dissect.target.plugins.apps.browser.firefox
¶
Module Contents¶
Classes¶
Firefox browser plugin. |
Functions¶
Decode Firefox login data. |
|
Decrypt an item with the given primary password and salt. |
|
Decrypt an item with the given Firefox primary password and salt. |
|
Decrypt the provided |
|
Decrypt a stored username and password using provided credentials and key4 file. |
Attributes¶
- dissect.target.plugins.apps.browser.firefox.HAS_ASN1 = True¶
- dissect.target.plugins.apps.browser.firefox.HAS_CRYPTO = True¶
- dissect.target.plugins.apps.browser.firefox.FIREFOX_EXTENSION_RECORD_FIELDS = [('uri', 'source_uri'), ('string[]', 'optional_permissions')]¶
- dissect.target.plugins.apps.browser.firefox.log¶
- class dissect.target.plugins.apps.browser.firefox.FirefoxPlugin(target)¶
Bases:
dissect.target.plugins.apps.browser.browser.BrowserPlugin
Firefox browser plugin.
- __namespace__ = 'firefox'¶
- DIRS = ['AppData/Roaming/Mozilla/Firefox/Profiles', 'AppData/local/Mozilla/Firefox/Profiles',...¶
- BrowserHistoryRecord¶
- BrowserCookieRecord¶
- BrowserDownloadRecord¶
- BrowserExtensionRecord¶
- BrowserPasswordRecord¶
- check_compatible() None ¶
Perform a compatibility check with the target.
This function should return
None
if the plugin is compatible with the current target (self.target
). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError
.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- history() Iterator[BrowserHistoryRecord] ¶
Return browser history records from Firefox.
- Yields BrowserHistoryRecord with the following fields:
ts (datetime): Visit timestamp. browser (string): The browser from which the records are generated from. id (string): Record ID. url (uri): History URL. title (string): Page title. description (string): Page description. rev_host (string): Reverse hostname. visit_type (varint): Visit type. visit_count (varint): Amount of visits. hidden (string): Hidden value. typed (string): Typed value. session (varint): Session value. from_visit (varint): Record ID of the “from” visit. from_url (uri): URL of the “from” visit. source: (path): The source file of the history record.
- cookies() Iterator[BrowserCookieRecord] ¶
Return browser cookie records from Firefox.
- Parameters:
browser_name – The name of the browser as a string.
- Yields:
Records with the following fields – ts_created (datetime): Cookie created timestamp. ts_last_accessed (datetime): Cookie last accessed timestamp. browser (string): The browser from which the records are generated from. name (string): The cookie name. value (string): The cookie value. host (string): Cookie host key. path (string): Cookie path. expiry (varint): Cookie expiry. is_secure (bool): Cookie secury flag. is_http_only (bool): Cookie http only flag. same_site (bool): Cookie same site flag.
- downloads() Iterator[BrowserDownloadRecord] ¶
Return browser download records from Firefox.
- Yields BrowserDownloadRecord with the following fields:
ts_start (datetime): Download start timestamp. ts_end (datetime): Download end timestamp. browser (string): The browser from which the records are generated from. id (string): Record ID. path (string): Download path. url (uri): Download URL. size (varint): Download file size. state (varint): Download state number. source: (path): The source file of the download record.
- extensions() Iterator[BrowserExtensionRecord] ¶
Return browser extension records for Firefox.
- Yields BrowserExtensionRecord with the following fields::
ts_install (datetime): Extension install timestamp. ts_update (datetime): Extension update timestamp. browser (string): The browser from which the records are generated. id (string): Extension unique identifier. name (string): Name of the extension. short_name (string): Short name of the extension. default_title (string): Default title of the extension. description (string): Description of the extension. version (string): Version of the extension. ext_path (path): Relative path of the extension. from_webstore (boolean): Extension from webstore. permissions (string[]): Permissions of the extension. manifest (varint): Version of the extensions’ manifest. optional_permissions (string[]): Optional permissions of the extension. source_uri (path): Source path from which the extension was downloaded. source (path): The source file of the download record.
- passwords() Iterator[BrowserPasswordRecord] ¶
Return Firefox browser password records.
Automatically decrypts passwords from Firefox 58 onwards (2018) if no primary password is set. Alternatively, you can supply a primary password through the keychain to access the Firefox password store.
PASSPHRASE
passwords in the keychain with providersbrowser
,firefox
,user
and no provider can be used to decrypt secrets for this plugin.- Resources:
- dissect.target.plugins.apps.browser.firefox.pbeWithSha1AndTripleDES_CBC = '1.2.840.113549.1.12.5.1.3'¶
- dissect.target.plugins.apps.browser.firefox.CKA_ID = b'\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'¶
- dissect.target.plugins.apps.browser.firefox.decrypt_moz_3des(global_salt: bytes, primary_password: bytes, entry_salt: str, encrypted: bytes) bytes ¶
- dissect.target.plugins.apps.browser.firefox.decode_login_data(data: str) tuple[bytes, bytes, bytes] ¶
Decode Firefox login data.
- Parameters:
data – Base64 encoded data in string format.
- Raises:
ValueError – When missing
pycryptodome
orasn1crypto
dependencies.- Returns:
Tuple of bytes with
key_id
,iv
andciphertext
- dissect.target.plugins.apps.browser.firefox.decrypt_pbes2(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) bytes ¶
Decrypt an item with the given primary password and salt.
- Parameters:
decoded_item –
core.Sequence
is alist
representation ofSEQUENCE
as described below.primary_password –
bytes
of Firefox primary password to decrypt ciphertext with.global_salt –
bytes
of salt to prepend to primary password when calculating AES key.
- Raises:
ValueError – When missing
pycryptodome
orasn1crypto
dependencies.- Returns:
Bytes of decrypted AES ciphertext.
- dissect.target.plugins.apps.browser.firefox.decrypt_sha1_triple_des_cbc(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) bytes ¶
Decrypt an item with the given Firefox primary password and salt.
- Parameters:
decoded_item –
core.Sequence
is alist
representation ofSEQUENCE
as described below.primary_password –
bytes
of Firefox primary password to decrypt ciphertext with.global_salt –
bytes
of salt to prepend to primary password when calculating AES key.
- Raises:
ValueError – When missing
pycryptodome
orasn1crypto
dependencies.- Returns:
Bytes of decrypted 3DES ciphertext.
- dissect.target.plugins.apps.browser.firefox.decrypt_master_key(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) tuple[bytes, str] ¶
Decrypt the provided
core.Sequence
with the provided Firefox primary password and salt.At this stage we are not yet sure of the structure of
decoded_item
. The structure will depend on thecore.Sequence
object identifier atdecoded_item[0][0]
, hence we extract it. This function will then call the apropriatedecrypt_pbes2``or ``decrypt_sha1_triple_des_cbc
functions to decrypt the item.- Parameters:
decoded_item –
core.Sequence
is alist
representation ofSEQUENCE
as described below.primary_password –
bytes
of Firefox primary password to decrypt ciphertext with.global_salt –
bytes
of salt to prepend to primary password when calculating AES key.
- Raises:
ValueError – When missing
pycryptodome
orasn1crypto
dependencies.- Returns:
Tuple of decrypted bytes and a string representation of the identified encryption algorithm.
- dissect.target.plugins.apps.browser.firefox.query_global_salt(key4_file: dissect.target.helpers.fsutil.TargetPath) tuple[str, str] ¶
- dissect.target.plugins.apps.browser.firefox.query_master_key(key4_file: dissect.target.helpers.fsutil.TargetPath) tuple[str, str] ¶
- dissect.target.plugins.apps.browser.firefox.retrieve_master_key(primary_password: bytes, key4_file: dissect.target.helpers.fsutil.TargetPath) tuple[bytes, str] ¶
- dissect.target.plugins.apps.browser.firefox.decrypt_field(key: bytes, field: tuple[bytes, bytes, bytes]) bytes ¶
- dissect.target.plugins.apps.browser.firefox.decrypt(username: str, password: str, key4_file: dissect.target.helpers.fsutil.TargetPath, primary_password: str = '') tuple[str | None, str | None] ¶
Decrypt a stored username and password using provided credentials and key4 file.
- Parameters:
username – Encoded and encrypted password.
password. (password Encoded and encrypted)
key4_file – Path to key4.db file.
primary_password – Password to use for decryption routine.
- Returns:
A tuple of decoded username and password strings.
- Resources: