Retrieving stored passwords in web browsers like Mozilla Firefox and Google Chrome is a part of the post-exploitation methodology. Attackers having backdoor access to a compromised computer can easily dump and decrypt stored credentials in web browsers.
Dumping Stored Mozilla Firefox PasswordsMozilla Firefox built-in password manager stores encrypted credentials in "logins.json". Credentials are stored in logins.json are encrypted with a key that is stored in the "key4.db" file. Both of these files are located in a certain Windows directory.
%LocalAppData%\Mozilla\Firefox\Profiles\randomString.Default\logins.jsonThere's an MSF module which we'll use to dump Firefox stored passwords on a compromised computer.
[+] Downloaded cert9.db: /root/.msf4/loot/20200927050238_default_10.10.78.147_ff.ljfn812a.cert_254315.bin [+] Downloaded cookies.sqlite: /root/.msf4/loot/20200927050241_default_10.10.78.147_ff.ljfn812a.cook_800633.bin [+] Downloaded key4.db: /root/.msf4/loot/20200927050253_default_10.10.78.147_ff.ljfn812a.key4_784345.bin [+] Downloaded logins.json: /root/.msf4/loot/20200927050257_default_10.10.78.147_ff.ljfn812a.logi_176246.bin
This module has downloaded 4 files for us but you can do it download them manually.
These files have been renamed to .bin just rename them to their original extension.
As you know the credentials are encrypted so now we have to decrypt it.
Decrypting Stored Passwords in Mozilla Firefox
Download firefox_decrypt to your local machine and run the script.
git clone https://github.com/unode/firefox_decrypt.git
There’s a manual on the GitHub repo you can follow. let’s decrypt our credential.
python firefox_decrypt.py /root/.msf4/loot
And there you go!
Dumping Stored Google Chrome PasswordsGoogle Chrome utilizes a Windows function called CryptProtectData which is used to encrypt passwords that are stored on a computer with the randomly generated keys. The database can be found in the below directory.
%LocalAppData%\Google\Chrome\User Data\Default\Login DataThere's a Metasploit module available to dump stored credentials from the chrome browser.
Decrypting Stored Passwords in Google Chrome
When using the Metasploit module to retrieve credentials it will dump .txt files containing passwords that will contain a “Decrypted Data” column to display decrypted passwords found in the chrome browser.