Nmap Development mailing list archives

Re: Including sqlite for Lua?


From: Ron <ron () skullsecurity net>
Date: Mon, 5 Apr 2010 11:20:47 -0500

Hey,

Thanks for the info, that's awesome! I found the source for a program called FirePassword that sort of implements it, 
but I couldn't get it to run. I was going by what it said, but yours sounds far more helpful. Thanks! 

Assuming I can parse sqlite (that's the trick right now), downloading the files is easy (over SMB) and decrypting 3DES 
is pretty simple. 

A random side-thought - I wonder if we should consider abstracting out the "get a file" code somehow. The easiest way 
for me to retrieve a file is the C$ share over SMB, but what if it has open FTP (or a known FTP password) to the root? 
Or a path-traversal vulnerability? Or something else? Maybe there should be a way to do stdnse.get_file("c:\\boot.ini") 
and let nselib handle the implementation details of how to get the file?

Just thinking out loud on this one. I'm going to stick with smb for now. 

On Mon, 05 Apr 2010 17:57:59 +0200 Gutek <ange.gutek () gmail com> wrote:
Nothing to do with lua, but sqlite: we've published something about
the way FF stores the credentials a few months ago. It was for a
password manager. I've translated the paper for you, if this could
help:

""
Since a few versions Firefox stores saved passwords in a
SQLite database named signons.sqlite, instead of the previous
text-file format (signons2.txt, signons3.txt). Regarding encryption,
it's 3DES (EDE mode), and the key is stored inside key3.db.

So, in order to decipher and retrieve those credentials we have to
use the PKCS#11 API and NSS (Network Security Services), a crypto
library developed by Mozilla and obviously used by Firefox.
Quickly, starting to develop this tiny code which seemed to me trivial
at the beginning, I've noticed that the difficulty was strangely not
due to the code itself, but to Mozilla's NSS API, which is very
poorly documented (second link with the key words "nss api" on
Google: “NSS API is lack of doc | Linux Developer Network” …).
Finally I preferred reverse engineering a closed-source malware with
OllyDbg, which was retrieving those credentials for malicious
purposes.

Those libraries apart (for the crypto side of the problem), we'll
have to use SQLite so as to read signons.sqlite.

Here is the schema for the moz_logins table which interests us:

CREATE TABLE moz_logins (id INTEGER PRIMARY KEY,
                         hostname TEXT NOT NULL,
                         httpRealm TEXT,
                         formSubmitURL TEXT,
                         usernameField TEXT NOT NULL,
                         passwordField  TEXT NOT NULL,
                         encryptedUsername TEXT NOT NULL,
                         encryptedPassword TEXT NOT NULL,
                         guid TEXT,
                         encType INTEGER);

...And here is the code, in C, with a light use of the win32 API,
which allows us to retrieve the credentials:

(too long to post here, see http://fz-corp.net/?p=199 )

See also http://github.com/lacostej/firefox_password_dump for a
variant.

""

Regards,

A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
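As an added example (not Ron's or Gutek's code, and not the fz-corp program linked above), here is the parsing side of what the quoted post describes, in Python. It builds a database with the moz_logins schema quoted above, fills it with constructed rows (the hostnames and the "encrypted" values are placeholders), and audits it the way a defender would: it lists which hosts have saved logins and flags entries whose login target is plain http, while leaving the encrypted columns untouched, since decrypting them needs NSS and the profile's key3.db.

```python
import sqlite3
from urllib.parse import urlsplit

# Schema exactly as given in the quoted post (Firefox signons.sqlite).
MOZ_LOGINS_SCHEMA = """
CREATE TABLE moz_logins (id INTEGER PRIMARY KEY,
                         hostname TEXT NOT NULL,
                         httpRealm TEXT,
                         formSubmitURL TEXT,
                         usernameField TEXT NOT NULL,
                         passwordField  TEXT NOT NULL,
                         encryptedUsername TEXT NOT NULL,
                         encryptedPassword TEXT NOT NULL,
                         guid TEXT,
                         encType INTEGER);
"""

# Constructed sample rows; the encrypted columns hold opaque stand-ins and are
# never decrypted here (that needs NSS plus the profile's key3.db).
SAMPLE_ROWS = [
    ("https://mail.example.org", None, "https://mail.example.org",
     "user", "pass", "~ENC-A~", "~ENC-B~", "{guid-1}", 1),
    ("http://intranet.example.org", None, "http://intranet.example.org",
     "login", "pw", "~ENC-C~", "~ENC-D~", "{guid-2}", 1),
    ("http://router.example.org", "Router Admin", None,
     "", "", "~ENC-E~", "~ENC-F~", "{guid-3}", 1),
]

def build_sample_db(path=":memory:"):
    """Create a signons.sqlite-shaped database holding the sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript(MOZ_LOGINS_SCHEMA)
    conn.executemany(
        "INSERT INTO moz_logins (hostname, httpRealm, formSubmitURL, usernameField,"
        " passwordField, encryptedUsername, encryptedPassword, guid, encType)"
        " VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def audit_logins(conn):
    """Inventory saved logins (never reading the encrypted columns) and flag
    entries whose login target is plain http, i.e. credentials sent in clear."""
    findings = []
    for hostname, realm, submit_url, enc_type in conn.execute(
            "SELECT hostname, httpRealm, formSubmitURL, encType FROM moz_logins ORDER BY id"):
        target = submit_url or hostname  # HTTP-auth rows carry no formSubmitURL
        findings.append({"hostname": hostname, "encType": enc_type,
                         "kind": "http-auth" if realm else "form",
                         "plaintext_submit": urlsplit(target).scheme.lower() == "http"})
    return findings
```

Point build_sample_db at a copy of a real signons.sqlite instead of ":memory:" only after dropping the sample insert; the audit function itself works unchanged on the real table.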
