Dabbling in Open Source
I was searching Up For Grabs for an open-source project to work on and stumbled upon an interesting tool called passthief that I figured would be useful in pentesting. I analyzed all the modules in anticipation for writing the Firefox password extracter module. In Linux, I found the two files we need in this directory: ~/.mozilla/firefox/i9wamphd.default-release
. The key4.db
file stores the key database for the passwords and logins.json
contains the encrypted usernames and passwords. As I dug deeper into the specifics, I realized other people must have previously cracked this. And, I found firefox_decrypt and FF Password Exporter which do exactly what I was going to try to do. I also found firepwned which checks if your Firefox saved passwords have been involved in a known data leak using the Have I Been Pwned API. I figured I could repurpose a lot of that code, but eventually decided it might not be worth my time. In my exploratory efforts with passthief on Linux, the program needed a lot of work to get running and would require a lot of debugging on a target machine. And if someone needed to extract firefox passwords, they could just use the already existing and maintained firefox_decrypt.
I did do a pull request for WinPEAS to fix a typo that was bothering me though. Hooray open-source!