PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  • Chrome
  • hindsight
  • Firefox
  • dumpzilla
  • Firefox Decrypt
  1. Forensics

Browser

Chrome

hindsight

Web browser forensics tool for Google Chrome/Chromium-based browsers.

  • Installation

sudo apt update
sudo apt install -y sqlitebrowser
git clone https://github.com/obsidianforensics/hindsight.git
cd hindsight
python3 -m venv venv && source venv/bin/activate
pip3 install -r requirements.txt
python3 setup.py install
deactivate
npm install sqlite-browser
npm install sqlite3

  • Usage

source venv/bin/activate && python3 hindsight_gui.py

Firefox

  • Profile locations

# Ubuntu 22.04
/home/<USER>/snap/firefox/common/.mozilla/firefox/<Profile>.default

# Linux
/home/<USER>/.mozilla/firefox/<Profile>.default-esr

# Windows
C:\Documents and Settings\<USER>\Application Data\Mozilla\Firefox\Profiles\<Profile>.default

dumpzilla

Web browser forensics tool for Firefox.

  • Installation

wget https://www.dumpzilla.org/dumpzilla.py

  • Usage

python3 dumpzilla.py browser_profile_directory [Options]

The option --All can extract everything the tool can extract.

The most interesting options are:

  • --Downloads: it shows what links were used for downloads and where they stored on the host.

  • --Forms: it shows what auto-fill forms the user have and what they searched/typed directly on the browser's search bar (not in a search engine).

  • --History: it shows the user's internet browsing history.

  • --Bookmarks: it shows the user's bookmarks.

Firefox Decrypt

Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profiles.

git clone https://github.com/unode/firefox_decrypt
cd firefox_decrypt

Usage

python3 firefox_decrypt <Profile> -f human
PreviousMemoryNextThreat Intelligence

Last updated 2 years ago

Download the Python script from the official website for Unix/Windows Or directly via the command line:

--Passwords: this will work on older versions of firefox (< 58), the script will try to decrypt the encrypted passwords stored in signons.sqlite with the master decryption key stored in key3.db, but this was used in previous versions of Firefox and since version 58 logins are now stored in key4.db (SQLite) while encrypted logins are stored in logins.json. ()

https://www.dumpzilla.org/
source