Foxcatcher! [Part 2] - Data Mining

database
informationgathering
socialengineering
sql

#1

Welcome back! So in my previous post we talked about extracting the places.sqlite file from our target’s computer and there were a couple of things I forgot to mention.

First, what actually is a profile? Below is how Mozilla defines a User Profile:

### Mozilla’s Support Page

All of the changes you make in Firefox, like your home page, what toolbars you use, extensions you have installed, saved passwords and your bookmarks, are all stored in a special folder, called a profile. Your profile folder is stored in a separate place from the Firefox program so that, if something ever goes wrong with Firefox, your information will still be there. It also means you can uninstall Firefox without losing your settings and you don’t have to reinstall Firefox to clear your information or troubleshoot a problem.

^ This also means that if someone with malicious intent or not (like us) gets his hands on this file, he could gather all sorts of data about a user ^

Second, a user can have more than one profile. In my previous article, I told you that the name of our profile is a random combination of letters and numbers followed by a ‘.default’. This ‘.default’ is the actual name of our profile, so if you create a profile named ‘0x00sec_test’, your profile folder will be ‘xxxxxxxxx.0x00sec_test’ (I’ll showcase below).

The good thing about our script is that it will copy all the profiles present in the Profile Folder!


With that being said, let’s focus on today’s subject - data mining the ‘places.sqlite’ file!

### What is Data Mining?

Simply put, Data Mining is sorting through data to identify patterns and establish relationships.
This could be:

  • Looking for patterns where one event is connected to another event
  • Looking for patterns where one event leads to another later event
  • Looking for new patterns
  • Finding and visually documenting groups of facts not previously known
  • Discovering patterns in data that can lead to reasonable predictions about the future (predictive analytics)

(source: http://searchsqlserver.techtarget.com/definition/data-mining)
(useful link to further understand data mining - http://www.anderson.ucla.edu/faculty/jason.frand/teacher/technologies/palace/datamining.htm)

What we will be doing here is point number 4 - finding and visually documenting groups of facts not previously known - that is, gathering information on a target’s browsing habits/preferences/interests…


First thing we’ll need is a DB Browser for SQLite, which you can find here.

For this project, I went ahead and created another user profile named ‘foxcatcher_test’ and just searched some random stuff for demonstration purposes (btw, forgive me for the lack of creativeness in my searches…)

Once we have our Browser installed, we have to open our ‘places.sqlite’ file with said Browser.
(fyi, I’m totally not an expert on SQL and Databases, so if you have any suggestion/improvements/corrections, feel free to let me know).

This is the first window you’ll see:

I think that the most interesting tables for us are:

  • moz_bookmarks - User bookmarks
  • moz_favicons - Favicons stored in cache
  • moz_inputhistory - Search history
  • moz_places - Websites visited

I’ll be analysing the moz_bookmarks & moz_places tables.

Let’s start with moz_bookmarks:

To search the database, you need to know some basic SQL syntax. To query the DB, go to the last tab on the right side that reads ‘Execute SQL’. In the lower right corner, you see the moz_bookmarks table and its keys (the most important one is the ‘title’ key, which is the name of the bookmarked website, so this is the key we want). To query the DB to search this key for data, we type:

```sql
SELECT title
FROM moz_bookmarks
```

And press on the ‘play’ button on top.

On the lower left corner, we can see the results from this query.
Right off the bat, we see that the most common term is ‘manchester’, so maybe our target is living there or thinking to move there. We will have to dig further.

Let’s go into the moz_places table now to see if we can find something to better understand our target.

As you can see, the moz_places table has a lot of keys. I believe the one of most interest to us are the ‘url’, ‘title’ and ‘visit_count’. So let’s query the DB for those keys!

```sql
SELECT title, url, visit_count
FROM moz_places
ORDER BY visit_count DESC
```

This query will give us the website’s title, its url and how many times it has been visited by the user (in the order that we specify, in this case title -> url -> visit_count), all in descending order (from the most visited to the least).

Pretty neat, huh?

Now let’s see what our target is actually searching for…

Huh. We now know that our target is searching for elementary/primary schools in Manchester. This could mean that he/she may have an infant who is starting school soon. Also, we know that the only schools he/she was interested in were Roman Catholic ones, so we can say with some accuracy that that’s his/her religion.

Oh, what’s this? Apparently, our target was searching for flights from NY to Manchester. Maybe he/she lives in New York and is thinking of moving to Manchester. That would explain why our subject is searching for schools in the UK.

Ok, with the data above, we can be pretty sure that he/she is moving to Manchester, since their searches focus more on jobs and schools. Also, we see that the subject was searching for hairdressers in the area; maybe this could point to a gender. We know that hairdressers are usually attended by females, so let’s assume the gender is female (hope I don’t trigger anyone, heh heh)(also, I’m tired of writing ‘he/she’).

From the screenshots above, we can also assume that she is looking to adopt a dog from a kennel and is mostly interested in small port dogs, like the Jack Russell and Jack terrier!

So, from what we gathered, we can build a (very) loose profile of our Target:

GENDER: Female
AGE: Late 20’s/30’s??
CHILDREN: At least one
RELIGION: Roman Catholic
ADDRESS: Somewhere in NY, looking to move to Manchester
INTERESTS: Dogs; Particularly Jack Russels/Terrier (Small port dogs)


And that brings us to the end of my post!
Hope this gave you some idea of how data mining could work to gather info on a target and how you can build a profile on said target.

As always, thanks for reading!

Part 3 - How to prevent data theft


Yeah, no excuses... + Foxcatcher! [Part 1]
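As an added example (not code from the original post), the same two queries scripted with Python’s sqlite3 module against a constructed, in-memory copy of the moz_places and moz_bookmarks tables, which is how an incident responder would triage a browser profile instead of clicking through DB Browser. It goes a little beyond the post: the `fk` column that links a moz_bookmarks row to moz_places.id is part of the real Firefox schema and lets you recover the bookmarked URL rather than just its title, and the last function totals visit_count per hostname, the “most common term” step the post does by eye. The sample URLs and titles are made up.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample rows (not real browsing data): (id, url, title, visit_count)
SAMPLE_PLACES = [
    (1, "https://www.example-school.org/manchester", "Primary schools Manchester", 7),
    (2, "https://flights.example.com/ny-man", "Flights NY to Manchester", 3),
    (3, "https://www.example-school.org/admissions", "Admissions", 5),
    (4, "https://kennels.example.net/jack-russell", "Jack Russell adoption", 2),
]
# (id, title, fk) where fk points at moz_places.id, as in the real schema
SAMPLE_BOOKMARKS = [
    (1, "Manchester school", 1),
    (2, "Manchester flights", 2),
    (3, "Dog kennels", 4),
]

def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory DB with a minimal subset of the Firefox places schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER DEFAULT 0);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, title TEXT,
                                    fk INTEGER REFERENCES moz_places(id));
    """)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?)", SAMPLE_BOOKMARKS)
    return con

def most_visited(con, limit=10):
    """The post's moz_places query: title, url, visit_count, most visited first."""
    sql = "SELECT title, url, visit_count FROM moz_places ORDER BY visit_count DESC LIMIT ?"
    return con.execute(sql, (limit,)).fetchall()

def bookmarks_with_urls(con):
    """Bookmarks joined to their moz_places row via fk, so each title has its URL."""
    sql = ("SELECT b.title, p.url FROM moz_bookmarks b "
           "JOIN moz_places p ON p.id = b.fk ORDER BY b.id")
    return con.execute(sql).fetchall()

def visits_by_host(con):
    """Sum visit_count per hostname, highest first: the pattern-counting step."""
    totals = {}
    for url, count in con.execute("SELECT url, visit_count FROM moz_places"):
        host = urlsplit(url).hostname or url
        totals[host] = totals.get(host, 0) + count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

To run it against a real profile, replace `sqlite3.connect(":memory:")` with the path to a copy of places.sqlite (never the live file, which Firefox keeps locked while it runs).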
(Command-Line Ninja) #2

Sweeeet article man. I really like the idea of being able to get so much information just through somebody’s search history. You can see how Governments can find out so much about us simply through our browsing history.

So glad you’re back man. I missed your articles but now you’re really proving to be a bit of a boss :stuck_out_tongue:

It would be cool to generate a SQLite profile through a MITM attack, don’t you think? We could write something that would essentially make a .profile out of data passed through a MITM, and we could then access Firefox using that data, as if we were using their browser (with the exception of bookmarks and other strictly Firefox preferences).

Looking forward to your next work :slight_smile:

- pry0cc


#3

Aaawww you spoil me :blush:
Jokes aside, thanks man, means a lot.

And yes, that is a very interesting idea. It’s a nice PoC, but for that you’d need to know how to make a SQLite DB from the information gathered (I think? Like I said, I’m by no means an expert on databases or SQL, but it definitely seems doable!)


#4

Hello There, If you’d refer me the link to the part 1 of this topic I’ll be glad. Thanks in anticipation.


#5

Hey @Remz, here ya go: Yeah, no excuses... + Foxcatcher! [Part 1].

Also, I made a little addition to this: in the same Profile Folder, Firefox stores three interesting files: key3.db, key4.db and logins.json. This is where a user’s passwords and login credentials are stored! So I changed the code to include a copy command to copy these files, like so:

```bat
mkdir ".\Firefox Profiles\%USERNAME%"
xcopy "%AppData%\Mozilla\Firefox\Profiles\*.sqlite" ".\Firefox Profiles\%USERNAME%" /s /y /e /q
xcopy "%AppData%\Mozilla\Firefox\Profiles\*.db" ".\Firefox Profiles\%USERNAME%" /s /y /e /q
xcopy "%AppData%\Mozilla\Firefox\Profiles\*.json" ".\Firefox Profiles\%USERNAME%" /s /y /e /q
```

Since these files are encrypted, you won’t be able to gather much info by opening them. However, if you create a new Firefox Profile and import these files, you can have access to the credentials in them (if you also import the places.sqlite file, you can have a pretty good “reconstruction” of the Profile of the user whose files you’ve gathered).


#6

you can’t catch me :smiley: