Nmap Development mailing list archives

Re: Including sqlite for Lua?


From: Gutek <ange.gutek () gmail com>
Date: Mon, 05 Apr 2010 17:57:59 +0200

Nothing to do with Lua, but SQLite: we published something about the
way FF stores the credentials a few months ago. It was for a password
manager. I've translated the paper for you, if this could help:

""
For a few versions now, Firefox has stored saved passwords in a SQLite
database named signons.sqlite, instead of the previous text-file format
(signons2.txt, signons3.txt). Regarding encryption, it's 3DES (EDE
mode), and the key is stored inside key3.db.

So, in order to decipher and retrieve those credentials we have to use
the PKCS#11 API and NSS (Network Security Services), a crypto library
developed by Mozilla and obviously used by Firefox.
Quickly, starting to develop this tiny code which seemed trivial to me
at the beginning, I noticed that the difficulty was strangely not due
to the code itself, but to Mozilla's NSS API, which is very poorly
documented (second link with the key words "nss api" on Google: "NSS
API is lack of doc | Linux Developer Network" ...).
Finally I preferred reverse engineering a closed-source malware with
Ollydbg, which was retrieving those credentials for malicious purposes.

Those libraries aside (for the crypto side of the problem), we'll have
to use SQLite to read signons.sqlite.

Here is the schema for the moz_logins table, which is the one that interests us:

CREATE TABLE moz_logins (id INTEGER PRIMARY KEY,
                         hostname TEXT NOT NULL,
                         httpRealm TEXT,
                         formSubmitURL TEXT,
                         usernameField TEXT NOT NULL,
                         passwordField TEXT NOT NULL,
                         encryptedUsername TEXT NOT NULL,
                         encryptedPassword TEXT NOT NULL,
                         guid TEXT,
                         encType INTEGER);

...And here is the code, in C, with a light use of the win32 API, which
allows us to retrieve the credentials:

(too long to post here, see http://fz-corp.net/?p=199 )

See also http://github.com/lacostej/firefox_password_dump for a variant.

""

Regards,

A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/