poltrus.blogg.se

Imessage db browser for sqlite

Extracting sensitive information from Mozilla apps.

Reading data from Mozilla apps such as Thunderbird and Firefox has never been much of a challenge during engagements. Like many Windows applications, they both use SQLite databases to store their information – and unlike other “similar” products e.g. Google Chrome, these databases aren’t encrypted and can easily be read once they’ve been exfiltrated from a target system.

Still, sifting through these DBs can be pretty annoying once you’ve extracted them since you’ll either have to import them into a Thunderbird/Firefox installation on a system you control or manually execute SQL queries on the files using DB browser or a similar program. I figured I’d take a look at finding a convenient way to retrieve useful data from both of these products directly from a target system without having to exfiltrate the numerous SQLite databases they use for storage.

Mozilla files

By default, you’ll find Thunderbird and Firefox user profiles located here:

    # Thunderbird
    C:\Users\USER\AppData\Roaming\Thunderbird\Profiles\
    # Firefox
    C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\

They both use numerous files to store data, but the juicy stuff can all be found here:

  - global-messages-db.sqlite – An index of all a user’s messages created by Thunderbird.
  - places.sqlite – Stores user’s browser history.
  - cookies.sqlite – Stores user’s browser cookies.
  - key4.db – NSS key database used to store Mozilla encryption data.
  - logins.json – Stores encrypted passwords and requires matching key4.db file to decrypt.

ThunderFox

I was looking into both Thunderbird and Firefox at the same time and rather than create 2 separate projects for each product, I figured it would be easier to just combine them into a single tool and separate the functionality across a few commands.

I write shitty code; I would never have figured out a decent way to structure a project like this on my own. Fortunately, harmj0y churns out lots of great and easy to read code so I decided to design this entire project around SharpChrome. I also borrowed a lot of helpful code from djhohnstein’s SharpWeb project. Hat-tip to the both of them 🙂

csv list of all the contacts/emails the user has interacted with using Thunderbird.

Retrieves a detailed list (.csv/table format) of all emails in Thunderbird. Can be used with the /search argument to filter results based on regex found in each email’s body. NOTE: Thunderbird doesn’t store attachments as individual files on the system unless a user manually saves them in a separate location, so all ThunderFox can do is get the attachment file names for you.

Used with the /id argument to read any email saved in Thunderbird. Email IDs can be extracted using the listmail command above.

csv list of the target user’s browser history sorted by total number of visits per site.

The json output format can be imported into a separate attacker controlled browser using the Cookie Quick Manager Firefox add-on. The /url argument can be used to only return cookies from websites matching user supplied regex.

Mozilla’s products tend to store user saved credentials using the same encryption methods, so solving it for one application means you can pretty much use the same technique to decrypt credentials from a separate product. They rotate the encryption techniques periodically – I’m not sure how often, but it’s something worth noting.





