Pass The Thief

‘Pass The Thief’ is an open source tool designed for use by penetration testers. It works by going through application files on a system and extracting passwords from applications which locally store usernames and passwords to allow a user to access their accounts more conveniently. For example, you can pull all of the passwords from popular browsers such as Chrome and Opera.

What did I contribute?

I originally joined the project after the creator labeled some issues ‘help-wanted’. I started by trying to add OS X support for the Chrome password recovery. I initially thought it would be a case of altering the program to use a different path to the Chrome files on OS X. However, it was slightly different, as Google encrypts all the passwords with a key which is then stored in the OS X keychain. This process is totally reversible if you have root access; it is just very different to how the Windows version works, as keychain is a unique OS X feature. You can get the key from the command line (you do need user access to do this, but this is already assumed). You can then pipe the key into an ‘openssl’ command with the passwords that have been recovered from the SQLite database file.

Automating this process was completely doable in a small Python script; it was just a case of learning how to execute shell commands in Python and then manipulating the output.
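From the defender's side, the chain described above (a command-line read of the browser's keychain key, followed by an ‘openssl’ call from the same script) is visible in process-execution telemetry. The sketch below is an added example, not code from Pass The Thief: the event schema, the sample events and the 60-second window are constructed, and the `security find-generic-password` command and the “Safe Storage” keychain item names are assumptions not stated in this post.

```python
import os
import shlex

WINDOW_SECONDS = 60  # assumed correlation window between key read and openssl

# Constructed process-execution events; the ts/ppid/cmd schema is hypothetical.
EVENTS = [
    {"ts": 10, "ppid": 501, "cmd": '/usr/bin/security find-generic-password -w -s "Chrome Safe Storage"'},
    {"ts": 12, "ppid": 501, "cmd": "openssl enc -d"},
    {"ts": 30, "ppid": 777, "cmd": 'security find-generic-password -s "Wi-Fi" -a home'},
    {"ts": 40, "ppid": 888, "cmd": 'security find-generic-password -ga user -s "Opera Safe Storage"'},
    {"ts": 200, "ppid": 888, "cmd": "openssl version"},
]


def keychain_secret_read(argv):
    """Return the service name if argv asks `security` to print a browser storage key."""
    if not argv or os.path.basename(argv[0]) != "security":
        return None
    if "find-generic-password" not in argv:
        return None
    # -w prints only the secret, -g prints the item with its secret; flags may be combined.
    prints_secret = any(a.startswith("-") and ("w" in a[1:] or "g" in a[1:]) for a in argv[1:])
    service = next((a for a in argv if a.endswith("Safe Storage")), None)
    return service if prints_secret else None


def detect(events):
    """Flag keychain key reads; raise severity when the same parent then runs openssl."""
    findings, open_by_parent = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        argv = shlex.split(ev["cmd"])
        service = keychain_secret_read(argv)
        if service:
            finding = {"ts": ev["ts"], "ppid": ev["ppid"], "service": service, "severity": "medium"}
            findings.append(finding)
            open_by_parent[ev["ppid"]] = finding
        elif argv and os.path.basename(argv[0]) == "openssl":
            prior = open_by_parent.get(ev["ppid"])
            if prior and ev["ts"] - prior["ts"] <= WINDOW_SECONDS:
                prior["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

On the constructed events, the Chrome key read followed two seconds later by ‘openssl’ is rated high, the Opera read with no nearby ‘openssl’ stays medium, and the Wi-Fi lookup is ignored.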

What I learned

I learned about the process of contributing to an open source project. This was something I knew how to do but had never done, so I feel like I solidified my knowledge. Secondly, I learned about how to apply cryptography techniques I had learned about in class, specifically using Python cryptography libraries. Lastly, the project was exclusively deployed onto Python 3, so I had to learn all the subtle differences between Python versions. For example, I had to fight with ‘strings’ now being ‘bytes’ in Python 3.

Plans for the future

I plan on keeping engaged with the project and adding OS X support for any new applications that are added. There is also room for general improvement, like adding multiple output formats such as a database or a simple formatted file.

Written on December 20, 2017