AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0
9.45k stars, 2.02k forks

New versions of Firefox #491

Closed ghost closed 4 years ago

ghost commented 4 years ago

Firefox has changed the encryption method used to store passwords (see https://github.com/louisabraham/ffpass/issues/49#issuecomment-586023952). This results in a Traceback (when run in verbose mode):

[!] Traceback (most recent call last):
  File "LaZagne/Linux/lazagne/softwares/browsers/mozilla.py", line 164, in get_key
    entry_salt = decoded_a11[0][0][1][0].asOctets()
AttributeError: 'Sequence' object has no attribute 'asOctets'

Perhaps this project is of interest, as it successfully recovers passwords from newer versions of Firefox.

hackw0rld commented 4 years ago

> Firefox has changed the encryption method used to store passwords (see louisabraham/ffpass#49 (comment)). This results in a Traceback (when run in verbose mode):
>
> [!] Traceback (most recent call last):
>   File "LaZagne/Linux/lazagne/softwares/browsers/mozilla.py", line 164, in get_key
>     entry_salt = decoded_a11[0][0][1][0].asOctets()
> AttributeError: 'Sequence' object has no attribute 'asOctets'
>
> Perhaps this project is of interest, as it successfully recovers passwords from newer versions of Firefox.

The project you've linked is using internal functions, which is not a good idea because it depends on the architecture (x86, x64). I did some investigation and found that the asn1 structure has changed a bit. I haven't found out what they've changed in the source code yet, but I can provide an example of the new asn1 structure.

Old: SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.12.5.1.3 SEQUENCE { OCTETSTRING string INTEGER 01 } } OCTETSTRING string }

New: SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.5.13 SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.5.12 SEQUENCE { OCTETSTRING string INTEGER 01 INTEGER 20 SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.2.9 } } } SEQUENCE { OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 OCTETSTRING string } } } OCTETSTRING string }

Looks like they have changed the structure and encryption in some places. I didn't figure out where the needed data is placed now; it would be great if somebody has dug deeper and could help. As for the object identifiers, some of them are on Google, others can be found in Firefox's source code.

AlessandroZ commented 4 years ago

Thanks for pointing out these changes.

All credit for the firefox module implemented in lazagne goes to Laurent Clévy (@lclevy) for his awesome reverse engineering work: https://github.com/lclevy/firepwd

I will check with him to find a solution.

Papotito123 commented 4 years ago

Hello: I tested the latest git (commit 02f971d, 9 hours ago) with Firefox 75.0 and a new saved login, and it retrieves it well.

Very good.

Thanks.

lclevy commented 4 years ago

Hi, it seems an existing SQLite DB is not converted to AES CBC in FF 75.0. I have to try with a new DB.

Papotito123 commented 4 years ago

Hello @lclevy, as I remember, I updated to FF 75.0, then ran lazagne latest git (and a few other tools) and grabbed this old saved password. Then I deleted that old login and saved a new password (a new URL). lazagne (and a few other tools) grabs the new login well.

hackw0rld commented 4 years ago

> Hello @lclevy, as I remember, I updated to FF 75.0, then ran lazagne latest git (and a few other tools) and grabbed this old saved password. Then I deleted that old login and saved a new password (a new URL). lazagne (and a few other tools) grabs the new login well.

> Hi, it seems an existing SQLite DB is not converted to AES CBC in FF 75.0. I have to try with a new DB.

It will work if you updated. In order to break it you must either delete key4.db or install a new Firefox 74.0+. They aren't changing it after an update.

lclevy commented 4 years ago

Hi @hackw0rld, I confirm PBKDF2 and AES 256 CBC are used on a new database, not on updated ones. Still missing some details to solve it: the number of iterations and the IV going from 14 to 16 bytes.

Papotito123 commented 4 years ago

Hello: Just to share my experience. I was curious about you saying it will work only for updated FF, so I did my own test.

VBOX Win 10 1809 x64. Firefox 75.0 x32 first time installation.

I saved a login and lazagne gives 1 error but repeats it too many times: Papotito123_lazagne latest+Firefox 75.0 output.txt

I tested nirsoft's tools and all failed to retrieve the FF login.

But Advanced Identity Protector (Systweak) recovered the Firefox 75.0 x32 login well. There are mixed opinions about this company and this tool, so be careful. But I'm just sharing that this tool can recover Firefox 75.0 saved logins.

Thanks.

Papotito123 commented 4 years ago

Hello: This is not so pertinent to this issue, but I think there's some info and ideas about approaching Firefox passwords.

https://medium.com/@jakeflint/chaos-hackthebox-aecc6487e244

Just read it; I think it can be of some help.

hackw0rld commented 4 years ago

> Hello: Just to share my experience. I was curious about you saying it will work only for updated FF, so I did my own test.
>
> VBOX Win 10 1809 x64. Firefox 75.0 x32 first time installation.
>
> I saved a login and lazagne gives 1 error but repeats it too many times: Papotito123_lazagne latest+Firefox 75.0 output.txt
>
> I tested nirsoft's tools and all failed to retrieve the FF login.
>
> But Advanced Identity Protector (Systweak) recovered the Firefox 75.0 x32 login well. There are mixed opinions about this company and this tool, so be careful. But I'm just sharing that this tool can recover Firefox 75.0 saved logins.
>
> Thanks.

Any tool which uses the NSS libraries to decrypt, instead of dissecting key4.db and extracting the key, works well after the update. Nothing changed for these applications.

Papotito123 commented 4 years ago

Hello:

https://fossies.org/linux/firefox/security/nss/cmd/sdrtest/sdrtest.c

Papotito123 commented 4 years ago

Hello:

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt

lclevy commented 4 years ago

solved : https://twitter.com/lorenzo2472/status/1251117187105984512?s=20

AlessandroZ commented 4 years ago

Thanks a lot @lclevy, you're doing amazing work. Love your reverse engineering skills ;)

I will add it to lazagne soon.

Really nice work ! :+1:

Papotito123 commented 4 years ago

Hello @AlessandroZ, I'm testing @lclevy's firepwd but I am facing an error with the Firefox 75 profiles (1 updated installation and 1 first-time installation): neither has a key3.db file, only key4.db, which gives an error like this: sqlite3.OperationalError: no such table: moz_logins

I posted the issue in @lclevy's firepwd git. I will post when there is new info.

Thanks.

Papotito123 commented 4 years ago

Hello: I did some trial and error with @lclevy's firepwd.py and also made some changes to the script.

I posted it in @lclevy's "sqlite3.OperationalError: no such table: moz_logins #14". I hope these mods are real (they worked for me) and the dev could take time to test them.

Thanks.

Papotito123 commented 4 years ago

Hello: I tested @lclevy's firepwd and it works very well grabbing firefox logins. I also brought to the dev's attention that when the logins.json file exists but is empty (nothing inside), there's an error. In my experience this is due to never having saved a password while firefox is updated, so it creates an empty logins.json file.

Thanks.

lclevy commented 4 years ago

Hi, fixed, thanks for reporting. Laurent

Papotito123 commented 4 years ago

Hello: Tested @lclevy's firepwd latest git with the fix for an empty logins.json, and it works very well grabbing firefox logins.

Thanks

AlessandroZ commented 4 years ago

It has been integrated now. Thanks again @lclevy for your great work.