FirePassword : The Firefox Username & Password List Decryptor

HOME TOOLS ARTICLES RESEARCH DOWNLOAD BLOG ABOUT CONTACT

Latest Tool

ProcNetMonitor 2.7

Updated: 2 Sep 2010

Tool of the Month

DllHijackAuditor 1.0

Book of the Month

Recommended book for any one who would like to know in & out of the Cyber crooks, their operations and the framework in which they operate to make millions behind the lines. Book of the month list.

Latest Stuff

Updated ProcNetMonitor 2.7

Released DllHijackAuditor, new tool to audit against Dll Hijack Vulnerability

Released SpyBHORemover 2.5

Updated SXPasswordSuite 1.0

ThunderbirdPassDecryptor, new tool to recover Thunderbird Passwords is released.

Top Tools

GooglePasswordDecryptor

FirePasswordViewer

SpyDLLRemover

ChromePasswordDecryptor

NetworkPasswordDecryptor

SpyBHORemover

FirePassword

IEPasswordDecryptor

ProcNetMonitor

SXPasswordSuite

...more statistics

Contents

About FirePassword
Features of FirePassword
About Firefox's built-in Password Manager
Internals of FirePassword Tool
Using FirePassword
Screenshots of FirePassword
Testing FirePassword
acknowledgement
History of FirePassword
Download FirePassword

About FirePassword

FirePassword is FREE console based tool to instantly recover login passwords stored by Firefox. Like other browsers, Firefox also stores the login details such as username, password for every website visited by the user at the user consent. All these secret details are stored in Firefox sign-on database securely in an encrypted format. FirePassword can instantly decrypt and recover these secrets even if they are protected with master password.

Also FirePassword can be used to recover sign-on passwords from different profile (for other users on the same system) as well as from the different operating system (such as Linux, Mac etc). This greatly helps forensic investigators who can copy the Firefox profile data from the target system to different machine and recover the passwords offline without affecting the target environment.

Newer version dynamically loads the DLLs from installed location of Firefox automatically. Hence these DLLs are no longer packaged with FirePassword tool. Also this version presents the color based display to clearly view the password details.

FirePassword is a standalone portable tool and works on wider range of platforms starting from Windows XP to latest operating system, Windows 7.

Features of FirePassword

Here are the highlights of top features of FirePassword which makes it stand apart from other similar tools including commercial ones.

Instantly decrypt and recover stored encrypted passwords from 'Firefox Sign-on Secret Store' for all versions of Firefox.

Supports recovery of passwords from local system as well as remote system. User can specify Firefox profile location from the remote system to recover the passwords.

It can recover passwords from Firefox secret store even when it is protected with master password. In such case user have to enter the correct master password to successfully decrypt the sign-on passwords.

Automatically discovers Firefox profile location based on installed version of Firefox.

On successful recovery operation, username, password along with a corresponding login website is displayed.

Does not require any installation as it is standalone portable tool and can be run directly on any system.

About Firefox's Built-in Password Manager

Firefox has a built-in password manager tool which stores username and passwords for all the visited websites. These credentials are stored in the encrypted form in the Firefox profile's database files such as key3.db and signons.txt.

The key3.db file contains master password related information such as encrypted password check string, salt, algorithm and version information etc.

Signons.txt file contains the actual sign-on information

Reject Host list : List of websites for which user don't want Firefox to remember the credentials.
Normal Host List : Each host URL is followed by username and password.

Internals of FirePassword

Firefox till version 3.5 stores the sign-on secrets in signons.txt file located in the Firefox profile directory. With version 3.5 onwards Firefox started storing the sign-on secrets in Sqlite database file named 'signons.sqlite'. The structure of sign-on information stored in the signons.txt file (signons2.txt for version 2 and signons3.txt for version 3) and signons.sqlite for version 3.5 onwards is described below...

For Firefox < version 2.0

First comes the sign-on file header which is always "#2c"
Next comes the reject host list in clear text, one per line and terminated with full stop.
After that normal host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - .(full stop)

For Firefox version 2.0

First comes the sign-on file header which is always "#2d"
Next comes the reject host list in clear text, one per line and ends with full stop.
After that normal host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - Subdomain URL
  - .(full stop)

For Firefox version 3.0 and below 3.5

First comes the sign-on file header which is always "#2e"
Next comes the excluded host list in clear text, one per line and ends with full stop.
After that saved host list is stored in the following format
- Host URL
  - Name (username or *password)
  - Value (encrypted)
  - Subdomain URL
  - --- (Dashed line denoting the end of host entry)
  - .(full stop)

For Firefox version 3.5 and above

The new signons.sqlite database file has two tables moz_disabledHosts and moz_logins. The moz_disabledHosts table contains list of excluded websites which are exempted from storing passwords by user. The moz_logins table contains all the saved website passwords. Here is more detailed description of each tables...

table - moz_disabledHosts
- id - index of each entry
- hostname - blacklisted website URL

table - moz_logins
- id - index of each entry
- hostname - base website URL
- httpRealm -
- formSubmitURL - Actual website URL for which secrets are saved.
- usernameField - name of username element of form field
- passwordField - name of password element of form field
- encryptedUsername - encrypted username
- encryptedPassword - encrypted password
- guid - unique GUID for each entry
- encType - value 1 indicates encrypted

Here each Host entry can have multiple username/password pairs. Starting from Firefox version 2.0, sub domain URL is also included along with username/password entry. If it is the password field then it begins with '*'. This is the key in distinguishing between username and password entry.

Now once the username and password values are extracted, next task is to decrypt them. Information required to decrypt these values is stored in key3.db file. If the master password is set, then you must provide the master password to proceed with decryption. If you have forgotten the master password, then you can use Firemaster tool to recover the master password. If the master password is set and if you have not provided it, then FirePassword will prompt you to enter the master password.

Using FirePassword

Here is the general usage information

FirePassword.exe [-m "master password" ] <Firefox_Profile_Directory>

Options:
-m specify the master password

FirePassword is the console tool, hence you need to run it from cmd prompt. Here are the brief usage instructions

Launch the cmd prompt and move to folder where you have copied FirePassword.exe
Next run it by typing 'FirePassword.exe'. It will automatically discover current Firefox profile and recover all the stored passwords.
If you have protected Firefox with master password then you have to specify it using -m option like 'FirePassword.exe -m mypassword' to recover the passwords successfully.
On successful recovery operation, FirePassword displays login website URL, username and password for all the stored websites. It also displays excluded website list as well.
If you wants to save the password list to file then you can issue following command, 'FirePassword.exe > passlist.txt'

You can also copy the Firefox profile files from different operating system such as Linux, Mac to the Windows system locally and then specify that path with the FirePassword to recover passwords from such offline profile.

Screenshots of FirePassword

Testing FirePassword

FirePassword is successfully tested with Firefox version 1.0 to latest version 3.6.3 and should work with any Firefox greater than version 1.0

If you encounter any problem with FirePassword, then please drop a mail to me mentioning your Firefox version and any other details which will help in fixing the problem.

Disclaimer

FirePassword is designed for good purpose to help users to recover and view their sign-on secrets. Like any tool its use either good or bad, depends upon the user who uses it. However author is not responsible for damage caused due to misuse of this tool.

Acknowledgement

Thanks to the Mozilla-Firefox crew for making such an excellent and beautiful browser.
Thanks to Stefano for informing and providing code to make the FirePassword to support Firefox version 2.0

History of FirePassword

Version 3.6 : 12th May 2010

Dynamically loads Firefox DLLs from its installed location. Color based display to clearly view the password information.

Version 3.5 : 27th Dec 2009

Support for Windows 7. The errors messages are now shown in RED color so that they are clearly seen.

Version 3.1 : 21st Aug 2009

Support for recovering the passwords from Sqlite signon database file used by latest Firefox version 3.5.

Version 2.6 : 9th Jan 2009

Fixed the application data folder problem with Vista.
Also it contains some of the security related changes.

Version 2.5 : 18th June 2008

Support for Firefox version 3.0 with its new signon file format.

Other enhancements related to user friendliness and clear display.