NetExec icon indicating copy to clipboard operation
NetExec copied to clipboard
verified publisher icon Pennyw0rth

Update firefox.py for new AES-256-CBC encryption (fix dpapi error)

Open hilarex opened this issue 3 months ago • 3 comments

Description

Add Firefox 144+ password decryption support

  • Support new AES-256-CBC encryption format (16-byte IV)
  • Extract all master keys from NSS database (Firefox 144+ uses multiple)
  • Expand keys to 32 bytes using SHA-256 when needed
  • Maintain backward compatibility with legacy 3DES-CBC format
  • Try all available keys until successful decryption

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • [X] Bug fix (non-breaking change which fixes an issue)
  • [X] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] Deprecation of feature or functionality
  • [ ] This change requires a documentation update
  • [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

The test should try to dump dpapi using the command :

nxc smb <ip> -u <user> -p <pass> --dpapi

The target is a machine with passwords in Firefox >144, and another with Firefox <144 (for backwards compatibility)

Screenshots (if appropriate):

The issue was : image

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • [ ] I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [ ] I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • [ ] New and existing e2e tests pass locally with my changes
  • [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [X] I have performed a self-review of my own code
  • [X] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

hilarex avatar Oct 22 '25 08:10 hilarex

Thanks for the PR!

@zblurx the perfect one for you if you got some time.

NeffIsBack avatar Oct 22 '25 14:10 NeffIsBack

Hey @hilarex thanks for the PR. I have been testing it on the new firefox and it's working well: image

However, the firefox secrets dump does not work anymore on older firefox versions (tested on 140.0.4): image

zblurx avatar Oct 30 '25 10:10 zblurx

@zblurx I pushed a small fix, and I tested on both new and older version. It seems to work now

hilarex avatar Nov 06 '25 08:11 hilarex