I have to tell you, this was a lot of work, but I got obsessed with figuring out, how Mozilla saves passwords. Once I found out, I wrote this software for this. There is not much information about that topic in the internet. The programs I found which recover master passwords from Mozilla applications weren't open source.
Once you start the program, it searches automatically for default locations of your key3.db in Firefox and, if not found, in the Thunderbird application directory. I prepared and tested this for Windows 7 and Linux. If it is not working for your OS, please tell me the default location for it. I just need the information to put that in. You can change the location by hand, of course.
key3.db is the file that is used to recover the master password. You can start a wordlist attack on that. The program ships with a default worldlist, but it is small (I didn't want to upload a wordlist file that adds several megabytes to the program). You can use your own list by changing the location.
Alternatively you can start a bruteforce attack by activating the "bruteforce" checkbox. Although I used threads, this is limited to a word length of five (a bruteforce attack with a wordlength of six would take several days, so I don't allow that) and the alphabet a-zA-Z by now. I got about 30000 password tests per second on my machine.
Once you got the master password, it is very easy to obtain saved login information from signons.sqlite, since both, Thunderbird and Firefox, will show usernames and passwords in plain text. (google if you don't know how)
Conclusion: Always set a master password if you save login information with Thunderbird or Firefox. Otherwise the login information can be obtained without any problems.
About the source
The only (non-standard) library I used is apache.log4j for logging purposes. You will see a properties file and a log folder. The standard logging level is WARN. If you change this level to INFO or DEBUG, the master passwords found with the program will be saved in there, so be careful with that option.
Lines of code without comments and empty lines: 914 Lines of code with everything else: 1141
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY Deque at http://www.iexploit.org ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Deque at http://www.iexploit.org OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of Deque at http://www.iexploit.org
[/spoiler]
The code was tested for: Firefox 9.01 Thunderbird 9.01, Windows 7, Arch Linux. If you have a different setting, you can help me by telling me that it worked or that it didn't.
Problems?
Please make sure that you have Java 7. If there are still problems, post the logging file that is in the logs folder.