:py:mod:`dissect.target.plugins.apps.browser.firefox`
=====================================================

.. py:module:: dissect.target.plugins.apps.browser.firefox


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.browser.firefox.FirefoxPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.apps.browser.firefox.decrypt_moz_3des
   dissect.target.plugins.apps.browser.firefox.decode_login_data
   dissect.target.plugins.apps.browser.firefox.decrypt_pbes2
   dissect.target.plugins.apps.browser.firefox.decrypt_sha1_triple_des_cbc
   dissect.target.plugins.apps.browser.firefox.decrypt_master_key
   dissect.target.plugins.apps.browser.firefox.query_global_salt
   dissect.target.plugins.apps.browser.firefox.query_master_key
   dissect.target.plugins.apps.browser.firefox.retrieve_master_key
   dissect.target.plugins.apps.browser.firefox.decrypt_field
   dissect.target.plugins.apps.browser.firefox.decrypt


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.browser.firefox.HAS_ASN1
   dissect.target.plugins.apps.browser.firefox.HAS_CRYPTO
   dissect.target.plugins.apps.browser.firefox.FIREFOX_EXTENSION_RECORD_FIELDS
   dissect.target.plugins.apps.browser.firefox.log
   dissect.target.plugins.apps.browser.firefox.pbeWithSha1AndTripleDES_CBC
   dissect.target.plugins.apps.browser.firefox.CKA_ID


.. py:data:: HAS_ASN1
   :value: True


.. py:data:: HAS_CRYPTO
   :value: True


.. py:data:: FIREFOX_EXTENSION_RECORD_FIELDS
   :value: [('uri', 'source_uri'), ('string[]', 'optional_permissions')]


.. py:data:: log


.. py:class:: FirefoxPlugin(target)

   Bases: :py:obj:`dissect.target.plugins.apps.browser.browser.BrowserPlugin`

   Firefox browser plugin.

   .. py:attribute:: __namespace__
      :value: 'firefox'


   .. py:attribute:: DIRS
      :value: ['AppData/Roaming/Mozilla/Firefox/Profiles', 'AppData/local/Mozilla/Firefox/Profiles',...


   .. py:attribute:: BrowserHistoryRecord


   .. py:attribute:: BrowserCookieRecord


   .. py:attribute:: BrowserDownloadRecord


   .. py:attribute:: BrowserExtensionRecord


   .. py:attribute:: BrowserPasswordRecord


   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.


   .. py:method:: history() -> Iterator[BrowserHistoryRecord]

      Return browser history records from Firefox.

      Yields BrowserHistoryRecord with the following fields::

          ts (datetime): Visit timestamp.
          browser (string): The browser from which the records are generated.
          id (string): Record ID.
          url (uri): History URL.
          title (string): Page title.
          description (string): Page description.
          rev_host (string): Reverse hostname.
          visit_type (varint): Visit type.
          visit_count (varint): Number of visits.
          hidden (string): Hidden value.
          typed (string): Typed value.
          session (varint): Session value.
          from_visit (varint): Record ID of the "from" visit.
          from_url (uri): URL of the "from" visit.
          source (path): The source file of the history record.


   .. py:method:: cookies() -> Iterator[BrowserCookieRecord]

      Return browser cookie records from Firefox.

      :param browser_name: The name of the browser as a string.

      :Yields: *Records with the following fields* --
               ts_created (datetime): Cookie created timestamp.
               ts_last_accessed (datetime): Cookie last accessed timestamp.
               browser (string): The browser from which the records are generated.
               name (string): The cookie name.
               value (string): The cookie value.
               host (string): Cookie host key.
               path (string): Cookie path.
               expiry (varint): Cookie expiry.
               is_secure (bool): Cookie secure flag.
               is_http_only (bool): Cookie http only flag.
               same_site (bool): Cookie same site flag.


   .. py:method:: downloads() -> Iterator[BrowserDownloadRecord]

      Return browser download records from Firefox.

      Yields BrowserDownloadRecord with the following fields::

          ts_start (datetime): Download start timestamp.
          ts_end (datetime): Download end timestamp.
          browser (string): The browser from which the records are generated.
          id (string): Record ID.
          path (string): Download path.
          url (uri): Download URL.
          size (varint): Download file size.
          state (varint): Download state number.
          source (path): The source file of the download record.


   .. py:method:: extensions() -> Iterator[BrowserExtensionRecord]

      Return browser extension records for Firefox.

      Yields BrowserExtensionRecord with the following fields::

          ts_install (datetime): Extension install timestamp.
          ts_update (datetime): Extension update timestamp.
          browser (string): The browser from which the records are generated.
          id (string): Extension unique identifier.
          name (string): Name of the extension.
          short_name (string): Short name of the extension.
          default_title (string): Default title of the extension.
          description (string): Description of the extension.
          version (string): Version of the extension.
          ext_path (path): Relative path of the extension.
          from_webstore (boolean): Extension from webstore.
          permissions (string[]): Permissions of the extension.
          manifest (varint): Version of the extension's manifest.
          optional_permissions (string[]): Optional permissions of the extension.
          source_uri (path): Source path from which the extension was downloaded.
          source (path): The source file of the download record.


   .. py:method:: passwords() -> Iterator[BrowserPasswordRecord]

      Return Firefox browser password records.

      Automatically decrypts passwords from Firefox 58 onwards (2018) if no primary password is set.
      Alternatively, you can supply a primary password through the keychain to access the Firefox password store.

      ``PASSPHRASE`` passwords in the keychain with providers ``browser``, ``firefox``, ``user`` and no provider
      can be used to decrypt secrets for this plugin.

      Resources:
          - https://github.com/lclevy/firepwd


.. py:data:: pbeWithSha1AndTripleDES_CBC
   :value: '1.2.840.113549.1.12.5.1.3'


.. py:data:: CKA_ID
   :value: b'\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'


.. py:function:: decrypt_moz_3des(global_salt: bytes, primary_password: bytes, entry_salt: str, encrypted: bytes) -> bytes


.. py:function:: decode_login_data(data: str) -> tuple[bytes, bytes, bytes]

   Decode Firefox login data.

   :param data: Base64 encoded data in string format.

   :raises ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.

   :returns: Tuple of bytes with ``key_id``, ``iv`` and ``ciphertext``


.. py:function:: decrypt_pbes2(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) -> bytes

   Decrypt an item with the given primary password and salt.

   :param decoded_item: ``core.Sequence`` is a ``list`` representation of ``SEQUENCE`` as described below.
   :param primary_password: ``bytes`` of Firefox primary password to decrypt ciphertext with.
   :param global_salt: ``bytes`` of salt to prepend to primary password when calculating AES key.

   :raises ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.

   :returns: Bytes of decrypted AES ciphertext.


.. py:function:: decrypt_sha1_triple_des_cbc(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) -> bytes

   Decrypt an item with the given Firefox primary password and salt.

   :param decoded_item: ``core.Sequence`` is a ``list`` representation of ``SEQUENCE`` as described below.
   :param primary_password: ``bytes`` of Firefox primary password to decrypt ciphertext with.
   :param global_salt: ``bytes`` of salt to prepend to primary password when calculating AES key.

   :raises ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.

   :returns: Bytes of decrypted 3DES ciphertext.


.. py:function:: decrypt_master_key(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) -> tuple[bytes, str]

   Decrypt the provided ``core.Sequence`` with the provided Firefox primary password and salt.

   At this stage we are not yet sure of the structure of ``decoded_item``. The structure will depend on the
   ``core.Sequence`` object identifier at ``decoded_item[0][0]``, hence we extract it. This function will
   then call the appropriate ``decrypt_pbes2`` or ``decrypt_sha1_triple_des_cbc`` function to decrypt the item.

   :param decoded_item: ``core.Sequence`` is a ``list`` representation of ``SEQUENCE`` as described below.
   :param primary_password: ``bytes`` of Firefox primary password to decrypt ciphertext with.
   :param global_salt: ``bytes`` of salt to prepend to primary password when calculating AES key.

   :raises ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.

   :returns: Tuple of decrypted bytes and a string representation of the identified encryption algorithm.


.. py:function:: query_global_salt(key4_file: dissect.target.helpers.fsutil.TargetPath) -> tuple[str, str]


.. py:function:: query_master_key(key4_file: dissect.target.helpers.fsutil.TargetPath) -> tuple[str, str]


.. py:function:: retrieve_master_key(primary_password: bytes, key4_file: dissect.target.helpers.fsutil.TargetPath) -> tuple[bytes, str]


.. py:function:: decrypt_field(key: bytes, field: tuple[bytes, bytes, bytes]) -> bytes


.. py:function:: decrypt(username: str, password: str, key4_file: dissect.target.helpers.fsutil.TargetPath, primary_password: str = '') -> tuple[Optional[str], Optional[str]]

   Decrypt a stored username and password using provided credentials and key4 file.

   :param username: Encoded and encrypted username.
   :param password: Encoded and encrypted password.
   :param key4_file: Path to key4.db file.
   :param primary_password: Password to use for decryption routine.

   :returns: A tuple of decoded username and password strings.

   Resources:
       - https://github.com/lclevy/firepwd
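
The structure handling that ``decode_login_data`` and ``decrypt_master_key`` describe, as an added standard-library sketch that is not dissect's own code: it splits a login blob into ``key_id``, ``iv`` and ``ciphertext`` and names the scheme from the object identifier at ``decoded_item[0][0]``, without decrypting anything. The function names, the blob layout (taken from the firepwd resource linked above), the PBES2 OID and the sample bytes are assumptions.

```python
import base64

# First OID is this page's pbeWithSha1AndTripleDES_CBC; the PBES2 OID (PKCS #5) is assumed.
SCHEMES = {"1.2.840.113549.1.12.5.1.3": "pbeWithSha1AndTripleDES_CBC", "1.2.840.113549.1.5.13": "PBES2"}
CKA_ID = b"\xf8" + b"\x00" * 14 + b"\x01"  # value listed on this page

def decode_oid(raw: bytes) -> str:  # DER OID content bytes -> dotted string
    if not raw or raw[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in raw:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def der_parse(buf: bytes) -> list:  # SEQUENCE -> list, OID -> str, other tags -> bytes
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
            raise ValueError("truncated header or indefinite length")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("DER value runs past end of input")
        value, pos = buf[pos:pos + length], pos + length
        out.append(der_parse(value) if tag == 0x30 else
                   decode_oid(value) if tag == 0x06 else value)
    return out

def decode_login_blob(data: str) -> tuple:  # -> (key_id, iv, ciphertext)
    top = der_parse(base64.b64decode(data, validate=True))
    if len(top) != 1 or [type(x) for x in top[0]] != [bytes, list, bytes]:
        raise ValueError("unexpected login blob layout")
    key_id, (_oid, iv), ciphertext = top[0]
    return key_id, iv, ciphertext

def identify_scheme(decoded_item: list) -> str:  # dispatch on decoded_item[0][0]
    return SCHEMES.get(decoded_item[0][0], "unsupported")

def tlv(tag: int, body: bytes) -> bytes:  # sample builder, bodies under 128 bytes
    return bytes([tag, len(body)]) + body
IV, CT = bytes(range(8)), bytes(16)  # constructed samples below, not real profile data
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0307")) + tlv(0x04, IV))
SAMPLE_LOGIN = base64.b64encode(tlv(0x30, tlv(0x04, CKA_ID) + ALG + tlv(0x04, CT))).decode()
PBE = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010c050103"))
          + tlv(0x30, tlv(0x04, b"s" * 20) + tlv(0x02, b"\x01")))
SAMPLE_KEY_ITEM = tlv(0x30, PBE + tlv(0x04, CT))
```

A ``key_id`` that differs from ``CKA_ID``, or an ``unsupported`` scheme, tells the analyst up front that the profile's key material does not match what this module expects.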