Have an account?
It looks like you're new here. If you want to get involved, click one of these buttons!
Apply for Membership
Who's Online (0)
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
MozillaRecovery - crack master passwords
I have to tell you, this was a lot of work, but I got obsessed with figuring out, how Mozilla saves passwords. Once I found out, I wrote this software for this. There is not much information about that topic in the internet. The programs I found which recover master passwords from Mozilla applications weren't open source.
About the program
Download .jar and source:
Once you start the program, it searches automatically for default locations of your key3.db in Firefox and, if not found, in the Thunderbird application directory. I prepared and tested this for Windows 7 and Linux. If it is not working for your OS, please tell me the default location for it. I just need the information to put that in. You can change the location by hand, of course.
key3.db is the file that is used to recover the master password. You can start a wordlist attack on that. The program ships with a default worldlist, but it is small (I didn't want to upload a wordlist file that adds several megabytes to the program). You can use your own list by changing the location.
Alternatively you can start a bruteforce attack by activating the "bruteforce" checkbox. Although I used threads, this is limited to a word length of five (a bruteforce attack with a wordlength of six would take several days, so I don't allow that) and the alphabet a-zA-Z by now. I got about 30000 password tests per second on my machine.
Once you got the master password, it is very easy to obtain saved login information from signons.sqlite, since both, Thunderbird and Firefox, will show usernames and passwords in plain text. (google if you don't know how)
Conclusion: Always set a master password if you save login information with Thunderbird or Firefox. Otherwise the login information can be obtained without any problems.
About the source
The only (non-standard) library I used is apache.log4j for logging purposes. You will see a properties file and a log folder. The standard logging level is WARN. If you change this level to INFO or DEBUG, the master passwords found with the program will be saved in there, so be careful with that option.
Lines of code without comments and empty lines:
Lines of code with everything else:
Copyright 2012 Deque at
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list
of conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
THIS SOFTWARE IS PROVIDED BY Deque at
``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Deque at
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those of the
authors and should not be interpreted as representing official policies, either expressed
or implied, of Deque at
The code was tested for: Firefox 9.01 Thunderbird 9.01, Windows 7, Arch Linux.
If you have a different setting, you can help me by telling me that it worked or that it didn't.
Please make sure that you have Java 7.
If there are still problems, post the logging file that is in the logs folder.
Looks awesome deque thanks for sharing
Thank you Xinapse. Also for your other comments.
Excellent job Deque! I'm very glad to see you are starting to take an interest in security. :)
while( !(succeed = try() ) );
I had interest before, I just didn't have enough knowledge to make a good program in that field. :)
thanks for this killer sharing..:)
Add a Comment