:py:mod:`dissect.target.plugins.apps.browser.firefox`
=====================================================

.. py:module:: dissect.target.plugins.apps.browser.firefox


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.browser.firefox.FirefoxPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.apps.browser.firefox.decrypt_master_key
   dissect.target.plugins.apps.browser.firefox.decrypt_value


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.browser.firefox.HAS_ASN1
   dissect.target.plugins.apps.browser.firefox.HAS_CRYPTO
   dissect.target.plugins.apps.browser.firefox.FIREFOX_EXTENSION_RECORD_FIELDS
   dissect.target.plugins.apps.browser.firefox.log
   dissect.target.plugins.apps.browser.firefox.pbeWithSha1AndTripleDES_CBC
   dissect.target.plugins.apps.browser.firefox.CKA_ID


.. py:data:: HAS_ASN1
   :value: True

.. py:data:: HAS_CRYPTO
   :value: True

.. py:data:: FIREFOX_EXTENSION_RECORD_FIELDS
   :value: [('uri', 'source_uri'), ('string[]', 'optional_permissions')]

.. py:data:: log

.. py:class:: FirefoxPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugins.apps.browser.browser.BrowserPlugin`

   Firefox browser plugin.

   .. py:attribute:: __namespace__
      :value: 'firefox'

      Defines the plugin namespace.

   .. py:attribute:: USER_DIRS
      :value: ('AppData/Roaming/Mozilla/Firefox/Profiles', 'AppData/local/Mozilla/Firefox/Profiles',...

   .. py:attribute:: SYSTEM_DIRS
      :value: ('/data/data/org.mozilla.vrbrowser/files/mozilla',)

   .. py:attribute:: BrowserHistoryRecord

   .. py:attribute:: BrowserCookieRecord

   .. py:attribute:: BrowserDownloadRecord

   .. py:attribute:: BrowserExtensionRecord

   .. py:attribute:: BrowserPasswordRecord

   .. py:attribute:: installs

   .. py:method:: find_installs() -> collections.abc.Iterator[tuple[dissect.target.plugins.general.users.UserDetails | None, pathlib.Path]]

      Find Firefox install directories on the target.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: history() -> collections.abc.Iterator[BrowserHistoryRecord]

      Return browser history records from Firefox.

      Yields BrowserHistoryRecord with the following fields:

      .. code-block:: text

          ts (datetime): Visit timestamp.
          browser (string): The browser from which the records are generated.
          id (string): Record ID.
          url (uri): History URL.
          title (string): Page title.
          description (string): Page description.
          host (string): Hostname.
          visit_type (varint): Visit type.
          visit_count (varint): Number of visits.
          hidden (string): Hidden value.
          typed (boolean): Typed value.
          session (varint): Session value.
          from_visit (varint): Record ID of the "from" visit.
          from_url (uri): URL of the "from" visit.
          source (path): The source file of the history record.

   .. py:method:: cookies() -> collections.abc.Iterator[BrowserCookieRecord]

      Return browser cookie records from Firefox.

      :param browser_name: The name of the browser as a string.

      Yields:

      .. code-block:: text

          Records with the following fields:
              ts_created (datetime): Cookie created timestamp.
              ts_last_accessed (datetime): Cookie last accessed timestamp.
              browser (string): The browser from which the records are generated.
              name (string): The cookie name.
              value (string): The cookie value.
              host (string): Cookie host key.
              path (string): Cookie path.
              expiry (varint): Cookie expiry.
              is_secure (bool): Cookie secure flag.
              is_http_only (bool): Cookie http only flag.
              same_site (bool): Cookie same site flag.

   .. py:method:: downloads() -> collections.abc.Iterator[BrowserDownloadRecord]

      Return browser download records from Firefox.

      Yields BrowserDownloadRecord with the following fields:

      .. code-block:: text

          ts_start (datetime): Download start timestamp.
          ts_end (datetime): Download end timestamp.
          browser (string): The browser from which the records are generated.
          id (string): Record ID.
          path (string): Download path.
          url (uri): Download URL.
          size (varint): Download file size.
          state (varint): Download state number.
          source (path): The source file of the download record.

   .. py:method:: extensions() -> collections.abc.Iterator[BrowserExtensionRecord]

      Return browser extension records for Firefox.

      Yields BrowserExtensionRecord with the following fields:

      .. code-block:: text

          ts_install (datetime): Extension install timestamp.
          ts_update (datetime): Extension update timestamp.
          browser (string): The browser from which the records are generated.
          id (string): Extension unique identifier.
          name (string): Name of the extension.
          short_name (string): Short name of the extension.
          default_title (string): Default title of the extension.
          description (string): Description of the extension.
          version (string): Version of the extension.
          ext_path (path): Relative path of the extension.
          from_webstore (boolean): Extension from webstore.
          permissions (string[]): Permissions of the extension.
          manifest (varint): Version of the extension's manifest.
          optional_permissions (string[]): Optional permissions of the extension.
          source_uri (path): Source path from which the extension was downloaded.
          source (path): The source file of the download record.

   .. py:method:: passwords() -> collections.abc.Iterator[BrowserPasswordRecord]

      Return Firefox browser password records.

      Automatically decrypts passwords from Firefox 58 onwards (2018) if no primary password is set.
      Alternatively, you can supply a primary password through the keychain to access the Firefox password store.

      Passphrases in the keychain with providers ``browser``, ``firefox``, ``user`` and no provider
      can be used to decrypt secrets for this plugin.

      .. rubric:: References

      - https://github.com/mozilla-firefox/firefox/tree/main/toolkit/components/passwordmgr
      - https://github.com/lclevy/firepwd


.. py:data:: pbeWithSha1AndTripleDES_CBC
   :value: '1.2.840.113549.1.12.5.1.3'

.. py:data:: CKA_ID

.. py:function:: decrypt_master_key(key4_file: pathlib.Path, primary_password: bytes) -> bytes

   Retrieve and decrypt the master key from the Firefox NSS database.

   :param key4_file: Path object to the ``key4.db`` file.
   :param primary_password: Bytes of the Firefox primary password.

   :raises ValueError: If retrieval or decryption of the master key fails.

   :returns: 32 byte or 24 byte long decrypted and unpadded master key for AES or 3DES operations.

.. py:function:: decrypt_value(b64_ciphertext: str, key: bytes) -> bytes | None

   Decrypt an encrypted value using the decrypted master key and algorithm.

   :param b64_ciphertext: Base64 encoded ciphertext.
   :param key: Decrypted Firefox master key.

   :returns: Decrypted bytes or None.

   :raises ValueError: If decryption fails.

   .. rubric:: References

   - https://github.com/lclevy/firepwd
   - https://github.com/Sohimaster/Firefox-Passwords-Decryptor/
   - https://github.com/mozilla-firefox/firefox/tree/main/toolkit/components/passwordmgr
   - https://github.com/mozilla-firefox/firefox/blob/main/security/manager/ssl/SecretDecoderRing.cpp
   - https://github.com/mozilla-firefox/firefox/blob/main/security/nss/lib/pk11wrap/pk11sdr.c#L156
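
The ``b64_ciphertext`` passed to ``decrypt_value`` can be triaged without any key, which tells an examiner whether a stored login needs the 24 byte (3DES) or 32 byte (AES) master key mentioned above. The following is an added example, not dissect's own code: it assumes the NSS secret-decoder-ring layout (a DER SEQUENCE of key id, algorithm identifier with IV, and ciphertext), and the function names, OID table and zero-filled sample blobs are constructed for illustration.

```python
import base64

# Standard OIDs (des-ede3-cbc, aes256-CBC) and key sizes; assumed, not from this page.
ALGORITHMS = {"1.2.840.113549.3.7": ("3DES-CBC", 24),
              "2.16.840.1.101.3.4.1.42": ("AES-256-CBC", 32)}

def read_all(buf: bytes) -> list[tuple[int, bytes]]:
    """Split buf into its top-level DER elements as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("DER element runs past end of buffer")
        out, pos = out + [(tag, buf[pos:pos + length])], pos + length
    return out

def decode_oid(der: bytes) -> str:  # DER OID content bytes -> dotted string
    first = min(der[0] // 40, 2)
    arcs, value = [first, der[0] - 40 * first], 0
    for byte in der[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def describe_blob(b64_ciphertext: str) -> dict:
    """Report key id, algorithm, IV and ciphertext sizes without decrypting."""
    outer = read_all(base64.b64decode(b64_ciphertext, validate=True))
    fields = read_all(outer[0][1]) if [t for t, _ in outer] == [0x30] else []
    if [t for t, _ in fields] != [0x04, 0x30, 0x04]:
        raise ValueError("not SEQUENCE { OCTET STRING, SEQUENCE, OCTET STRING }")
    (_, key_id), (_, alg), (_, data) = fields
    (_, oid), (_, iv) = read_all(alg)[:2]
    name, key_len = ALGORITHMS.get(decode_oid(oid), ("unknown", None))
    return {"key_id": key_id.hex(), "algorithm": name, "key_len": key_len,
            "iv_len": len(iv), "ciphertext_len": len(data)}

def make_sample(oid_hex: str, iv_len: int, ct_len: int) -> str:
    """Build a constructed, zero-filled blob (short-form lengths only)."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x04, bytes(iv_len)))
    return base64.b64encode(tlv(0x30, tlv(0x04, bytes(16)) + alg + tlv(0x04, bytes(ct_len)))).decode()

SAMPLE_3DES = make_sample("2a864886f70d0307", 8, 16)
SAMPLE_AES = make_sample("60864801650304012a", 16, 32)
```

A blob that reports ``unknown`` or fails to parse is worth flagging before decryption is attempted, since it may come from a different NSS version or a damaged ``logins.json``.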