Firefed Save
🕵️ A tool for Firefox profile analysis, data extraction, forensics and hardening
Firefed
Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser.
Note that Firefed is a work in progress and not all features work seamlessly yet -- but you're more than welcome to contribute, especially with bug reports and usage feedback.
Installation
Install the package, preferably via pip:
pip install firefed --upgrade
Usage
$ firefed -h
usage: firefed [-h] [-V] [-P] [-p PROFILE] [-v] [-f] FEATURE ...
A tool for Firefox profile analysis, data extraction, forensics and hardening
optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-P, --profiles show all local profiles
-p PROFILE, --profile PROFILE
profile name or directory to be used when running a
feature
-v, --verbose verbose output (can be used multiple times)
-f, --force treat target as a profile directory even if it doesn't
look like one
features:
Set the feature you want to run as positional argument. Each feature has
its own sub arguments which can be listed with `firefed <feature> -h`.
FEATURE
addons List installed addons/extensions.
bookmarks List bookmarks.
cookies List cookies.
downloads List downloaded files.
forms List form input history (search terms, address fields,
etc.).
history List history.
hosts List known hosts.
infect Install a PoC reverse shell via a hidden extension.
inputhistory List history of urlbar inputs (typed URLs).
logins List saved logins.
permissions List host permissions (e.g. location sharing).
preferences List user preferences.
summary Summarize results of all (summarizable) features.
visits List history of visited URLs.
Features
Addons
List installed addons/extensions.
usage: firefed addons [-h] [-a] [-A] [-S] [-f {list,short,csv}] [-s]
optional arguments:
-h, --help show this help message and exit
-a, --all show all extensions (including system extensions)
-A, --show-addons-json
show entries from "addons.json"
-S, --show-startup-json
show addon startup entries (from
"addonStartup.json.lz4")
-f {list,short,csv}, --format {list,short,csv}
output format
-s, --summary summarize results
Bookmarks
List bookmarks.
usage: firefed bookmarks [-h] [-f {tree,list,csv}] [-s]
optional arguments:
-h, --help show this help message and exit
-f {tree,list,csv}, --format {tree,list,csv}
output format
-s, --summary summarize results
Cookies
List cookies.
Don't find a cookie you have definitely set? Not all cookies are immediately written to the cookie store. You possibly need to close the browser first to force all cookies being written to disk.
usage: firefed cookies [-h] [-H HOST] [-a] [-S SESSION_FILE]
[-f {setcookie,list,csv}] [-s]
optional arguments:
-h, --help show this help message and exit
-H HOST, --host HOST filter by hostname (glob)
-a, --all show cookies from all sources, including all available
session files
-S SESSION_FILE, --session-file SESSION_FILE
extract cookies from session file (you can use
"recovery", "previous", "sessionstore" as shortcuts
for default file locations)
-f {setcookie,list,csv}, --format {setcookie,list,csv}
output format
-s, --summary summarize results
Downloads
List downloaded files.
usage: firefed downloads [-h] [-s]
optional arguments:
-h, --help show this help message and exit
-s, --summary summarize results
Forms
List form input history (search terms, address fields, etc.).
Searches in the browser's searchbar have the key "searchar-history".
usage: firefed forms [-h] [-s]
optional arguments:
-h, --help show this help message and exit
-s, --summary summarize results
History
List history.
usage: firefed history [-h] [-f {list,short,csv}] [-s]
optional arguments:
-h, --help show this help message and exit
-f {list,short,csv}, --format {list,short,csv}
output format
-s, --summary summarize results
Hosts
List known hosts.
usage: firefed hosts [-h] [-s]
optional arguments:
-h, --help show this help message and exit
-s, --summary summarize results
Infect
Install a PoC reverse shell via a hidden extension.
This is highly experimental and only a proof of concept. Also note the extension currently isn't actually hidden and disappears with the next browser restart.
The reverse shell will attempt to connect to localhost:8123 and provides
a JS REPL with system principal privileges.
usage: firefed infect [-h] [-u] [-c] [-y]
optional arguments:
-h, --help show this help message and exit
-u, --uninstall uninstall malicious addon
-c, --check check if profile appears infected
-y, --yes don't prompt for confirmation
InputHistory
List history of urlbar inputs (typed URLs).
usage: firefed inputhistory [-h] [-s]
optional arguments:
-h, --help show this help message and exit
-s, --summary summarize results
Logins
List saved logins.
You can provide a valid master password, but firefed doesn't (yet) support cracking an unkown password.
usage: firefed logins [-h] [-l LIBNSS] [-p PASSWORD] [-f {table,list,csv}]
[-s]
optional arguments:
-h, --help show this help message and exit
-l LIBNSS, --libnss LIBNSS
path to libnss3
-p PASSWORD, --master-password PASSWORD
profile's master password (If not set, an empty
password is tried. If that fails, you're prompted.)
-f {table,list,csv}, --format {table,list,csv}
output format
-s, --summary summarize results
Permissions
List host permissions (e.g. location sharing).
This feature extracts the stored permissions which the user has granted to particular hosts (e.g. popups, location sharing, desktop notifications).
usage: firefed permissions [-h] [-f {table,csv}] [-s]
optional arguments:
-h, --help show this help message and exit
-f {table,csv}, --format {table,csv}
output format
-s, --summary summarize results
Preferences
List user preferences.
This feature reads the preferences from prefs.js and user.js.
Unfortunately, we can't extract any default values since these aren't
stored in the profile.
usage: firefed preferences [-h] [-d] [-c] [-S PATH] [-b] [-i] [-s]
optional arguments:
-h, --help show this help message and exit
-d, --duplicates show all preferences, even if the key appears multiple
times (otherwise, only the last occurence is shown
because it overrides all previous occurences)
-c, --check compare preferences with recommended settings
-S PATH, --source PATH
path to file with recommended settings (use "userjs-
master" or "userjs-relaxed" to load userjs config from
Github)
-b, --bad-only when comparing with recommendations, show only bad
values
-i, --include-undefined
when comparing with recommendations, treat undefined
preferences as bad values
-s, --summary summarize results
Summary
Summarize results of all (summarizable) features.
usage: firefed summary [-h]
optional arguments:
-h, --help show this help message and exit
Visits
List history of visited URLs.
This is different from the history feature because it lists a single
entry with a timestamp for each individual visit, even if the URL is the
same.
usage: firefed visits [-h] [-f {list,csv}] [-s]
optional arguments:
-h, --help show this help message and exit
-f {list,csv}, --format {list,csv}
output format
-s, --summary summarize results
Related tools
-
dumpzilla (Extracts various information in a single step)
-
firefox_decrypt (Extracts passwords)
Open Source Agenda Badge
