FoxHunter


A tool for extracting, analysing, attacking, and dumping Firefox browser artifacts on Linux platforms for forensic purposes.


FoxHunter extracts and dumps:

  • Addons
  • Bookmarks (Active & Deleted)
  • Browsing History
  • Browsing History Searches
  • Certificates (x509)
  • Cookies
  • Downloads
  • Extensions
  • Form History
  • Saved Logins (Encrypted)

FoxHunter allows users to decrypt extracted logins through:

  • Anonymous Authentication (Blank Password)
  • Password Authentication (Known Factor)
  • Brute Force Authentication (Wordlist/Dictionary Attack)

Finally, FoxHunter performs analysis on gathered artifacts:

  • Identifies addons not installed through the Mozilla store.
  • Identifies addons with low download rates and/or ratings.
  • Identifies out-of-date addons - potential security risks.
  • Identifies extensions with interesting/abnormal permissions.
  • Identifies certificates from relatively unknown issuers.
  • Identifies certificates with weak/unrecommended encryption standards.
  • Identifies deleted bookmarks.
  • Identifies possible malware downloads by file name.
  • Identifies common file download websites.
  • Categorises downloads by file type.
  • Produces graphs of user downloads over extended periods of time.
  • Identifies interesting form history fields containing PII.
  • Identifies commonly used form fields.
  • Identifies commonly used login usernames and passwords.
  • Identifies potential patterns within usernames or passwords.
  • Identifies cookies with interesting values (Base64, Hex, GA Cookies).
  • Identifies the most common browsing history searches.
  • Identifies common browsing history searches.
  • Identifies commonly used search engines.
  • Identifies commonly used social media sites.
  • Identifies times of the day when the user is most active.
  • Identifies days of the week when the user is most active.


⚡️ Quick start

First, install Python 3 and Pip.

sudo apt-get update
sudo apt-get install python3.10
sudo apt-get install python3-pip

Install the required dependencies for FoxHunter, using pip.

pip install -r requirements.txt

To verify that dependencies have been installed correctly, run FoxHunter.

python3 foxhunter.py -h


🦊 Commands & Options

By default, FoxHunter extracts artifacts from a profile, and displays statistics about gathered artifacts on the terminal.

  • A specific Firefox profile can be specified with the -p argument. If this argument is not supplied, FoxHunter will attempt to search the system for Firefox profiles, and let the user choose.
  • To dump gathered artifacts out, use any of the -oC, -oJ or -oX arguments to dump in CSV, JSON and XML formats respectively.
  • To perform additional analysis of artifacts, specify the -A argument. This requires an Internet connection.

$ python3 foxhunter.py -h

usage: foxhunter.py [-h] [-q] [-p PROFILE] [-oC OUTPUT_DIR] [-oJ OUTPUT_DIR] [-oX OUTPUT_DIR] [-A]

options:
  -h, --help                                 show this help message and exit
  -q, --quiet                                don't display debug messages
  -p PROFILE, --profile PROFILE              directory of firefox profile to seek artifacts
  -oC OUTPUT_DIR, --output-csv OUTPUT_DIR    directory to dump artifacts in CSV format
  -oJ OUTPUT_DIR, --output-json OUTPUT_DIR   directory to dump artifacts in JSON format
  -oX OUTPUT_DIR, --output-xml OUTPUT_DIR    directory to dump artifacts in XML format
  -A, --analyse                              analyse gathered artifacts

🔧 Testing

FoxHunter is tested using the bash-tap testing framework.

To run all tests, execute ./test. In order for a test to be picked up by this program, it must have:

  • An extension of .t.
  • Executable permissions. (chmod +x test.t)

To verify the program is working as intended, a set of pregenerated testing profiles is used. These can be found at testing/data/profile-no-password and testing/data/profile-password.

Saved login data for the former profile is unlocked. Saved login data for the latter is protected using the master password in testing/data/master-password, which can also be obtained using the getPassword function within tests.

NOTE: Testing is done on GitHub runners with a UTC timezone. If you attempt to test on a machine that is not running on UTC time, tests may fail.
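The sketch below is an added example, not FoxHunter's own code. It illustrates the "times of the day" and "days of the week" analysis listed earlier and shows one way such output becomes timezone-sensitive, as in the UTC note above: Firefox stores visit times as microseconds since the Unix epoch, so the hour and weekday buckets depend on the zone used for conversion. The table is a reduced, constructed copy of moz_historyvisits from places.sqlite, the visits are constructed, and the function names are hypothetical.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: only the moz_historyvisits columns this example needs.
SCHEMA = """CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);"""

# Constructed visit times (UTC), chosen to sit close to midnight.
SAMPLE_VISITS = [
    datetime(2023, 3, 4, 23, 30, tzinfo=timezone.utc),
    datetime(2023, 3, 4, 23, 45, tzinfo=timezone.utc),
    datetime(2023, 3, 5, 9, 15, tzinfo=timezone.utc),
]

def build_sample_db():
    """Create an in-memory database holding the constructed visits."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for i, when in enumerate(SAMPLE_VISITS, start=1):
        prtime = int(when.timestamp()) * 1_000_000  # microseconds since epoch
        db.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?, 1)", (i, i, prtime))
    return db

def prtime_to_datetime(prtime, tz=timezone.utc):
    """Convert a microsecond timestamp to an aware datetime without float rounding."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=prtime)).astimezone(tz)

def activity(db, tz=timezone.utc):
    """Return (visits per hour, visits per weekday name) for the given zone."""
    hours, days = Counter(), Counter()
    rows = db.execute(
        "SELECT visit_date FROM moz_historyvisits WHERE visit_date IS NOT NULL")
    for (prtime,) in rows:
        dt = prtime_to_datetime(prtime, tz)
        hours[dt.hour] += 1
        days[dt.strftime("%A")] += 1
    return hours, days

if __name__ == "__main__":
    db = build_sample_db()
    for label, tz in (("UTC", timezone.utc), ("UTC+2", timezone(timedelta(hours=2)))):
        hours, days = activity(db, tz)
        print(label, dict(hours), dict(days))
```

Against a real profile, run this kind of query on a copy of places.sqlite rather than the live file, and record the timezone used alongside the results.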

⚖️ License

FoxHunter is free and open-source software licensed under the MIT License.