Insider
3 minute read
We are given a folder called Mozilla containing a large number of Firefox files:
$ find Mozilla -type f
Mozilla/Firefox/installs.ini
Mozilla/Firefox/profiles.ini
Mozilla/Firefox/Profiles/yodxf5e0.default/times.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionstore-backups/recovery.baklz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionstore-backups/recovery.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/weave/failed/tabs.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/weave/toFetch/tabs.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/favicons.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/compatibility.ini
Mozilla/Firefox/Profiles/2542z9mo.default-release/favicons.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/addons.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/logins.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/search.json.mozlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionCheckpoints.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/pkcs11.txt
Mozilla/Firefox/Profiles/2542z9mo.default-release/times.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/extension-preferences.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/addonStartup.json.lz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/crashes/store.json.mozlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/key4.db
Mozilla/Firefox/Profiles/2542z9mo.default-release/webappsstore.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/protections.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/places.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/security_state/data.safe.bin
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/state.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/aborted-session-ping
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/session-state.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604498649754.5212ab6a-268f-4c2b-aa0b-cf46c3d1dc71.event.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604509449817.7d32a9b1-03f4-4155-8f99-ebd1cceb30d5.event.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604496849746.014e92ae-cb57-4c0e-a97c-66ffa45bfe20.new-profile.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604507415845.36b506e6-3dea-4646-8ae3-62e9fd1b4692.main.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/broadcast-listeners.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/cookies.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/places.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/containers.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/formhistory.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/default/moz-extension+++7b958ab1-a8d2-4943-8833-5185e9a8d9d0^userContextId=4294967295/idb/3647222921wleabcEoxlt-eengsairo.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/default/moz-extension+++7b958ab1-a8d2-4943-8833-5185e9a8d9d0^userContextId=4294967295/.metadata-v2
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3561288849sdhlie.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/1451318868ntouromlalnodry--epcr.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/2823318777ntouromlalnodry--naod.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/1657114595AmcateirvtiSty.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/2918063365piupsah.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/.metadata-v2
Mozilla/Firefox/Profiles/2542z9mo.default-release/extensions.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/handlers.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/bookmarkbackups/bookmarks-2020-11-04_11_Xwf6HUY0M1+1NgBa9qQfXA==.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/content-prefs.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-gmpopenh264/1.8.1.1/gmpopenh264.info
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-gmpopenh264/1.8.1.1/gmpopenh264.dll
Mozilla/Firefox/Profiles/2542z9mo.default-release/permissions.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/widevinecdm.dll
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/widevinecdm.dll.lib
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/manifest.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/widevinecdm.dll.sig
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/LICENSE.txt
Mozilla/Firefox/Profiles/2542z9mo.default-release/favicons.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/webappsstore.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/cert9.db
Mozilla/Firefox/Profiles/2542z9mo.default-release/parent.lock
Mozilla/Firefox/Profiles/2542z9mo.default-release/xulstore.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/webappsstore.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/prefs.js
Mozilla/Firefox/Profiles/2542z9mo.default-release/SiteSecurityServiceState.txt
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/places.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/cookies.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/cookies.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/shield-preference-experiments.json
Mozilla/Firefox/Crash Reports/InstallTime20201027185343
The challenge description says:
A potential insider threat has been reported, and we need to find out what they accessed. Can you help?
File inspection
We can start by reading the files that look interesting, as well as the SQLite3 database files:
$ cat Mozilla/Firefox/Crash\ Reports/InstallTime20201027185343
1604494987
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/search.json.mozlz4
mozLz40��){"version":6,"buildID":"20201027185343","locale":"en-US",�!tInEngineList":[{"id":"google@search.mozilla.orgH�default"},6�amazondotcom<�wikipedia9Obing4/dd3A],"e!s@_namDG!�","_isAppProvided":true,"_metaData":{} 8A#O.com<W#_ (en)@0Bin��@Duck/Gor7],"�"useSavedOrder":false}}
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionCheckpoints.json | jq
{
"profile-after-change": true,
"final-ui-startup": true,
"sessionstore-windows-restored": true
}
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/addons.json | jq
{
"schema": 6,
"addons": []
}
$ sqlite3 Mozilla/Firefox/Profiles/2542z9mo.default-release/key4.db
SQLite version 3.39.5 2022-10-14 20:58:05
Enter ".help" for usage hints.
sqlite> .tables
metaData nssPrivate
sqlite> select * from metaData;
0`0Aword*�H���.�m����|0��0m *�H��
04 $��54pO�X&/���h��*��u�
�Z 0
*�H�� 0 `�He*��Mt�=uF�!�DfP�=�Zd��(U�[c[
0O0Akey_*�H��5fb_00000011|0��0\ *�H��
04 ��ڧ�ôhX]!?y
�U{ĂL�*��\�v 0
*�H�� 0
*�H�� /<�k��`�XG�_��o��TURjG}�ͤ�|
sqlite> select * from nssPrivate;
0`0A8415*�H���||0��0m *�H��
04 ����;��Ee�٨_���Xz^�(3�1�: 0
*�H�� 0 `�He*H����7[X���gSl ڕ�?u2U�֊,�]F���[g���9�Q<Z�|||||||||||||||||�|||||||||||�|�||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
sqlite> .exit
Nothing here seems useful. There is, however, another interesting file:
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/logins.json | jq
{
"nextId": 2,
"logins": [
{
"id": 1,
"hostname": "http://acc01:8080",
"httpRealm": "Tomcat Manager Application",
"formSubmitURL": null,
"usernameField": "",
"passwordField": "",
"encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF+d3kuwB9ZWBAj5QRmuUB+gqg==",
"encryptedPassword": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBqsTKru3+k8BBgCXKb5CRSS4SF6O3Dh4jUKFRBtxfiabQk=",
"guid": "{69f06e46-1ffa-42a0-9166-0ca4b8fac057}",
"encType": 1,
"timeCreated": 1604509320314,
"timeLastUsed": 1604509320314,
"timePasswordChanged": 1604509320314,
"timesUsed": 1
}
],
"potentiallyVulnerablePasswords": [],
"dismissedBreachAlertsByLoginGUID": {},
"version": 3
}
Decrypting Firefox credentials
Here we have Firefox's credential store, but the credentials are encrypted. That is not a problem, because there is an open-source tool called firepwd that can decrypt Firefox credentials when you have access to all of the profile files (logins.json together with key4.db, which holds the key). Running it decrypts the stored credentials:
$ git clone https://github.com/lclevy/firepwd
...
$ python3 firepwd/firepwd.py -d Mozilla/Firefox/Profiles/2542z9mo.default-release/
globalSalt: b'060837e7815de208d7d6ac8fbb2ee86da78ae9ce'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'2484933534704f8a13581f262f068216f99984e89768f7e02a8f9f759a0c8f5a'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'd6da114d74de3d7507468321fb44'
}
}
}
OCTETSTRING b'6650ff3d8a5a64b0e4281255e45b635b'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'f4fbf3e43b96b84565beeea6a8d9a85f9003d7da18587a125ee42833b731f93a'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'48baf2ffd7375b58b8d7cc67536c'
}
}
}
OCTETSTRING b'05da951f823f753255f7d68a2ce5865d46bebcb25b67e81fedd6399e513c5af2'
}
clearText b'c8e53851c7fed9a1260720791abf1526aeceae89ef079bb60808080808080808'
decrypting login/password pairs
http://acc01:8080:b'admin',b'HTB{ur_8RoW53R_H157Ory}'
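The firepwd output above shows why the tool needs key4.db as well as logins.json: the key stored in key4.db is itself wrapped with PBES2 (PBKDF2-HMAC-SHA256 over the global salt plus the master password, which here is empty, as "password check? True" confirms, followed by AES-256-CBC), and only after unwrapping it can the 3DES-CBC values in logins.json be decrypted. The following is an added example, not part of the original writeup or of firepwd: a stdlib-only DER parser that decodes the encryptedUsername and encryptedPassword values from the logins.json shown above and reports which key id and cipher each value needs. That is a useful triage step when assessing whether a copied profile actually exposes credentials: a logins.json without its matching key4.db carries only ciphertext. The function names, the triage output format and the embedded sample (copied from the page's single login entry) are my own.

```python
import base64
import json

# Constructed sample: the one entry from the logins.json shown in the writeup.
SAMPLE_LOGINS_JSON = """{
  "nextId": 2,
  "logins": [
    {
      "id": 1,
      "hostname": "http://acc01:8080",
      "httpRealm": "Tomcat Manager Application",
      "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF+d3kuwB9ZWBAj5QRmuUB+gqg==",
      "encryptedPassword": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBqsTKru3+k8BBgCXKb5CRSS4SF6O3Dh4jUKFRBtxfiabQk=",
      "encType": 1
    }
  ],
  "version": 3
}"""

# des-ede3-cbc, the cipher NSS uses for SDR-protected login values.
DES_EDE3_CBC_OID = "1.2.840.113549.3.7"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos.
    Returns (tag, value_bytes, position_after_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def parse_nss_blob(b64):
    """Parse a base64 NSS SDR value:
    SEQUENCE { keyId OCTET STRING, SEQUENCE { cipher OID, iv OCTET STRING },
               ciphertext OCTET STRING }"""
    der = base64.b64decode(b64)
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, key_id, pos = _read_tlv(outer, 0)
    if tag != 0x04:
        raise ValueError("expected keyId OCTET STRING")
    tag, algo, pos = _read_tlv(outer, pos)
    if tag != 0x30:
        raise ValueError("expected algorithm SEQUENCE")
    tag, oid_raw, apos = _read_tlv(algo, 0)
    tag_iv, iv, _ = _read_tlv(algo, apos)
    if tag != 0x06 or tag_iv != 0x04:
        raise ValueError("expected OID followed by IV OCTET STRING")
    tag, ciphertext, _ = _read_tlv(outer, pos)
    if tag != 0x04:
        raise ValueError("expected ciphertext OCTET STRING")
    return {
        "key_id": key_id.hex(),
        "cipher_oid": _decode_oid(oid_raw),
        "iv": iv.hex(),
        "ciphertext": ciphertext.hex(),
    }


def triage_logins(logins_json_text):
    """Summarise every login entry: where it is for, and which key/cipher
    protect its username and password (nothing is decrypted here)."""
    doc = json.loads(logins_json_text)
    rows = []
    for login in doc.get("logins", []):
        user = parse_nss_blob(login["encryptedUsername"])
        pw = parse_nss_blob(login["encryptedPassword"])
        rows.append({
            "hostname": login.get("hostname"),
            "realm": login.get("httpRealm"),
            "enc_type": login.get("encType"),  # 1 = protected by the key4.db SDR key
            "username": user,
            "password": pw,
            "needs_key4db": user["cipher_oid"] == DES_EDE3_CBC_OID,
        })
    return rows


if __name__ == "__main__":
    for row in triage_logins(SAMPLE_LOGINS_JSON):
        print(f'{row["hostname"]} ({row["realm"]}): encType={row["enc_type"]}, '
              f'key id {row["password"]["key_id"]}, cipher {row["password"]["cipher_oid"]}, '
              f'{len(row["password"]["ciphertext"]) // 2}-byte password ciphertext')
```

Both values carry the same 16-byte key id, so a single key from key4.db unlocks every entry; the password ciphertext is 24 bytes, i.e. three 3DES blocks, which is consistent with the 23-character flag plus PKCS#7 padding that firepwd recovered.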
Flag
And the flag is the password: HTB{ur_8RoW53R_H157Ory}