`dissect.target.plugins.apps.browser.firefox`¶

Module Contents¶

Classes¶

FirefoxPlugin

Firefox browser plugin.

Functions¶

`decrypt_moz_3des`
`decode_login_data`	Decode Firefox login data.
`decrypt_pbes2`	Decrypt an item with the given primary password and salt.
`decrypt_sha1_triple_des_cbc`	Decrypt an item with the given Firefox primary password and salt.
`decrypt_master_key`	Decrypt the provided `core.Sequence` with the provided Firefox primary password and salt.
`query_global_salt`
`query_master_key`
`retrieve_master_key`
`decrypt_field`
`decrypt`	Decrypt a stored username and password using provided credentials and key4 file.

Attributes¶

`HAS_ASN1`
`HAS_CRYPTO`
`FIREFOX_EXTENSION_RECORD_FIELDS`
`log`
`pbeWithSha1AndTripleDES_CBC`
`CKA_ID`

dissect.target.plugins.apps.browser.firefox.HAS_ASN1 = True¶

dissect.target.plugins.apps.browser.firefox.HAS_CRYPTO = True¶

dissect.target.plugins.apps.browser.firefox.FIREFOX_EXTENSION_RECORD_FIELDS = [('uri', 'source_uri'), ('string[]', 'optional_permissions')]¶

dissect.target.plugins.apps.browser.firefox.log¶

class dissect.target.plugins.apps.browser.firefox.FirefoxPlugin(target)¶

Bases: dissect.target.plugins.apps.browser.browser.BrowserPlugin

Firefox browser plugin.

__namespace__ = 'firefox'¶

DIRS = ['AppData/Roaming/Mozilla/Firefox/Profiles', 'AppData/local/Mozilla/Firefox/Profiles',...¶

BrowserHistoryRecord¶

BrowserCookieRecord¶

BrowserDownloadRecord¶

BrowserExtensionRecord¶

BrowserPasswordRecord¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

history() → Iterator[BrowserHistoryRecord]¶

Return browser history records from Firefox.

Yields BrowserHistoryRecord with the following fields:: ts (datetime): Visit timestamp. browser (string): The browser from which the records are generated from. id (string): Record ID. url (uri): History URL. title (string): Page title. description (string): Page description. rev_host (string): Reverse hostname. visit_type (varint): Visit type. visit_count (varint): Amount of visits. hidden (string): Hidden value. typed (string): Typed value. session (varint): Session value. from_visit (varint): Record ID of the “from” visit. from_url (uri): URL of the “from” visit. source: (path): The source file of the history record.

cookies() → Iterator[BrowserCookieRecord]¶

Return browser cookie records from Firefox.

Parameters:: browser_name – The name of the browser as a string.
Yields:: Records with the following fields – ts_created (datetime): Cookie created timestamp. ts_last_accessed (datetime): Cookie last accessed timestamp. browser (string): The browser from which the records are generated from. name (string): The cookie name. value (string): The cookie value. host (string): Cookie host key. path (string): Cookie path. expiry (varint): Cookie expiry. is_secure (bool): Cookie secury flag. is_http_only (bool): Cookie http only flag. same_site (bool): Cookie same site flag.

downloads() → Iterator[BrowserDownloadRecord]¶

Return browser download records from Firefox.

Yields BrowserDownloadRecord with the following fields:: ts_start (datetime): Download start timestamp. ts_end (datetime): Download end timestamp. browser (string): The browser from which the records are generated from. id (string): Record ID. path (string): Download path. url (uri): Download URL. size (varint): Download file size. state (varint): Download state number. source: (path): The source file of the download record.

extensions() → Iterator[BrowserExtensionRecord]¶

Return browser extension records for Firefox.

Yields BrowserExtensionRecord with the following fields::: ts_install (datetime): Extension install timestamp. ts_update (datetime): Extension update timestamp. browser (string): The browser from which the records are generated. id (string): Extension unique identifier. name (string): Name of the extension. short_name (string): Short name of the extension. default_title (string): Default title of the extension. description (string): Description of the extension. version (string): Version of the extension. ext_path (path): Relative path of the extension. from_webstore (boolean): Extension from webstore. permissions (string[]): Permissions of the extension. manifest (varint): Version of the extensions’ manifest. optional_permissions (string[]): Optional permissions of the extension. source_uri (path): Source path from which the extension was downloaded. source (path): The source file of the download record.

passwords() → Iterator[BrowserPasswordRecord]¶

Return Firefox browser password records.

Automatically decrypts passwords from Firefox 58 onwards (2018) if no primary password is set. Alternatively, you can supply a primary password through the keychain to access the Firefox password store.

PASSPHRASE passwords in the keychain with providers browser, firefox, user and no provider can be used to decrypt secrets for this plugin.

Resources:

https://github.com/lclevy/firepwd

dissect.target.plugins.apps.browser.firefox.pbeWithSha1AndTripleDES_CBC = '1.2.840.113549.1.12.5.1.3'¶

dissect.target.plugins.apps.browser.firefox.CKA_ID = b'\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'¶

dissect.target.plugins.apps.browser.firefox.decrypt_moz_3des(global_salt: bytes, primary_password: bytes, entry_salt: str, encrypted: bytes) → bytes¶

dissect.target.plugins.apps.browser.firefox.decode_login_data(data: str) → tuple[bytes, bytes, bytes]¶

Decode Firefox login data.

Parameters:: data – Base64 encoded data in string format.
Raises:: ValueError – When missing pycryptodome or asn1crypto dependencies.
Returns:: Tuple of bytes with key_id, iv and ciphertext

dissect.target.plugins.apps.browser.firefox.decrypt_pbes2(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) → bytes¶

Decrypt an item with the given primary password and salt.

Parameters:

decoded_item – core.Sequence is a list representation of SEQUENCE as described below.
primary_password – bytes of Firefox primary password to decrypt ciphertext with.
global_salt – bytes of salt to prepend to primary password when calculating AES key.

Raises:

ValueError – When missing pycryptodome or asn1crypto dependencies.

Returns:

Bytes of decrypted AES ciphertext.

dissect.target.plugins.apps.browser.firefox.decrypt_sha1_triple_des_cbc(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) → bytes¶

Decrypt an item with the given Firefox primary password and salt.

Parameters:

decoded_item – core.Sequence is a list representation of SEQUENCE as described below.
primary_password – bytes of Firefox primary password to decrypt ciphertext with.
global_salt – bytes of salt to prepend to primary password when calculating AES key.

Raises:

ValueError – When missing pycryptodome or asn1crypto dependencies.

Returns:

Bytes of decrypted 3DES ciphertext.

dissect.target.plugins.apps.browser.firefox.decrypt_master_key(decoded_item: asn1crypto.core.Sequence, primary_password: bytes, global_salt: bytes) → tuple[bytes, str]¶

Decrypt the provided core.Sequence with the provided Firefox primary password and salt.

At this stage we are not yet sure of the structure of decoded_item. The structure will depend on the core.Sequence object identifier at decoded_item[0][0], hence we extract it. This function will then call the apropriate decrypt_pbes2``or ``decrypt_sha1_triple_des_cbc functions to decrypt the item.

Parameters:

decoded_item – core.Sequence is a list representation of SEQUENCE as described below.
primary_password – bytes of Firefox primary password to decrypt ciphertext with.
global_salt – bytes of salt to prepend to primary password when calculating AES key.

Raises:

ValueError – When missing pycryptodome or asn1crypto dependencies.

Returns:

Tuple of decrypted bytes and a string representation of the identified encryption algorithm.

dissect.target.plugins.apps.browser.firefox.query_global_salt(key4_file: dissect.target.helpers.fsutil.TargetPath) → tuple[str, str]¶

dissect.target.plugins.apps.browser.firefox.query_master_key(key4_file: dissect.target.helpers.fsutil.TargetPath) → tuple[str, str]¶

dissect.target.plugins.apps.browser.firefox.retrieve_master_key(primary_password: bytes, key4_file: dissect.target.helpers.fsutil.TargetPath) → tuple[bytes, str]¶

dissect.target.plugins.apps.browser.firefox.decrypt_field(key: bytes, field: tuple[bytes, bytes, bytes]) → bytes¶

dissect.target.plugins.apps.browser.firefox.decrypt(username: str, password: str, key4_file: dissect.target.helpers.fsutil.TargetPath, primary_password: str = '') → tuple[str | None, str | None]¶

Decrypt a stored username and password using provided credentials and key4 file.

Parameters:

username – Encoded and encrypted password.
password. (password Encoded and encrypted)
key4_file – Path to key4.db file.
primary_password – Password to use for decryption routine.

Returns:

A tuple of decoded username and password strings.

Resources:

https://github.com/lclevy/firepwd

dissect.target.plugins.apps.browser.firefox¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.plugins.apps.browser.firefox`¶