This time on the show, we’re cracking the code: EXIF Data tools, Windows login hash cracking, Extracting passwords from Firefox and other browsers, what’s in that P-CAP file and special report form Maker Faire 2011. All that and more, this time on Hak5.

Download HD Download MP4 Download WMV

FirePassword

You know how you can store and save all you login credentials in Firefox, Chrome, as well as other browsers? Well, maybe that’s not such a great idea. There are several portable (yes, portable!) tools that can instantly recover login credentials stored by Firefox, Chrome and others. Broswers store your username and password for every website you visit as long as you give them consent in the settings. The credentials are saved by Firefox, Chrome and others in a sign-on database that is securely encrypted. Today I’m focusing on Firefox.

FirePassword, the tool in question today, can instantly decrypt and recover the data even if there’s a master password protecting it.
Not only this, but FirePassword can even recover sign-on passwords for other profiles (on the same system) and info from other OS’s like Linux and Mac. This can obviously be used for malicious intent, or can be used for the greater good of forensic investigators who need to transmit data from the target PC to another machine without disrupting the original target machine.

FirePassword portable works from XP-7, and loads DLLs from the firefox executable location automatically. DLLs aren’t packaged with the tool, and the newest version presents an easy to use color based display so you can clearly view password details.

Lets get started on cracking my Firefox passwords!

To install, follow the on screen instructions from securityxploded.com. They have nice detailed instructions on how to use the program so you shouldn’t have a problem.

Once installed, open your command prompt and change directory to your FirePassword.exe folder, probably in your program files.
Mine is c:\ Program Files (x86)\SecurityXploded\FirePassword\. Once there, type in FirePassword.exe and hit enter. You should see a screen kind of like the one on my monitor.

It will list every website, username, and password you have saved into FireFox.
It’ll also show you any OLD passwords that you never deleted out of the FireFox settings.

If you have a master password set on FireFox, you will need that password to be able to see your other passwords. For example, I will go into the FireFox options, choose Master Password and set it.

Over in my CMD, I’ll type FirePassword.exe -m kerby and click enter. Now it’ll give me my other passwords. If you do this wrong, you’ll get this error code.

You can also copy the Firefox profile files from different operating system such as Linux or Mac to the Windows system locally and then specify that path with FirePassword to recover data from the offline profiles.

It’s pretty surprising how easy this really is for anyone to discover. To protect yourself, do what I do and DON’T save your passwords in FireFox! Make your machine log off every time you close it or leave it idle for more than a minute. Anything, but really, just don’t save your passwords.

It’s also worth mentioning the WebBrowserPassView tool from NirSoft. It’s a password recovery tool for Internet Explorer, Firefox, Chrome and Opera.

Now, if you’ve got another tool for me to check out, email feedback@hak5.org

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

8 Comments

  • britto89 2 years ago

    lol. at about 8.30min in you can see where shannon stuffs up her lines and it was obviously meant to be editted out

  • Jos Angel 2 years ago

    In firefox,
    Clcik “Firefox -> Options -> Security -> Show Passwords -> [select account] -> Show Password -> [confirm it]”
    thats it.. no need for any 3rd party tools like FirePassword…… lol… it also works with other browsers like chrome…

    • Seuros 2 years ago

      If there is a masterpassword you will need that 3rd party application!

      • SoundAdvice 2 years ago

        FirePassword doesn’t show you anything unless you already know the master password. If you’re going to download a third party application, it should be one to crack the master password for Firefox, which FirePassword is not.

        • aznable 2 years ago

          Why not combining FirePassword with a dictionary or bruteforce attack? A quick google shows me that Firefox keeps their passwords in two files: signons.txt and key3.db. So you can easily grab it and try to crack it at home.

  • ElysianPhoenix 2 years ago

    In the event that you need to clear any stored login credentials from a Windows box, type the following in the Run dialog or command line:

    rundll32.exe keymgr.dll,KRShowKeyMgr

    This will display the Stored Username and Passwords dialog where you can add/edit/delete login credentials for other Windows boxes, file shares, websites et cetera. Just clean them all out from here and you’re good to go.

    For the sysadmin who needs to roll this out as a script, you will need to put the CMDKEY utility inside an accessible share (SYSVOL will do) and use the /delete: switch to remove credentials.

    CMDKEY Utility

  • kikker46 2 years ago

    http://hak5.org/challenge seems a little outdated

  • allen harper 2 years ago

    Its funny you mention firepassword. there used to me a simple mod for firefox3 that disabled the save password dialog and went ahead and saved it anyway. basically every log in would be saved without being asked to. then firepassword could view them all.