Steal Firefox Passwords from Windows & Linux

S12 - H4CK
Jun 10, 2024


Introduction

Welcome to this new article. Today I am going to show you how to steal Firefox user profile credentials.
This type of attack is common in CTFs and is really useful, and there are several options for automating the whole process.
Basically, all you need is a machine with a saved Firefox profile that contains two files:

  • key4.db
  • logins.json

If you have these files you can crack the Firefox profile passwords.


Laboratory

Exploitation

Linux

In Linux environments, if you want to discover Firefox passwords, go to the user's home folder and run the command ls -a.

If you see a hidden folder called .mozilla, go into it; its presence means that, if everything works well, the machine is vulnerable.
Once you have located the folder, I recommend using python3 -m http.server and a wget from your local machine to transfer the entire folder, so you can work offline on your own machine.

The transfer is finished, and now I can see this folder:

At this point you have to look for a folder with a very strange name; the stranger it is, the more likely it is to be the folder you are looking for. In this case it is bzo7sjt1.default.

As you can see in the screenshot we have the two files we need to complete this attack, the first file is key4.db and the other is logins.json.
Once we have reached this point it is time to try to decrypt the passwords stored in the logins.json file.

Now it is time to clone the repository:

git clone https://github.com/unode/firefox_decrypt

Then run the script and try to decrypt the passwords from the Firefox profile.

python3 firefox_decrypt.py /home/salsa/htb/chaos/10.10.10.120:8080

At this point the script asks for a password. In this case it was the same as the user’s password, but it is possible to brute-force it.
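Seen from the defender's side, the same two files can be inventoried before someone else copies them. The script below is an added example, not code from this article or from the firefox_decrypt project: it walks a directory tree, reports every folder holding both key4.db and logins.json, counts saved logins without reading the encrypted values, and flags files readable by group or other. The "logins" key, the POSIX mode check and the sample tree are assumptions and constructed data.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

REQUIRED = ("key4.db", "logins.json")  # the two files the article names


def audit_profiles(root):
    """Return one finding per directory under `root` holding both files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not all(name in files for name in REQUIRED):
            continue
        profile = Path(dirpath)
        # Count saved entries only; never read or print the encrypted values.
        try:
            data = json.loads((profile / "logins.json").read_text(encoding="utf-8"))
            saved = len(data.get("logins", []))  # assumed top-level key
        except (OSError, ValueError, AttributeError):
            saved = None  # unreadable or malformed logins.json
        # POSIX mode bits only (Windows ACLs are not covered by this check).
        loose = [
            name for name in REQUIRED
            if stat.S_IMODE((profile / name).stat().st_mode) & (stat.S_IRGRP | stat.S_IROTH)
        ]
        findings.append({"profile": str(profile), "saved_logins": saved, "loose_files": loose})
    return findings


def build_sample_tree(base):
    """Constructed sample data: one exposed profile, one locked-down profile."""
    for name, mode, count in (("aaaa1111.default", 0o644, 2), ("bbbb2222.default-release", 0o600, 0)):
        prof = Path(base) / ".mozilla" / "firefox" / name
        prof.mkdir(parents=True)
        (prof / "key4.db").write_bytes(b"constructed placeholder, not a real database")
        logins = {"logins": [{"hostname": f"https://example{i}.test"} for i in range(count)]}
        (prof / "logins.json").write_text(json.dumps(logins), encoding="utf-8")
        for f in REQUIRED:
            os.chmod(prof / f, mode)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_profiles(build_sample_tree(tmp)):
            print(finding)
```

A profile that shows up with saved logins and loose permissions is the case this article relies on; tightening the file modes and setting a Primary Password are the corresponding fixes.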

Windows

In this case, to find the directory that interests us, go to the user's personal folder, look for a folder called AppData, then Roaming, and there look for a directory called Mozilla, then Firefox, then Profiles. Here, the same as before, look for the strangest name.

Example Path:

The two files we are interested in are the same as before, and they are both on the machine. PERFECT!

git clone https://github.com/lclevy/firepwd

You need to download or transfer the two necessary files to your local machine. In this case I have an Evil-WinRM shell, so I can use the download command.

Now it’s important to put the two files in the same directory as the firepwd script.

Now you only need to run the tool, and the passwords are cracked automatically, without a password or anything.

python3 firepwd.py

CRACKED!!

Conclusions

Finally, this is the end of today’s article. I hope you liked it, and be careful where you use this hehe…


Thanks for reading :)

S12.
