Hi everyone,
I would like to see my passwords saved for firefox using a C++ application. I did a bit of reading and no solution was conclusive:
I found that the passwords are stored in 2 files: logins.json and key3.db (I also found a third file, cert8.db, on one site without any mention of it anywhere else).
I found that the encryption algorithm firefox uses is 3des, and that if no password is specified, an empty, 0-char password was used.
I found that the key in the logins.json file is the one encrypted with 3des and encoded with b64. The key for the encryption was stored in key3.db and one was useless without the other.
I found that I cannot read key3.db with sqlite3.dll, MySQL on XAMPP, or any other method I know of reading sql databases.
I found that although most b64 strings have a '=' char at the end, the ones in my logins.json (a single password setup just for this research) did not. Putting it through the b64 decoder in NP++ returns garbage (if its 3des encrypted not surprising) but any online decoder I used returns nothing.
I found no sources dating to 2016.
Any source code that I found to this purpose did not compile and/or was full of errors. When I removed the errors as best I could it had issues preparing the database.
Is there any information I am missing, or that is incorrect? I am truly lost here and I would appreciate it if someone were to point me in the right direction. Thank you.
You can have a look at the following C project: https://github.com/philsmd/pswRecovery4Moz
It is older but still shows how to get the important data from the key3.db file.
Firefox is open source, just go through the source. Probably the db is initialized using a password. There is a 'dbtest.c' file inside firefox source, Have a look at that file.
Also use the NSS tools. may be it helps
Related
In the documentation sample code for how to deal with user uploaded files, they save it as a trusted filename for filestorage via GetRandomFileName, and a trusted filename for HTML display.
In the comments it says: "In most production scenarios, an anti-virus/anti-malware scanner API is used on the file before making the file available for download or for use by other systems."
Is that going to be before it is saved with a random filename or after? Because that is the point of saving it as a random filename, so that it doesn't get executed? And when the scanning is done, how is the file going to be made available? I guess the file just has to be renamed if it passes the scan or else deleted? If so, what is the proper way to get the original file extenstion? And do you know of any good scanners that are gratis that are popular to use?
I try to learn web development. Thanks for your time and help.
The renaming of the file here has nothing to do with the anti-virus protection. The files don't tend to execute themselves whatever their name is. Same with the virus scan: it's not for the server protection, it's for the users protection. If your server executes the binary it gets from the client, it's a security breach regardless of whether it's a virus or not.
The renaming here is probably done just to be able to store the duplicates. That being said, in the production scenarios you'll probably never store the incoming files as physical files on the FS. They usually go to the DB as blobs, so the name is not an issue.
This is just a sample app designed to teach how to work with binary streams and file controllers. Don't expect too much from it in terms of applicability to the real solutions.
I just got my Chrome's "Cookies" file which has a .bin extension from my Windows 10 machine at the path:
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\
Now, since I used to use just Firefox which doesn't encrypt it's cookies values in the cookies database, I don't know what to do about getting the value of cookies in the Chrome db.
Just by looking into it with SQLite Explorer I learned that values are encrypted in a special column of the table with the value BLOB and I can only get a binary format of it that is useless for me.
Now I saw many solutions over the Internet, with scripts mainly written in Python and Perl but no one worked for me.
At this point I really don't know how to handle the situation and I really need to get those cookies values.
I got skills in programming with Python 3 and Java but I'm not skilled enough about cookies and about the way Chrome encrypts them to write a decrypt script, so if you have any advice on where or how should I get started on this I would be grateful you to tell me.
Please don't report as a duplicate, since every other topic that I read about this didn't help me at all and I think that maybe starting a new question about this could help me find a better solution, thanks.
I have a website that has the old "list files" style of doing things, and I want to perform a hash on a file there before downloading it to the user's local system. I know how to hash a local file, but it seems there's not a lot of info as to whether or not I can do this without downloading the online file. My logic is, if the user already has the same file, why waste time downloading it? So, is it possible to do this?
After further contemplation I decided that the date modified comparison is actually the behavior that I want. If a client were to modify a file on accident, there is now an option to correct it. If they modify it on purpose, I certainly don't want to wipe out their work.
Hello can anyone explain me or give me some examples of how to lock a folder with VB.net.
I want to chose folder, set password for it and then lock it.
When i try to open that folder i want my app to popup asking for password, if password is ok then unlock folder if not do nothing.
I know how to do all except this autorun of my app when folder is accessed.
Thank you!
Your scheme as you described it doesn't mention encrypting files, and without encryption use of such "locking" is questionable.
Now, encryption or not, your only solution is a filesystem filter driver which will ask the password when the file is accessed, and then will allow or deny opening of the file (and on-the-fly encryption/decryption must be performed as well).
VB.NET can't be used to write a kernel-mode driver (you need deep knowledge of C and Windows internals and about 6 months of work to create a driver). You can use our CallbackFilter product, which provides a driver and lets you write business logic in user-mode.
on the Microsoft forum there is the following solution, maybe it's useful to you: http://social.microsoft.com/forums/en-US/softwareresources/thread/9a0f17af-928e-4732-a3ba-90d54ed961ea ; you may create the file they suggest dinamically by your software and then manage it.
I just accidentally pasted a $200 SSL certificate in the private key file and saved in vi. The private key is now lost. I know I yanked the existing data before replacing it and saving. Is it possible to retrieve this data somehow? I think no, but I figured I'd ask.
If you haven't quit vi, you can just 'p'.. no?
If your vi session is still running, and you haven't written your file yet, just do [esc]:q! and you should be back to your original file.
Or just hit p to paste the stuff you yanked previously.
You might have an id.rsa~ file hanging around. If so, that is your backup file.
It sounds like you've already written your file, so you are probably out of luck. Can you generate a new keypair and ask your cert vendor to re-issue the cert?
In the future, you might want to look into setting the backup option in vim. This used to be a default setting in Linux distributions back in the day, but it definitely isn't the default on my mac now.
If you yanked the data before you overwrote it, it probably should still be accessible using registers (:help registers):
:registers
will show you the contents of all registers.
If you find the lost text, it can be yanked by using the number displayed at the beginning of the line, e.g. by issuing "3p in normal mode.
UPDATE: The question was about vi, not vim, right? Then the command registers might not exist; I think the yank registers 0-9 are a vim extension.
I don't suppose you have backups set do you (doc)? If not, can't you do u?