# Credentials from Web Browsers **ATT\&CK ID:** [T1555.003](https://attack.mitre.org/techniques/T1555/003/) **Permissions Required:** **User** **Description** \ Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[\[1\]](https://blog.talosintelligence.com/2018/02/olympic-destroyer.html) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, `AppData\Local\Google\Chrome\User Data\Default\Login Data` and executing a SQL query: `SELECT action_url, username_value, password_value FROM logins;`. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function `CryptUnprotectData`, which uses the victim’s cached logon credentials as the decryption key.[\[2\]](https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata) Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.[\[3\]](https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign)[\[4\]](https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004). Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[\[5\]](https://github.com/putterpanda/mimikittenz) ## Techniques ## Firefox ### Firefox Profile Locations ```bash # Linux /home//.mozilla/firefox/xxxx.default # MacOS /Users//Library/Application\ Support/Firefox/Profiles/xxxx.default' # Windows C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default ``` ### Firefox\_decrypt **Github:** ```bash python3 firefox_decrypt.py ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FG9Pz8PZNkkyilEde6ij0%2Fimage.png?alt=media\&token=67016392-10c9-4211-b2a6-3d0c99034594) ### LaZagne ``` laZagne.exe browsers browsers ``` ## Google Chrome ### Chrome Profile Location ```bash # Linux /home//.config/google-chrome/default # MacOS Users//Library/Application Support/Google/Chrome/Default # Windows C:\Users\\AppData\Local\Google\Chrome\User Data\Default ``` ### LaZagne ``` laZagne.exe browsers browsers ``` ### Metasploit ``` use post/windows/gather/enum_chrome ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FWPupVB6Onhp5WEuMngWV%2Fimage.png?alt=media\&token=9022b41c-bb0a-4b73-8d9a-fdc9db3ca2ff) After completion, open the decrypted data file as mentioned by `Metasploit`. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FeLCvqLxIueKjq1wKMq5j%2Fimage.png?alt=media\&token=70167698-76eb-40b3-9a10-c586b2019c01) ## Mitigation ### Disable password manager in multiple browsers [Dashlane](https://www.dashlane.com/) have an excellent article on methods to disable the password manager for multiple browsers via Group Policy. {% embed url="" %} ###