Web Browsers

MITRE ATT&CK™ Credentials from Password Stores: Credentials from Web Browsers - Technique T1555.003

Theory

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Practice

Firefox

On UNIX-type systems, stored credentials are kept in firefox profile folders such as :

/home/<Username>/.mozilla/firefox/xxxx.default

We may download the entire ~/.mozilla/firefox folder to our attacking machine and use to decrypt passwords.

python3 firefox_decrypt.py <Victime_ProfileFolder>

On Windows, stored credentials are kept in firefox profile folders such as :

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default

Firepwd

We may download the entire Profiles folder to our attacking machine and use to decrypt passwords.

# Decrypt
python firepwd.py -d <Victime_ProfileFolder>

# Provide user's password (if secrests are encrypted using DPAPI)
python firepwd.py -d <Victime_ProfileFolder> -p <Password>

LaZagne

The (Python) project is a go-to reference from browser credentials dumping (among other awesome dumping features).

PS> laZagne.exe browsers [-password P@ssword!]

LaZagneForensic

Alternatively, the (Python) project can be used to decrypt passwords from a linux hosst, using a mounted file system (/tmp/disk).

python laZagneForensic.py browsers -local /tmp/disk -password 'Password'

Google Chrome

On UNIX-type systems, stored credentials are kept in Google Chrome profile folders such as :

/home/<Username>/.config/google-chrome/default

We may download the entire Default folder to our attacking machine and use to decrypt passwords. Not that the default script profile folder path should be edited.

python chrome.py

On Windows, stored credentials are kept in Google Chrome profile folders such as :

C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default

LaZagne

The (Python) project is a go-to reference from browser credentials dumping (among other awesome dumping features).

PS> laZagne.exe browsers -password P@ssword!

Decrypt-Chrome-Passwords

We may use to decrypt passwords.

PS> python decrypt_chrome_password.py

Chrome-Decrypter

can also be used as follows.

PS> .\chrome_decrypt.exe

LaZagneForensic

Alternatively, the (Python) project can be used to decrypt passwords from a linux hosst, using a mounted file system (/tmp/disk).

python laZagneForensic.py browsers -local /tmp/disk -password 'Password'

Last updated 4 months ago

Was this helpful?

Theory

Practice

Firefox

On UNIX-type systems, stored credentials are kept in firefox profile folders such as :

/home/<Username>/.mozilla/firefox/xxxx.default

We may download the entire ~/.mozilla/firefox folder to our attacking machine and use to decrypt passwords.

python3 firefox_decrypt.py <Victime_ProfileFolder>

On Windows, stored credentials are kept in firefox profile folders such as :

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default

Firepwd

We may download the entire Profiles folder to our attacking machine and use to decrypt passwords.

# Decrypt
python firepwd.py -d <Victime_ProfileFolder>

# Provide user's password (if secrests are encrypted using DPAPI)
python firepwd.py -d <Victime_ProfileFolder> -p <Password>

LaZagne

The (Python) project is a go-to reference from browser credentials dumping (among other awesome dumping features).

PS> laZagne.exe browsers [-password P@ssword!]

LaZagneForensic

Alternatively, the (Python) project can be used to decrypt passwords from a linux hosst, using a mounted file system (/tmp/disk).

python laZagneForensic.py browsers -local /tmp/disk -password 'Password'

Google Chrome

On UNIX-type systems, stored credentials are kept in Google Chrome profile folders such as :

/home/<Username>/.config/google-chrome/default

We may download the entire Default folder to our attacking machine and use to decrypt passwords. Not that the default script profile folder path should be edited.

python chrome.py

On Windows, stored credentials are kept in Google Chrome profile folders such as :

C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default

LaZagne

The (Python) project is a go-to reference from browser credentials dumping (among other awesome dumping features).

PS> laZagne.exe browsers -password P@ssword!

Decrypt-Chrome-Passwords

We may use to decrypt passwords.

PS> python decrypt_chrome_password.py

Chrome-Decrypter

can also be used as follows.

PS> .\chrome_decrypt.exe

LaZagneForensic

Alternatively, the (Python) project can be used to decrypt passwords from a linux hosst, using a mounted file system (/tmp/disk).

python laZagneForensic.py browsers -local /tmp/disk -password 'Password'