

Acknowledgement

Thanks to the Mozilla-Firefox crew for making such an excellent and beautiful browser.

History

Version 1.5 : 2nd Dec 2009

This version comes with support for Windows 7. Also buttons now looks better with icons and new win7 banner.

Version 1.2.2 : 21st Aug 2009

Support for recovering the passwords from Sqlite signon database file used by latest Firefox version 3.5.

Version 1.0.1 : 10th June 2009

First public release of FirePasswordViewer which is the GUI version of popular FirePassword tool.

Download FirePasswordViewer

FirePasswordViewer 1.5

License : Freeware
Platform : Windows XP, 2003, Vista, Win7

Download