private byte[] decrypt3DES(byte[] item1, string masterPwd, byte[] entrySalt, byte[] cipherT)
{
try
{
var sha1 = SHA1.Create("sha1");
var hp = sha1.ComputeHash(item1);
Array.Resize(ref hp, 40);
Array.Copy(entrySalt, 0, hp, 20, 20);
var pes = entrySalt.Concat(Enumerable.Range(1, 20 - entrySalt.Length).Select(b => (byte)0).ToArray()).ToArray();
Array.Resize(ref pes, 40);
Array.Copy(entrySalt, 0, pes, 20, 20);
var chp = sha1.ComputeHash(hp);
var hmac = HMACSHA1.Create();
hmac.Key = chp;
var k1 = hmac.ComputeHash(pes);
Array.Resize(ref pes, 20);
var tk = hmac.ComputeHash(pes);
Array.Resize(ref tk, 40);
Array.Copy(entrySalt, 0, tk, 20, 20);
var k2 = hmac.ComputeHash(tk);
Array.Resize(ref k1, 40);
Array.Copy(k2, 0, k1, 20, 20);
var iv = k1.Skip(k1.Length - 8).ToArray();
var key = k1.Take(24).ToArray();
return(TripleDESHelper.DESCBCDecryptorByte(key, iv, cipherT).Take(24).ToArray());
}
catch (Exception ex)
{
return(null);
}
}
private static void Main()
{
Searcher.CopyLoginsInSafeDir();
Console.ReadLine();
string MasterPwd = string.Empty;
bool Verbose = false;
string filePath = string.Empty;
var dt = new DataTable();
var asn = new Asn1Der();
var db = new BerkeleyDB(Path.Combine(filePath, "key4.db"));
var pwdCheck = new PasswordCheck((from p in db.Keys where p.Key.Equals("password-check") select p.Value).FirstOrDefault().Replace("-", ""));
string GlobalSalt = (from p in db.Keys where p.Key.Equals("global-salt") select p.Value).FirstOrDefault().Replace("-", "");
string f81 = (from p in db.Keys where !p.Key.Equals("global-salt") && !p.Key.Equals("Version") && !p.Key.Equals("password-check") select p.Value).FirstOrDefault().Replace("-", "");
var CheckPwd = new MozillaPBE(MasterPassword.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(MasterPwd), MasterPassword.ConvertHexStringToByteArray(pwdCheck.EntrySalt));
CheckPwd.Compute();
string decryptedPwdChk = TripleDESHelper.DESCBCDecryptor(CheckPwd.Key, CheckPwd.IV, MasterPassword.ConvertHexStringToByteArray(pwdCheck.Passwordcheck));
Asn1DerObject f800001 = asn.Parse(MasterPassword.ConvertHexStringToByteArray(f81));
MozillaPBE CheckPrivateKey = new MozillaPBE(MasterPassword.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(MasterPwd), f800001.objects[0].objects[0].objects[1].objects[0].Data);
CheckPrivateKey.Compute();
byte[] decryptF800001 = TripleDESHelper.DESCBCDecryptorByte(CheckPrivateKey.Key, CheckPrivateKey.IV, f800001.objects[0].objects[1].Data);
Asn1DerObject f800001deriv1 = asn.Parse(decryptF800001);
Asn1DerObject f800001deriv2 = asn.Parse(f800001deriv1.objects[0].objects[2].Data);
byte[] privateKey = new byte[24];
if (f800001deriv2.objects[0].objects[3].Data.Length > 24)
{
Array.Copy(f800001deriv2.objects[0].objects[3].Data, f800001deriv2.objects[0].objects[3].Data.Length - 24, privateKey, 0, 24);
}
else
{
privateKey = f800001deriv2.objects[0].objects[3].Data;
}
}
private static void ParseLogins(string directory, string userName, string masterPassword = "")
{
// Read berkeleydb
Asn1Der asn = new Asn1Der();
BerkeleyDB db = new BerkeleyDB(Path.Combine(directory, "key3.db"));
PasswordCheck pwdCheck = new PasswordCheck(db.GetValueOfKey("password-check").Replace("-", ""));
//string GlobalSalt = (from p in db.Keys
// where p.Key.Equals("global-salt")
// select p.Value).FirstOrDefault().Replace("-", "");
string GlobalSalt = db.GetValueOfKey("global-salt").Replace("-", "");
MozillaPBE CheckPwd = new MozillaPBE(ByteHelper.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(masterPassword), ByteHelper.ConvertHexStringToByteArray(pwdCheck.EntrySalt));
CheckPwd.Compute();
string decryptedPwdChk = TripleDESHelper.DESCBCDecryptor(CheckPwd.Key, CheckPwd.IV, ByteHelper.ConvertHexStringToByteArray(pwdCheck.Passwordcheck));
if (!decryptedPwdChk.StartsWith("password-check"))
{
Console.WriteLine("Master password is wrong; cannot decrypt FireFox logins.");
return;
}
// Get private key
string f81 = String.Empty;
String[] blacklist = { "global-salt", "Version", "password-check" };
foreach (var k in db.Keys)
{
if (Array.IndexOf(blacklist, k.Key) == -1)
{
f81 = k.Value.Replace("-", "");
}
}
if (f81 == String.Empty)
{
Console.WriteLine("[X] Could not retrieve private key.");
return;
}
Asn1DerObject f800001 = asn.Parse(ByteHelper.ConvertHexStringToByteArray(f81));
MozillaPBE CheckPrivateKey = new MozillaPBE(ByteHelper.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(masterPassword), f800001.objects[0].objects[0].objects[1].objects[0].Data);
CheckPrivateKey.Compute();
byte[] decryptF800001 = TripleDESHelper.DESCBCDecryptorByte(CheckPrivateKey.Key, CheckPrivateKey.IV, f800001.objects[0].objects[1].Data);
Asn1DerObject f800001deriv1 = asn.Parse(decryptF800001);
Asn1DerObject f800001deriv2 = asn.Parse(f800001deriv1.objects[0].objects[2].Data);
byte[] privateKey = new byte[24];
if (f800001deriv2.objects[0].objects[3].Data.Length > 24)
{
Array.Copy(f800001deriv2.objects[0].objects[3].Data, f800001deriv2.objects[0].objects[3].Data.Length - 24, privateKey, 0, 24);
}
else
{
privateKey = f800001deriv2.objects[0].objects[3].Data;
}
// decrypt username and password
string loginsJsonPath = String.Format("{0}\\{1}", directory, "logins.json");
Login[] logins = ParseLoginFile(loginsJsonPath);
if (logins.Length == 0)
{
Console.WriteLine("No logins discovered from logins.json");
return;
}
foreach (Login login in logins)
{
Asn1DerObject user = asn.Parse(Convert.FromBase64String(login.encryptedUsername));
Asn1DerObject pwd = asn.Parse(Convert.FromBase64String(login.encryptedPassword));
string hostname = login.hostname;
string decryptedUser = TripleDESHelper.DESCBCDecryptor(privateKey, user.objects[0].objects[1].objects[1].Data, user.objects[0].objects[2].Data);
string decryptedPwd = TripleDESHelper.DESCBCDecryptor(privateKey, pwd.objects[0].objects[1].objects[1].Data, pwd.objects[0].objects[2].Data);
Console.WriteLine("--- FireFox Credential (User: {0}) ---", userName);
Console.WriteLine("Hostname: {0}", hostname);
Console.WriteLine("Username: {0}", Regex.Replace(decryptedUser, @"[^\u0020-\u007F]", ""));
Console.WriteLine("Password: {0}", Regex.Replace(decryptedPwd, @"[^\u0020-\u007F]", ""));
Console.WriteLine();
}
}
private byte[] CheckKey3DB(string filePath, string MasterPwd)
{
try
{
Converts conv = new Converts();
ErrorHandle eh = new ErrorHandle();
Asn1Der asn = new Asn1Der();
BerkeleyDB db = new BerkeleyDB(Path.Combine(filePath, "key3.db"));
// Verify MasterPassword
PasswordCheck pwdCheck = new PasswordCheck((from p in db.Keys
where p.Key.Equals("password-check")
select p.Value).FirstOrDefault().Replace("-", ""));
string GlobalSalt = (from p in db.Keys
where p.Key.Equals("global-salt")
select p.Value).FirstOrDefault().Replace("-", "");
MozillaPBE CheckPwd = new MozillaPBE(conv.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(MasterPwd), conv.ConvertHexStringToByteArray(pwdCheck.EntrySalt));
CheckPwd.Compute();
string decryptedPwdChk = TripleDESHelper.DESCBCDecryptor(CheckPwd.Key, CheckPwd.IV, conv.ConvertHexStringToByteArray(pwdCheck.Passwordcheck));
if (!decryptedPwdChk.StartsWith("password-check"))
{
eh.ErrorFunc("Master password is wrong !");
return(null);
}
// Get private key
string f81 = (from p in db.Keys
where !p.Key.Equals("global-salt") &&
!p.Key.Equals("Version") &&
!p.Key.Equals("password-check")
select p.Value).FirstOrDefault().Replace("-", "");
Asn1DerObject f800001 = asn.Parse(conv.ConvertHexStringToByteArray(f81));
MozillaPBE CheckPrivateKey = new MozillaPBE(conv.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(MasterPwd), f800001.objects[0].objects[0].objects[1].objects[0].Data);
CheckPrivateKey.Compute();
byte[] decryptF800001 = TripleDESHelper.DESCBCDecryptorByte(CheckPrivateKey.Key, CheckPrivateKey.IV, f800001.objects[0].objects[1].Data);
Asn1DerObject f800001deriv1 = asn.Parse(decryptF800001);
Asn1DerObject f800001deriv2 = asn.Parse(f800001deriv1.objects[0].objects[2].Data);
byte[] privateKey = new byte[24];
if (f800001deriv2.objects[0].objects[3].Data.Length > 24)
{
Array.Copy(f800001deriv2.objects[0].objects[3].Data, f800001deriv2.objects[0].objects[3].Data.Length - 24, privateKey, 0, 24);
}
else
{
privateKey = f800001deriv2.objects[0].objects[3].Data;
}
return(privateKey);
}
catch (Exception ex)
{
return(null);
}
}
public static int Main(string[] args)
{
string MasterPwd = string.Empty;
bool Verbose = false;
string filePath = string.Empty;
//Manage args
for (int i = 0; i < args.Length; i++)
{
if (args[i].Equals("-p"))
{
MasterPwd = args[i + 1];
}
if (args[i].Equals("-f"))
{
filePath = args[i + 1];
}
if (args[i].Equals("-v"))
{
Verbose = true;
}
if (args[i].Equals("-h"))
{
Console.WriteLine("FirePwd.Net v0.1");
Console.WriteLine("Usage :");
Console.WriteLine("\t -p to specify Master Password");
Console.WriteLine("\t -v to activate verbose mode");
Console.WriteLine("\t -f to specify path for files key3.db and signons.sqlite");
return(0);
}
}
// Check if files exists
if (!File.Exists(Path.Combine(filePath, "key3.db")))
{
Console.WriteLine("File key3.db not found.");
return(0);
}
if (!File.Exists(Path.Combine(filePath, "signons.sqlite")))
{
Console.WriteLine("File key3.db not found.");
return(0);
}
// Read berkeleydb
DataTable dt = new DataTable();
Asn1Der asn = new Asn1Der();
BerkeleyDB db = new BerkeleyDB(Path.Combine(filePath, "key3.db"));
if (Verbose)
{
Console.WriteLine(db.Version);
}
// Verify MasterPassword
PasswordCheck pwdCheck = new PasswordCheck((from p in db.Keys
where p.Key.Equals("password-check")
select p.Value).FirstOrDefault().Replace("-", ""));
string GlobalSalt = (from p in db.Keys
where p.Key.Equals("global-salt")
select p.Value).FirstOrDefault().Replace("-", "");
if (Verbose)
{
Console.WriteLine("GlobalSalt = " + GlobalSalt);
Console.WriteLine("EntrySalt = " + pwdCheck.EntrySalt);
}
MozillaPBE CheckPwd = new MozillaPBE(ByteHelper.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(MasterPwd), ByteHelper.ConvertHexStringToByteArray(pwdCheck.EntrySalt));
CheckPwd.Compute();
string decryptedPwdChk = TripleDESHelper.DESCBCDecryptor(CheckPwd.Key, CheckPwd.IV, ByteHelper.ConvertHexStringToByteArray(pwdCheck.Passwordcheck));
if (!decryptedPwdChk.StartsWith("password-check"))
{
Console.WriteLine("Master password is wrong !");
return(0);
}
// Get private key
string f81 = (from p in db.Keys
where !p.Key.Equals("global-salt") &&
!p.Key.Equals("Version") &&
!p.Key.Equals("password-check")
select p.Value).FirstOrDefault().Replace("-", "");
Asn1DerObject f800001 = asn.Parse(ByteHelper.ConvertHexStringToByteArray(f81));
if (Verbose)
{
Console.WriteLine("F800001");
Console.WriteLine(f800001.ToString());
}
MozillaPBE CheckPrivateKey = new MozillaPBE(ByteHelper.ConvertHexStringToByteArray(GlobalSalt), Encoding.ASCII.GetBytes(MasterPwd), f800001.objects[0].objects[0].objects[1].objects[0].Data);
CheckPrivateKey.Compute();
byte[] decryptF800001 = TripleDESHelper.DESCBCDecryptorByte(CheckPrivateKey.Key, CheckPrivateKey.IV, f800001.objects[0].objects[1].Data);
Asn1DerObject f800001deriv1 = asn.Parse(decryptF800001);
if (Verbose)
{
Console.WriteLine("F800001 first derivation");
Console.WriteLine(f800001deriv1.ToString());
}
Asn1DerObject f800001deriv2 = asn.Parse(f800001deriv1.objects[0].objects[2].Data);
if (Verbose)
{
Console.WriteLine("F800001 second derivation");
Console.WriteLine(f800001deriv2.ToString());
}
byte[] privateKey = new byte[24];
if (f800001deriv2.objects[0].objects[3].Data.Length > 24)
{
Array.Copy(f800001deriv2.objects[0].objects[3].Data, f800001deriv2.objects[0].objects[3].Data.Length - 24, privateKey, 0, 24);
}
else
{
privateKey = f800001deriv2.objects[0].objects[3].Data;
}
if (Verbose)
{
Console.WriteLine("Private key = " + privateKey.ToString());
}
// decrypt username and password
using (SQLiteConnection cnn = new SQLiteConnection("Data Source=" + Path.Combine(filePath, "signons.sqlite")))
{
cnn.Open();
SQLiteCommand mycommand = new SQLiteCommand(cnn);
mycommand.CommandText = "select hostname, encryptedUsername, encryptedPassword, guid, encType from moz_logins;";
SQLiteDataReader reader = mycommand.ExecuteReader();
dt.Load(reader);
}
foreach (DataRow row in dt.Rows)
{
Asn1DerObject user = asn.Parse(Convert.FromBase64String(row["encryptedUsername"].ToString()));
Asn1DerObject pwd = asn.Parse(Convert.FromBase64String(row["encryptedPassword"].ToString()));
if (Verbose)
{
Console.WriteLine("User= "******"Pwd= " + pwd.ToString());
}
string hostname = row["hostname"].ToString();
string decryptedUser = TripleDESHelper.DESCBCDecryptor(privateKey, user.objects[0].objects[1].objects[1].Data, user.objects[0].objects[2].Data);
string decryptedPwd = TripleDESHelper.DESCBCDecryptor(privateKey, pwd.objects[0].objects[1].objects[1].Data, pwd.objects[0].objects[2].Data);
Console.WriteLine(hostname + " " + Regex.Replace(decryptedUser, @"[^\u0020-\u007F]", "") + " " + Regex.Replace(decryptedPwd, @"[^\u0020-\u007F]", ""));
}
return(0);
}
